Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-09-01 Thread Andrey Rogovsky
Hi, Alexander!
Thanks for your reply.

I have read your link, but it is not related to my issue. I will start a new thread,
because the replica problem is resolved.


2016-09-01 11:10 GMT+03:00 Alexander Bokovoy :

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi, Alexander!
>>
>> Thank you very much for the help. Now I am able to start the replica, but have one
>> issue - the schema is not replicated:
>>
>> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Warning: unable to
>> replicate schema to host ldap2, port 389. Continuing with total update
>> session.
>> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Beginning total
>> update
>> of replica "agmt="cn=ExampleAgreement" (ldap2:389)".
>> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Need to create
>> replication keep alive entry 
>> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - add dn: cn=repl keep
>> alive 7,dc=example,dc=com
>> objectclass: top
>> objectclass: ldapsubentry
>> objectclass: extensibleObject
>> cn: repl keep alive 7
>> [01/Sep/2016:07:04:58 +] NSMMReplicationPlugin - Finished total update
>> of replica "agmt="cn=ExampleAgreement" (ldap2:389)". Sent 415 entries.
>>
>> Can you help me with the schema?
>>
> I'm afraid I cannot help with that. You need to read RHDS documentation
> and design your own mechanism to make schema compatible on both sides.
> Replicating schema between IPA and plain RHDS is not really supported as
> nobody did that before, so you are on your own research and exploration
> path to see what configuration should be.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Deployment_Guide/Designing_the_Replication_Process-Using_Replication_with_Other_DS_Features.html#Using_Replication_with_Other_DS_Features-Schema_Replication
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-09-01 Thread Alexander Bokovoy

On Thu, 01 Sep 2016, Andrey Rogovsky wrote:

> Hi, Alexander!
>
> Thank you very much for the help. Now I am able to start the replica, but have one
> issue - the schema is not replicated:
>
> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Warning: unable to
> replicate schema to host ldap2, port 389. Continuing with total update
> session.
> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Beginning total update
> of replica "agmt="cn=ExampleAgreement" (ldap2:389)".
> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Need to create
> replication keep alive entry
> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - add dn: cn=repl keep
> alive 7,dc=example,dc=com
> objectclass: top
> objectclass: ldapsubentry
> objectclass: extensibleObject
> cn: repl keep alive 7
> [01/Sep/2016:07:04:58 +] NSMMReplicationPlugin - Finished total update
> of replica "agmt="cn=ExampleAgreement" (ldap2:389)". Sent 415 entries.
>
> Can you help me with the schema?

I'm afraid I cannot help with that. You need to read RHDS documentation
and design your own mechanism to make schema compatible on both sides.
Replicating schema between IPA and plain RHDS is not really supported as
nobody did that before, so you are on your own research and exploration
path to see what configuration should be.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Deployment_Guide/Designing_the_Replication_Process-Using_Replication_with_Other_DS_Features.html#Using_Replication_with_Other_DS_Features-Schema_Replication

--
/ Alexander Bokovoy



Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-09-01 Thread Andrey Rogovsky
Hi, Alexander!

Thank you very much for the help. Now I am able to start the replica, but have one
issue - the schema is not replicated:

[01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ldap2, port 389. Continuing with total update
session.
[01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Beginning total update
of replica "agmt="cn=ExampleAgreement" (ldap2:389)".
[01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Need to create
replication keep alive entry 
[01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - add dn: cn=repl keep
alive 7,dc=example,dc=com
objectclass: top
objectclass: ldapsubentry
objectclass: extensibleObject
cn: repl keep alive 7
[01/Sep/2016:07:04:58 +] NSMMReplicationPlugin - Finished total update
of replica "agmt="cn=ExampleAgreement" (ldap2:389)". Sent 415 entries.

Can you help me with the schema?


2016-09-01 10:01 GMT+03:00 Alexander Bokovoy :

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi, Alexander!
>>
>> I have ldap1 - FreeIPA (master) and ldap2 - 389DS (slave).
>> I want a one-way replica from ldap1 to ldap2.
>> On ldap1 I have defined the replication user DN, the replica and the agreement.
>> On ldap2 I have defined the replica only:
>>
> This is what you are doing wrong. Your ldap1 server will attempt to
> connect to ldap2 server using the replication user credentials. It is
> ldap2 which will be authenticating this request. Where would it take
> information about the replication user?
>
>
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaType: 2
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5Flags: 0
>> nsDS5ReplicaId: 65535
>> nsState:: //8AAABY2sZXAAABAA==
>> nsDS5ReplicaName: 06154b02-6f7e11e6-b236be05-3db8a3e8
>> nsds5ReplicaChangeCount: 0
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Do I need to define the replication user DN on ldap2?
>>
>>
>> 2016-09-01 8:57 GMT+03:00 Alexander Bokovoy :
>>
>>> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>>>
>>>> Hi, Alexander!
>>>>
>>>> Thanks for the fast reply.
>>>> I have the replication manager object:
>>>> filter: (objectclass=organizationalPerson)
>>>> requesting: All userApplication attributes
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base  with scope subtree
>>>> # filter: (objectclass=organizationalPerson)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # replication manager, config
>>>> dn: cn=replication manager,cn=config
>>>> objectClass: inetorgperson
>>>> objectClass: person
>>>> objectClass: top
>>>> objectClass: organizationalPerson
>>>> cn: replication manager
>>>> sn: RM
>>>> userPassword::
>>>> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>>>>  =
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> But the error is present.
>>>>
>>> You have two LDAP servers. If you have replication going in both
>>> directions, you need to have the replication bind entry defined on both
>>> servers.
>>>
>>> If you have replication going in one direction, then the target server
>>> should have this replication bind entry defined.
>>>
>>> Where do you have this entry?
>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-09-01 Thread Alexander Bokovoy

On Thu, 01 Sep 2016, Andrey Rogovsky wrote:

> Hi, Alexander!
>
> I have ldap1 - FreeIPA (master) and ldap2 - 389DS (slave).
> I want a one-way replica from ldap1 to ldap2.
> On ldap1 I have defined the replication user DN, the replica and the agreement.
> On ldap2 I have defined the replica only:

This is what you are doing wrong. Your ldap1 server will attempt to
connect to ldap2 server using the replication user credentials. It is
ldap2 which will be authenticating this request. Where would it take
information about the replication user?


> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaType: 2
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5Flags: 0
> nsDS5ReplicaId: 65535
> nsState:: //8AAABY2sZXAAABAA==
> nsDS5ReplicaName: 06154b02-6f7e11e6-b236be05-3db8a3e8
> nsds5ReplicaChangeCount: 0
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Do I need to define the replication user DN on ldap2?


> 2016-09-01 8:57 GMT+03:00 Alexander Bokovoy :
>
>
>> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>>
>>
>>> Hi, Alexander!
>>>
>>> Thanks for the fast reply.
>>> I have the replication manager object:
>>> filter: (objectclass=organizationalPerson)
>>> requesting: All userApplication attributes
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base  with scope subtree
>>> # filter: (objectclass=organizationalPerson)
>>> # requesting: ALL
>>> #
>>>
>>> # replication manager, config
>>> dn: cn=replication manager,cn=config
>>> objectClass: inetorgperson
>>> objectClass: person
>>> objectClass: top
>>> objectClass: organizationalPerson
>>> cn: replication manager
>>> sn: RM
>>> userPassword::
>>> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>>>  =
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> But the error is present.
>>>
>>>
>> You have two LDAP servers. If you have replication going in both
>> directions, you need to have the replication bind entry defined on both
>> servers.
>>
>> If you have replication going in one direction, then the target server
>> should have this replication bind entry defined.
>>
>> Where do you have this entry?
>>
>>
>>
>> --
>> / Alexander Bokovoy




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy



Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Alexander!

I have ldap1 - FreeIPA (master) and ldap2 - 389DS (slave).
I want a one-way replica from ldap1 to ldap2.
On ldap1 I have defined the replication user DN, the replica and the agreement.
On ldap2 I have defined the replica only:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=nsds5replica)
# requesting: ALL
#

# replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5Flags: 0
nsDS5ReplicaId: 65535
nsState:: //8AAABY2sZXAAABAA==
nsDS5ReplicaName: 06154b02-6f7e11e6-b236be05-3db8a3e8
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Do I need to define the replication user DN on ldap2?


2016-09-01 8:57 GMT+03:00 Alexander Bokovoy :

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi, Alexander!
>>
>> Thanks for the fast reply.
>> I have the replication manager object:
>> filter: (objectclass=organizationalPerson)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=organizationalPerson)
>> # requesting: ALL
>> #
>>
>> # replication manager, config
>> dn: cn=replication manager,cn=config
>> objectClass: inetorgperson
>> objectClass: person
>> objectClass: top
>> objectClass: organizationalPerson
>> cn: replication manager
>> sn: RM
>> userPassword::
>> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>> =
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> But the error is present.
>>
> You have two LDAP servers. If you have replication going in both
> directions, you need to have the replication bind entry defined on both
> servers.
>
> If you have replication going in one direction, then the target server
> should have this replication bind entry defined.
>
> Where do you have this entry?
>
>
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Alexander Bokovoy

On Thu, 01 Sep 2016, Andrey Rogovsky wrote:

> Hi, Alexander!
>
> Thanks for the fast reply.
> I have the replication manager object:
> filter: (objectclass=organizationalPerson)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=organizationalPerson)
> # requesting: ALL
> #
>
> # replication manager, config
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword::
> e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
>  =
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> But the error is present.

You have two LDAP servers. If you have replication going in both
directions, you need to have the replication bind entry defined on both
servers.

If you have replication going in one direction, then the target server
should have this replication bind entry defined.

Where do you have this entry?



--
/ Alexander Bokovoy

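The point Alexander makes in this reply and in the one further up the thread (the consumer is the side that authenticates the supplier's bind, so the bind entry has to exist on the consumer and be listed in its replica's nsDS5ReplicaBindDN) can be checked offline from ldapsearch dumps before anyone reads the errors log. The script below is an added example, not code from the thread, FreeIPA or 389DS. The LDIF text is constructed from the entries posted in the thread, and parse_ldif, norm_dn, find_by_dn, has_class and diagnose are names chosen here.

```python
"""Offline check of a one-way 389DS/FreeIPA replication setup from LDIF dumps.
Added example, not code from the thread, FreeIPA or 389DS."""
import base64
import re
# Constructed LDIF modelled on the thread's entries: the supplier (ldap1) has
# the bind entry and the agreement, which already records the failed init.
SUPPLIER_LDIF = r"""
dn: cn=replication manager,cn=config
cn: replication manager
userPassword:: e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
 =

# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaRoot: dc=example,dc=com
nsds5replicaLastInitStatus: 32  - LDAP error: No such object
"""
# Consumer (ldap2) as first posted: its replica names the bind DN, but no
# entry with that DN exists on the consumer itself.
CONSUMER_LDIF_BROKEN = r"""
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
# The same consumer after the bind entry has been created on it.
CONSUMER_LDIF_FIXED = CONSUMER_LDIF_BROKEN + r"""
dn: cn=replication manager,cn=config
cn: replication manager
"""
_ATTR = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """Entries as {attribute(lowercased): [values]}; handles folded lines
    (leading space), base64 values ('attr:: ...') and '#' comment lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current: entries.append(current)
            current = {}
            continue
        m = _ATTR.match(line)
        if not m: raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    return entries

def norm_dn(dn):  # comparison key: case-insensitive, spaces around commas ignored
    return ",".join(p.strip() for p in dn.lower().split(","))

def find_by_dn(entries, dn):
    return next((e for e in entries if norm_dn(e["dn"][0]) == norm_dn(dn)), None)

def has_class(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))

def diagnose(supplier_ldif, consumer_ldif):
    """Check each agreement on the supplier against the consumer; return findings."""
    supplier, consumer = parse_ldif(supplier_ldif), parse_ldif(consumer_ldif)
    findings = []
    for agmt in (e for e in supplier if has_class(e, "nsds5replicationagreement")):
        name, bind_dn = agmt["cn"][0], agmt["nsds5replicabinddn"][0]
        root = agmt["nsds5replicaroot"][0]
        target = f"{agmt['nsds5replicahost'][0]}:{agmt['nsds5replicaport'][0]}"
        # 1. The consumer authenticates the bind, so the DN must exist on it.
        if find_by_dn(consumer, bind_dn) is None:
            findings.append(f"{name}: bind DN '{bind_dn}' does not exist on consumer "
                            f"{target}; SIMPLE bind will fail with LDAP error 32")
        # 2. The consumer's replica must list that DN as an allowed supplier.
        replica = next((e for e in consumer if has_class(e, "nsds5replica")
                        and norm_dn(e["nsds5replicaroot"][0]) == norm_dn(root)), None)
        allowed = {norm_dn(d) for d in (replica or {}).get("nsds5replicabinddn", [])}
        if norm_dn(bind_dn) not in allowed:
            findings.append(f"{name}: consumer replica for {root} does not allow "
                            f"'{bind_dn}' in nsDS5ReplicaBindDN")
        # 3. Surface a non-zero result recorded by the last initialisation.
        status = " ".join(agmt.get("nsds5replicalastinitstatus", [""])[0].split())
        if status and not status.startswith("0"):
            findings.append(f"{name}: last init status: {status}")
    return findings

if __name__ == "__main__":
    print(*diagnose(SUPPLIER_LDIF, CONSUMER_LDIF_BROKEN), sep="\n")
```

Run against the consumer as first posted it reports the missing bind entry, which is the same condition the supplier's errors log shows as "could not bind id [cn=replication manager,cn=config] ... error 32 (No such object)". Against the fixed consumer the only finding left is the stale nsds5replicaLastInitStatus recorded before the entry existed, which a new total update clears. In real use, feed it the output of an ldapsearch under cn=config from each server.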


Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Alexander!

Thanks for the fast reply.
I have the replication manager object:
filter: (objectclass=organizationalPerson)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=organizationalPerson)
# requesting: ALL
#

# replication manager, config
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword::
e1NTSEF9d281RGZOTTlCSEVWTEhxY1lTcGs0WHdjRXplemU4S280S3EwWnc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But the error is present.



2016-09-01 7:14 GMT+03:00 Alexander Bokovoy :

> On Thu, 01 Sep 2016, Andrey Rogovsky wrote:
>
>> Hi!
>> Thanks for your advice!
>> I tried to start the replica and get these errors in the log:
>> [01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]:
>> error
>> 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:24:23 +] NSMMReplicationPlugin -
>> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
>> failed: LDAP error 32 (No such object) ()
>>
> You've been told already that you should have replication manager object
> created at both sides. Your 'cn=replication manager,cn=config' does not
> exist at the replica.
>
> You should read RHDS Administration Guide, at least the part about
> supplier bind DN entry, but preferably the whole chapter it is part of:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>
>
>
>
>> This is my current replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwDqnMdXAAABAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 118
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> This is my current agreement:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=nsds5ReplicationAgreement)
>> # requesting: ALL
>> #
>>
>> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
>> tree,
>> cn=config
>> objectClass: top
>> objectClass: nsds5replicationagreement
>> cn: ExampleAgreement
>> nsDS5ReplicaHost: ldap2
>> nsDS5ReplicaPort: 389
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsDS5ReplicaBindMethod: SIMPLE
>> nsDS5ReplicaRoot: dc=example,dc=com
>> description: agreement between supplier1 and consumer1
>> nsDS5ReplicaUpdateSchedule: -0500 1
>> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
>> authorityRevocationLis
>> t
>> nsDS5ReplicaCredentials:
>> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkw
>> ek5qRmxNalkxWkFBQ
>> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ
>> U1Dc25vTkVzZVJ4b3
>> N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
>> nsds5replicareapactive: 0
>> nsds5replicaLastUpdateStart: 1970010100Z
>> nsds5replicaLastUpdateEnd: 1970010100Z
>> nsds5replicaChangesSentSinceStartup:
>> nsds5replicaLastUpdateStatus: 0 No replication sessions started since
>> server s
>> tartup
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 20160901032423Z
>> nsds5replicaLastInitEnd: 1970010100Z
>> nsds5replicaLastInitStatus: 32  - LDAP error: No such object
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I tried to delete the agreement, replica, user and changelog and create them again. This
>> did not help, same error:
>>
>> [01/Sep/2016:03:42:37 +] NSMMReplicationPlugin - agmt_delete: begin
>> [01/Sep/2016:03:45:35 +] NSMMReplicationPlugin -
>> replica_config_delete:
>> Warning: The changelog for replica dc=example,dc=com is no longer valid
>> since the replica config is being deleted.  Removing the changelog.
>> [01/Sep/2016:03:53:18 +] slapi_ldap_bind - Error: could not bind id
>> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]:
>> error
>> 32 (No such object) errno 0 (Success)
>> [01/Sep/2016:03:53:18 +] NSMMReplicationPlugin -
>> agmt="c

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Alexander Bokovoy

On Thu, 01 Sep 2016, Andrey Rogovsky wrote:

> Hi!
> Thanks for your advice!
> I tried to start the replica and get these errors in the log:
> [01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [01/Sep/2016:03:24:23 +] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
> failed: LDAP error 32 (No such object) ()

You've been told already that you should have replication manager object
created at both sides. Your 'cn=replication manager,cn=config' does not
exist at the replica.

You should read RHDS Administration Guide, at least the part about
supplier bind DN entry, but preferably the whole chapter it is part of:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html




> This is my current replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwDqnMdXAAABAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 118
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> This is my current agreement:
>
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5ReplicationAgreement)
> # requesting: ALL
> #
>
> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
> tree,
> cn=config
> objectClass: top
> objectClass: nsds5replicationagreement
> cn: ExampleAgreement
> nsDS5ReplicaHost: ldap2
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaRoot: dc=example,dc=com
> description: agreement between supplier1 and consumer1
> nsDS5ReplicaUpdateSchedule: -0500 1
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
> authorityRevocationLis
> t
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
> RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
> 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQU1Dc25vTkVzZVJ4b3
> N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 1970010100Z
> nsds5replicaLastUpdateEnd: 1970010100Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 No replication sessions started since
> server s
> tartup
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 20160901032423Z
> nsds5replicaLastInitEnd: 1970010100Z
> nsds5replicaLastInitStatus: 32  - LDAP error: No such object
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> I tried to delete the agreement, replica, user and changelog and create them again. This
> did not help, same error:
>
> [01/Sep/2016:03:42:37 +] NSMMReplicationPlugin - agmt_delete: begin
> [01/Sep/2016:03:45:35 +] NSMMReplicationPlugin - replica_config_delete:
> Warning: The changelog for replica dc=example,dc=com is no longer valid
> since the replica config is being deleted.  Removing the changelog.
> [01/Sep/2016:03:53:18 +] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [01/Sep/2016:03:53:18 +] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
> failed: LDAP error 32 (No such object) ()
>
>
>
> 2016-08-31 20:09 GMT+03:00 Mark Reynolds :
>
>>
>>
>>
>> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>>
>>> Hi, Mark!
>>>
>>> Thanks for the explanation. Now I have created the replication manager (I hope):
>>> [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
>>> "cn=directory manager" -W -b cn=config "cn=replication manager"
>>> Enter LDAP Password:
>>> dn: cn=replication manager,cn=config
>>> objectClass: inetorgperson
>>> objectClass: person
>>> objectClass: top
>>> objectClass: organizationalPerson
>>> cn: replication manager
>>> sn: RM
>>> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSU
>>> dCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
>>>  =
>>>
>>> What is next? I use the manual from version 8 and it is a bit obsolete.
>>>
>> Now you should be able to initialize your standalone server by updating
>> the agreement on the ipa DS:
>>
>> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5beginreplicarefresh
>> nsds5beginreplicarefresh: start
>>
>> If something goes wrong let us know what's i

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi!
Thanks for your advice!
I tried to start the replica and get these errors in the log:
[01/Sep/2016:03:24:23 +] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:24:23 +] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()

This is my current replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=nsds5replica)
# requesting: ALL
#

# replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: BwDqnMdXAAABAA==
nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
nsds5ReplicaChangeCount: 118
nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This is my current agreement:

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=nsds5ReplicationAgreement)
# requesting: ALL
#

# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,
 cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsDS5ReplicaUpdateSchedule: -0500 1
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
authorityRevocationLis
 t
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQU1Dc25vTkVzZVJ4b3
 N2WVlEMXRpbQ==}a21h3uqnbcAZ1cX+NheCeg==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 1970010100Z
nsds5replicaLastUpdateEnd: 1970010100Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since
server s
 tartup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160901032423Z
nsds5replicaLastInitEnd: 1970010100Z
nsds5replicaLastInitStatus: 32  - LDAP error: No such object

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I tried to delete the agreement, replica, user and changelog and create them again. This
did not help, same error:

[01/Sep/2016:03:42:37 +] NSMMReplicationPlugin - agmt_delete: begin
[01/Sep/2016:03:45:35 +] NSMMReplicationPlugin - replica_config_delete:
Warning: The changelog for replica dc=example,dc=com is no longer valid
since the replica config is being deleted.  Removing the changelog.
[01/Sep/2016:03:53:18 +] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
[01/Sep/2016:03:53:18 +] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()



2016-08-31 20:09 GMT+03:00 Mark Reynolds :

>
>
> On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
>
> Hi, Mark!
>
> Thanks for the explanation. Now I have created the replication manager (I hope):
> [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
> "cn=directory manager" -W -b cn=config "cn=replication manager"
> Enter LDAP Password:
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSU
> dCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
>  =
>
> What is next? I use the manual from version 8 and it is a bit obsolete.
>
> Now you should be able to initialize your standalone server by updating
> the agreement on the ipa DS:
>
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
>
> If something goes wrong let us know what's in the errors log again.
>
> Mark
>
>
>
> 2016-08-31 19:30 GMT+03:00 Mark Reynolds :
>
>> Hi Andrey,
>>
>> It looks like you still did not create the replication manager entry.
>> You must create that manager entry on the standalone server.  Please read
>> the link I sent you:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
>>

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Mark Reynolds


On 08/31/2016 12:39 PM, Andrey Rogovsky wrote:
> Hi, Mark!
>
> Thanks for the explanation. Now I have created the replication manager (I hope):
> [root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
> Enter LDAP Password:
> dn: cn=replication manager,cn=config
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> objectClass: organizationalPerson
> cn: replication manager
> sn: RM
> userPassword::
> e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ=
>  =
>
> What is next? I use the manual from version 8 and it is a bit obsolete.
Now you should be able to initialize your standalone server by updating
the agreement on the ipa DS:

dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start

If something goes wrong let us know what's in the errors log again.

Mark
>
>
> 2016-08-31 19:30 GMT+03:00 Mark Reynolds :
>
> Hi Andrey,
>
> It looks like you still did not create the replication manager
> entry.   You must create that manager entry on the standalone
> server.  Please read the link I sent you:
>
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html
> 
> 
>
> You can verify its existence by doing this search against the
> standalone server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>> Hi!
>> Thank you for the fast reply.
>> Yes, I want to use a standalone 389DS as a replica from FreeIPA.
>> Here is my replica:
>> filter: (objectclass=nsds5replica)
>> requesting: All userApplication attributes
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=nsds5replica)
>> # requesting: ALL
>> #
>>
>> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
>> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
>> objectClass: top
>> objectClass: nsds5replica
>> objectClass: extensibleObject
>> cn: replica
>> nsDS5ReplicaRoot: dc=example,dc=com
>> nsDS5ReplicaId: 7
>> nsDS5ReplicaType: 3
>> nsDS5Flags: 1
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=replication manager,cn=config
>> nsState:: BwBZ98ZXAAABAA==
>> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
>> nsds5ReplicaChangeCount: 22
>> nsds5replicareapactive: 0
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> So, my replica has the entry "cn=replication manager"
>>
>> But when I try to add the entry in the agreement, unfortunately it does not
>> help; the error is still present:
>> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
>> ldap_initialize( ldap://ldap1.example.com:389 )
>> dn:
>> cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config
>> changetype: modify
>> replace: nsds5ReplicaBindDN
>> nsds5ReplicaBindDN: cn=replication manager,cn=config
>> replace nsds5ReplicaBindDN:
>> cn=replication manager,cn=config
>> modifying entry
>> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
>> tree,cn=config"
>> modify complete
>>
>> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
>> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin -
>> schema-compat-plugin tree scan will start in about 5 seconds!
>> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
>> Interfaces port 389 for LDAP requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [31/Aug/2016:11:11:09 +0000] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
>> entries set up under ou=sudoers,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
>> entries set up under cn=ng, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
>> entries set up under cn=computers, cn=compat,dc=example,dc=com
>> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished
>> plugin initialization.
>> [31/Aug/2016:13:38:01 +0000]

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi, Mark!

Thanks for the explanation. Now I have created the replication manager (I hope):
[root@ldap1 ~]# ldapsearch -h ldap1.example.com -p 389 -xLLL -D
"cn=directory manager" -W -b cn=config "cn=replication manager"
Enter LDAP Password:
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: e1NTSEF9N1JiRmNXWTFXNDA1cmdYSUdCNWJtV3RzOElNQXBhakhXam94WlE9PQ==

What is next? I use the manual from version 8 and it is a bit obsolete.


2016-08-31 19:30 GMT+03:00 Mark Reynolds :

> Hi Andrey,
>
> It looks like you still did not create the replication manager entry.
> You must create that manager entry on the standalone server.  Please read
> the link I sent you:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Direct
> ory_Server/10/html/Administration_Guide/Creating_the_
> Supplier_Bind_DN_Entry.html
>
> You can verify its existence by doing this search against the standalone
> server:
>
> ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W
> -b cn=config "cn=replication manager"
>
> Mark
>
>
> On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
>
> Hi!
> Thank you for the fast reply.
> Yes, I want to use a standalone 389DS as a replica of FreeIPA.
> Here is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwBZ98ZXAAABAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 22
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, my replica has the entry "cn=replication manager"
>
> But when I try to add the entry in the agreement, unfortunately it does not
> help; the error is still present:
> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D
> "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDN
> nsds5ReplicaBindDN: cn=replication manager,cn=config
> replace nsds5ReplicaBindDN:
> cn=replication manager,cn=config
> modifying entry 
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
> tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on /var/run/slapd-EXAMPLE-COM.socket
> for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries
> set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries
> set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
> [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
> such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
> failed: LDAP error 32 (No such object) ()
> ^C
> [root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D
> "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
> start
> modifying entry 
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
> port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
> LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Mark Reynolds
Hi Andrey,

It looks like you still did not create the replication manager entry.  
You must create that manager entry on the standalone server.  Please
read the link I sent you:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html


You can verify its existence by doing this search against the standalone
server:

ldapsearch -h ldap1.example.com -p 389 -xLLL -D "cn=directory manager" -W -b cn=config "cn=replication manager"

Mark


On 08/31/2016 11:50 AM, Andrey Rogovsky wrote:
> Hi!
> Thank you for the fast reply.
> Yes, I want to use a standalone 389DS as a replica of FreeIPA.
> Here is my replica:
> filter: (objectclass=nsds5replica)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5replica)
> # requesting: ALL
> #
>
> # replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: dc=example,dc=com
> nsDS5ReplicaId: 7
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsState:: BwBZ98ZXAAABAA==
> nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
> nsds5ReplicaChangeCount: 22
> nsds5replicareapactive: 0
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> So, my replica has the entry "cn=replication manager"
>
> But when I try to add the entry in the agreement, unfortunately it does not
> help; the error is still present:
> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5ReplicaBindDN
> nsds5ReplicaBindDN: cn=replication manager,cn=config
> replace nsds5ReplicaBindDN:
> cn=replication manager,cn=config
> modifying entry
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin -
> schema-compat-plugin tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636
> for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on
> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE
> auth failed: LDAP error 32 (No such object) ()
> ^C
> [root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com
>  -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389
>  )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
> start
> modifying entry
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636
> for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on
> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] sche

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Andrey Rogovsky
Hi!
Thank you for the fast reply.
Yes, I want to use a standalone 389DS as a replica of FreeIPA.
Here is my replica:
filter: (objectclass=nsds5replica)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=nsds5replica)
# requesting: ALL
#

# replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaId: 7
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: BwBZ98ZXAAABAA==
nsDS5ReplicaName: 496dba82-6f7a11e6-9d5ba359-5196ffe4
nsds5ReplicaChangeCount: 22
nsds5replicareapactive: 0

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So, my replica has the entry "cn=replication manager"

But when I try to add the entry in the agreement, unfortunately it does not
help; the error is still present:
[root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory
manager" -w ...
ldap_initialize( ldap://ldap1.example.com:389 )
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config
changetype: modify
replace: nsds5ReplicaBindDN
nsds5ReplicaBindDN: cn=replication manager,cn=config
replace nsds5ReplicaBindDN:
cn=replication manager,cn=config
modifying entry
"cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config"
modify complete

[root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
[31/Aug/2016:11:11:09 +0000] schema-compat-plugin - schema-compat-plugin
tree scan will start in about 5 seconds!
[31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
LDAPS requests
[31/Aug/2016:11:11:09 +0000] - Listening on
/var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
initialization.
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
[cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()
^C
[root@ldap1 ~]# ldapmodify  -v -h ldap1.example.com -p 389 -D "cn=directory
manager" -w ...
ldap_initialize( ldap://ldap1.example.com:389 )
dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config
changetype: modify
replace: nsds5beginreplicarefresh
nsds5beginreplicarefresh: start
replace nsds5beginreplicarefresh:
start
modifying entry
"cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
tree,cn=config"
modify complete

[root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
[31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636 for
LDAPS requests
[31/Aug/2016:11:11:09 +0000] - Listening on
/var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no entries set
up under ou=sudoers,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set
up under cn=ng, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no entries set
up under cn=computers, cn=compat,dc=example,dc=com
[31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
initialization.
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id
[cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No
such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth
failed: LDAP error 32 (No such object) ()
[31/Aug/2016:15:48:36 +0000] slapi_ldap_bind - Error: could not bind id
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error
32 (No such object) errno 0 (Success)
^C
[root@ldap1 ~]#


2016-08-31 18:15 GMT+03:00 Mark Reynolds :

>
>
> On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
>
> Hi!
>
> I am trying to configure a manual replica from the FreeIPA DS to a 389 DS.
> I have two VMs: ldap1.example.com and ldap2.example.com
> I was used this manual https://www.centos.org/docs/5/html/CDS/ag/8.0/
> Managing_Replication-Configuring-Replicati

Re: [Freeipa-users] Command-line replication is not works in FreeIPA-Master

2016-08-31 Thread Mark Reynolds


On 08/31/2016 09:50 AM, Andrey Rogovsky wrote:
> Hi!
>
> I am trying to configure a manual replica from the FreeIPA DS to a 389 DS.
> I have two VMs: ldap1.example.com and ldap2.example.com
> I used this manual
> https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Replication-Configuring-Replication-cmd.html
> to configure the replica
>
> This was the replica agreement before starting:
>
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5ReplicationAgreement)
> # requesting: ALL
> #
>
> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
>  cn=config
> objectClass: top
> objectClass: nsds5replicationagreement
> cn: ExampleAgreement
> nsDS5ReplicaHost: ldap2
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=replication manager
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaRoot: dc=example,dc=com
> description: agreement between supplier1 and consumer1
> nsDS5ReplicaUpdateSchedule: 0000-0500 1
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQUVJckpINmE0S3RFYl
>  NhLzkxL01qZg==}Wo+c0XfBnaDhg/a36yguXg==
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 19700101000000Z
> nsds5replicaLastUpdateEnd: 19700101000000Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 19700101000000Z
> nsds5replicaLastInitEnd: 19700101000000Z
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 
>
>
> These are the errors I get when I start the replica:
>
>
> [root@ldap1 ~]# ldapmodify -v -h ldap1.example.com -p 389 -D "cn=directory manager" -w ...
> ldap_initialize( ldap://ldap1.example.com:389 )
> dn: cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config
> changetype: modify
> replace: nsds5beginreplicarefresh
> nsds5beginreplicarefresh: start
> replace nsds5beginreplicarefresh:
> start
> modifying entry
> "cn=ExampleAgreement,cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> modify complete
>
> [root@ldap1 ~]# tail -f /var/log/dirsrv/slapd-EXAMPLE-COM/errors
> [31/Aug/2016:11:11:09 +0000] schema-compat-plugin -
> schema-compat-plugin tree scan will start in about 5 seconds!
> [31/Aug/2016:11:11:09 +0000] - slapd started.  Listening on All
> Interfaces port 389 for LDAP requests
> [31/Aug/2016:11:11:09 +0000] - Listening on All Interfaces port 636
> for LDAPS requests
> [31/Aug/2016:11:11:09 +0000] - Listening on
> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
> [31/Aug/2016:11:11:13 +0000] schema-compat-plugin - warning: no
> entries set up under ou=sudoers,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=ng, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - warning: no
> entries set up under cn=computers, cn=compat,dc=example,dc=com
> [31/Aug/2016:11:11:14 +0000] schema-compat-plugin - Finished plugin
> initialization.
> [31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind
> id [cn=replication manager] authentication mechanism [SIMPLE]: error
> 32 (No such object) errno 0 (Success)
> [31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin -
> agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE
> auth failed: LDAP error 32 (No such object) ()
> ^C
I'm assuming this is just a standalone 389 Directory Server you are
trying to replicate to (not a FreeIPA installation).  If it is a FreeIPA
installation, then you should use the FreeIPA CLI for setting up
replication.

The error 32 (no such object) you are getting is because the replica
does not have an entry "cn=replication manager".  Looking at the
replication agreement:

nsDS5ReplicaBindDN: cn=replication manager

This is not a valid DN as there is no base suffix.  For example, I would
expect to see something like "cn=replication manager,cn=config"

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Creating_the_Supplier_Bind_DN_Entry.html

Regards,
Mark
>
> Please help me fix this
>
>
>
>
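As an added example (not code from the thread, from 389-ds or from FreeIPA), a small pre-flight check that covers both Mark's point above about the agreement's nsDS5ReplicaBindDN lacking a base suffix and the errors-log bind failures Andrey posted: it parses the agreement and the consumer's replica entry from LDIF, flags a bind DN that is a single RDN or that the consumer does not list as allowed to bind, and extracts the "could not bind id ... error 32" lines from an errors log. The LDIF and log lines are constructed, modelled on the ones in the thread.

```python
import re

# Constructed sample input modelled on the thread (not verbatim): the agreement
# as first posted, the consumer's replica entry, and a 389-ds errors-log excerpt.
AGREEMENT_BAD = """\
dn: cn=ExampleAgreement,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,
 cn=config
nsDS5ReplicaBindDN: cn=replication manager
"""
AGREEMENT_OK = AGREEMENT_BAD.replace("manager\n", "manager,cn=config\n")
CONSUMER_REPLICA = """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaBindDN: cn=replication manager,cn=config
"""
ERRORS_LOG = """\
[31/Aug/2016:13:38:01 +0000] slapi_ldap_bind - Error: could not bind id [cn=replication manager] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[31/Aug/2016:13:38:01 +0000] NSMMReplicationPlugin - agmt="cn=ExampleAgreement" (ldap2:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
"""

def parse_ldif(text):
    """Single-entry LDIF -> {lower-cased attr: [values]}; joins continuation lines."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith(" ") and joined:
            joined[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith("#"):
            joined.append(raw)
    entry = {}
    for line in joined:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))
    return entry

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash escapes and quoted values."""
    rdns, cur, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                     # escaped char: copy both verbatim
            cur, i = cur + dn[i:i + 2], i + 2
            continue
        quoted ^= ch == '"'
        if ch == "," and not quoted:       # unquoted comma ends the RDN
            rdns.append(cur.strip()); cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur.strip())
    return [r for r in rdns if r]

def check_bind_dn(agreement_ldif, consumer_ldif):
    """Findings about the agreement's bind DN; [] means it is a full DN that
    the consumer's replica entry lists as allowed to bind."""
    agmt, repl = parse_ldif(agreement_ldif), parse_ldif(consumer_ldif)
    bind_dn = agmt.get("nsds5replicabinddn", [""])[0]
    findings = []
    if len(split_dn(bind_dn)) < 2:
        findings.append("bind DN %r has no base suffix (single RDN)" % bind_dn)
    if bind_dn.lower() not in {d.lower() for d in repl.get("nsds5replicabinddn", [])}:
        findings.append("consumer replica does not allow %r to bind" % bind_dn)
    return findings

BIND_FAIL = re.compile(r"could not bind id \[([^\]]+)\].*?: error (\d+) \(([^)]*)\)")

def replication_bind_failures(log_text):
    """(bind_dn, ldap_error_code, message) for each failed replication bind."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in BIND_FAIL.finditer(log_text)]
```

Run check_bind_dn() against the agreement exported from the supplier and the replica entry exported from the consumer before setting nsds5beginreplicarefresh, and replication_bind_failures() over the consumer's errors log afterwards.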

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project