[Freeipa-users] replicating cn=accounts, dc=ipa, dc=example, dc=com tree to a read-only instance of 389ds on our mailserver
Hi guys,

our current setup consists of 3 replicated free-ipa servers in a master-master configuration. What we are currently trying to do is to add a standalone 389-ds on our mailserver which should only readonly-replicate cn=accounts,dc=ipa,dc=example,dc=com, to enable our mailserver to have a local ldap cache (for alias/mailbox mapping in postfix/dovecot) and to be able to add a local ldap address book to our mailserver without the need to have it on our ipa-servers.

Our environment is:

  3 free-ipa servers (centos7, 389-ds-base.x86_64 1.3.5.10-20.el7_3)
  1 Mailserver (debian stretch, 389-ds 1.3.5.15-2)

What we did:

Basically following this guide:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/Managing_Replication-Configuring-Replication-cmd#Configuring-Replication-Suppliers-cmd

On the consumer (our mailserver):

...first we created the missing root (cn=accounts,dc=ipa,dc=example,dc=com) by hand.

  # readonly replication manager
  dn: cn=readonly replication manager,cn=config
  objectClass: inetorgperson
  objectClass: person
  objectClass: top
  cn: readonly replication manager
  sn: RORM
  userPassword: NotTheRealPassword
  passwordExpirationTime: 20380119031407Z
  nsIdleTimeout: 0

Replication entry:

  # no dc=ipa in the dn!
  dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
  changetype: add
  objectclass: top
  objectclass: nsds5replica
  objectclass: extensibleObject
  cn: replica
  nsds5replicaid: 65535
  nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
  nsds5replicatype: 2
  nsds5ReplicaPurgeDelay: 604800
  nsds5ReplicaBindDN: cn=replication manager,cn=config
  nsds5flags: 1

On the supplier (one of our IPA-servers):

  # on our IPA-servers, dc=ipa is included
  dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
  objectclass: top
  objectclass: nsds5ReplicationAgreement
  cn: accounts2hermes
  nsds5replicahost: mail.example.com
  nsds5replicaport: 389
  nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
  nsds5replicabindmethod: SIMPLE
  nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
  description: replicate cn=accounts from ipa to hermes
  nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
  nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
  nsds5replicacredentials: notTheRealButSameAsAbove
  nsds5ReplicaIgnoreMissingChange: once
  nsds5BeginReplicaRefresh: start

After some log entries regarding the schema versions, we stopped the consumer and copied the schema from the supplier to the consumer by hand... This fixed most of the noise in the log, but we are still getting the following error:

  [18/May/2017:10:23:41.311816674 +0200] NSMMReplicationPlugin - agmt="cn=accountsToMail" (mail:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

Of course, we tried to re-initialize the remote replica by:

  dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
  changetype: modify
  replace: nsds5BeginReplicaRefresh
  nsds5BeginReplicaRefresh: start

What are we missing?
Best regards,
Bernhard

--
Bernhard Kneip
System administration
E-Mail: bernhard.kn...@isa.de.com
Tel: +49(0)3677/46929-144
Internet: www.isa.de.com

ISA Institut für Serviceautomation GmbH & Co. KG
Ziolkowskistraße 8, 98693 Ilmenau
Amtsgericht Jena, HRA 301735
Personally liable partner: ISA GmbH, Amtsgericht Jena, HRB 306708
Managing directors: Dr.-Ing. Walther Spies, Dipl.-Ing. (FH) Peter Mayer
Member of SIELAFF GROUP

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
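A consistency check for the replica and agreement entries quoted in the post, added here as an example and not something from the poster or from 389-ds itself. It assumes the three relations 389-ds replication relies on: the replica's nsds5replicaroot must be the suffix named in the mapping tree DN on each side (389-ds replicates a whole suffix, not a subtree of it), and the bind DN the supplier agreement uses must be the one the consumer replica accepts. The LDIF samples are constructed from the post with credentials left out; the parser only handles single-entry snippets without continuation lines.

```python
import re

# Constructed from the two LDIF entries quoted in the post (credentials left out).
CONSUMER_REPLICA = r"""
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5ReplicaBindDN: cn=replication manager,cn=config
"""
SUPPLIER_AGREEMENT = r"""
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
"""

def parse_entry(text):
    """Minimal single-entry LDIF reader: lower-cased attribute names, no continuation lines."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()] = value.strip()
    return entry

def norm_dn(dn):
    """Case-fold and strip whitespace around RDNs so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def mapping_tree_suffix(dn):
    """Suffix named by the cn=<escaped suffix>,cn=mapping tree,cn=config part of a DN."""
    m = re.search(r"cn=((?:\\.|[^,])+),cn=mapping tree,cn=config$", dn, re.IGNORECASE)
    if not m:
        raise ValueError("not a mapping tree DN: " + dn)
    return norm_dn(re.sub(r"\\(.)", r"\1", m.group(1)))  # drop the \, and \= escapes

def check_replication_config(consumer_ldif, supplier_ldif):
    """Return findings for the DN relations replication depends on (empty list = consistent)."""
    c, s = parse_entry(consumer_ldif), parse_entry(supplier_ldif)
    findings = []
    for side, e in (("consumer replica", c), ("supplier agreement", s)):
        suffix, root = mapping_tree_suffix(e["dn"]), norm_dn(e["nsds5replicaroot"])
        if suffix != root:  # 389-ds replicates a whole suffix, never a subtree of it
            findings.append(f"{side}: nsds5replicaroot {root} is not the mapping tree suffix {suffix}")
    if norm_dn(c["nsds5replicabinddn"]) != norm_dn(s["nsds5replicabinddn"]):
        findings.append("bind DN used by the supplier is not the bind DN the consumer replica allows")
    return findings

if __name__ == "__main__":
    for finding in check_replication_config(CONSUMER_REPLICA, SUPPLIER_AGREEMENT):
        print("MISMATCH:", finding)
```

Run against the posted entries it reports three mismatches; run against a consumer replica and agreement that both name the same suffix and bind DN it returns an empty list.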