secure replication failing
by Elizabeth Jones
I have multimaster replication set up on 4 LDAP servers but can't get
secure replication working on one of the servers. The setup is like this:

    data center 1                data center 2
    ldap1 <--------------------> ldap1
     ^ |                          ^ |
     | |                          | |
     | v                          | v
    ldap2                        ldap2

Each server has its own self-signed cert.
I can successfully replicate in all the directions indicated except for
replication from data center1 ldap2 to data center1 ldap1.
I know that I have the right certificate on ldap2. I can ldapsearch -ZZ
from ldap2 to ldap1 successfully using this certificate. I can
successfully replicate from data center 2 ldap1 to data center1 ldap1
using this certificate. But replication refuses to work from DC1 ldap2 to
DC1 ldap1!!!!
The logs say LDAP error: Can't contact LDAP server. Error Code: -1.
I've disabled iptables on both data center 1 ldaps. I've rebuilt the
replication agreement a dozen times. I've ldapsearch -ZZ'ed a dozen times.
I've reinstalled the CA certificate (using the one from my openldap
directory, so I know that it is the same one that is working for
ldapsearch -ZZ, as well as exporting it from ldap1 again and reinstalling
it). What else can I possibly do to get this working?
These are my rpms -
# rpm -qa | grep 389
389-ds-base-libs-1.2.11.25-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-ds-base-1.2.11.25-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
openssl-1.0.1e-16.el6_5.4.x86_64
# uname -a
Linux dc1-ldap2 2.6.32-431.5.1.el6.x86_64
9 years, 7 months
Replication error after initializing consumer
by Shilen Patel
Hi,
I'm not sure if this is related to my previous email, but I'm also seeing issues when adding an entry while a suffix on a consumer is being initialized. Again, I'm running 1.2.11.30. Here are the details:
1. Using the console, I started to initialize a suffix.
[19/Aug/2014:17:46:35 +0100] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=test5toSing1" (consumerhost:636)".
2. While that was happening, I added an entry to the suffix on the master.
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
changetype: add
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: organizationalperson
cn: test
sn: test
uid: shilen3
[19/Aug/2014:17:47:04 +0100] conn=155 op=1 ADD dn="uid=shilen3,ou=people,ou=test,dc=duke,dc=edu"
[19/Aug/2014:17:47:04 +0100] conn=155 op=1 RESULT err=0 tag=105 nentries=0 etime=0 csn=53f37f89000000050000
3. The init later finished.
[19/Aug/2014:17:48:55 +0100] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=test5toSing1" (consumerhost:636)". Sent 270 entries.
At this point, the entry does exist on the consumer. Presumably it was added as part of the init.
4. However, the master still wants to send the ADD to the consumer. On the consumer, I have the following repeated every few seconds:
[19/Aug/2014:17:48:54 +0100] conn=2002 op=56 ADD dn="uid=shilen3,ou=people,ou=test,dc=duke,dc=edu"
[19/Aug/2014:17:48:54 +0100] conn=2002 op=56 RESULT err=53 tag=105 nentries=0 etime=0 csn=53f37f89000000050000
And on the master, I have this:
[19/Aug/2014:17:48:58 +0100] NSMMReplicationPlugin - agmt="cn=test5toSing1" (consumerhost:636): Consumer failed to replay change (uniqueid 5d458a02-27c011e4-a066d327-58be45f0, CSN 53f37f89000000050000): Server is unwilling to perform (53). Will retry later.
A cl-dump shows the following:
changetype: add
replgen: 53e0f14e000000050000
csn: 53f37f89000000050000
nsuniqueid: 5d458a02-27c011e4-a066d327-58be45f0
parentuniqueid: bcd34401-21ba11df-80799838-3cd697e9
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
change::
add: objectClass
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
-
add: cn
cn: test
-
add: sn
sn: test
-
add: uid
uid: shilen3
-
add: creatorsName
creatorsName: cn=directory manager
-
add: modifiersName
modifiersName: cn=directory manager
-
add: createTimestamp
createTimestamp: 20140819164704Z
-
add: modifyTimestamp
modifyTimestamp: 20140819164704Z
-
add: nsUniqueId
nsUniqueId: 5d458a02-27c011e4-a066d327-58be45f0
-
add: parentid
parentid: 2
-
add: entryid
entryid: 277
-
add: entrydn
entrydn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
-
If anyone has any thoughts on this one, that would be appreciated.
Thanks!
-- Shilen
9 years, 8 months
Re: [389-users] Autofs Configuration with 389 Directory Server.
by Dhiraj Deshpande
Hi,
I am trying to configure automount with 389 Directory Server, but I am facing a strange issue.
Even though I have added the automountmap and automount objectclasses, it is not working. The debug log says it fails to find the objectclass. Please help me with it. Pasting the automount configuration as well as the logs.
dn: ou=auto.master,dc=win,dc=com
ou: auto.master
objectClass: top
objectClass: organizationalunit
objectClass: automountmap
dn: ou=auto.direct,dc=win,dc=com
ou: auto.direct
objectClass: top
objectClass: organizationalunit
objectClass: automountmap
dn: cn=/repo,ou=auto.direct,dc=win,dc=com
objectClass: top
objectClass: automount
cn: /repo
automountInformation: -rw,hard,intr,nfsvers=3,tcp,rsize=524288,wsize=524288 test1:/ifs/Projects03/Tech
dn: cn=/-,ou=auto.master,dc=win,dc=com
objectClass: top
objectClass: automount
cn: /-
automountInformation: ldap:server1.win.com:ou=auto.direct,dc=win,dc=com
Aug 23 21:07:24 ibm001 automount[8900]: Starting automounter version 5.0.5-54.el6, master map auto.master
Aug 23 21:07:24 ibm001 automount[8900]: using kernel protocol version 5.02
Aug 23 21:07:24 ibm001 automount[8900]: lookup_nss_read_master: reading master files auto.master
Aug 23 21:07:24 ibm001 automount[8900]: parse_init: parse(sun): init gathered global options: (null)
Aug 23 21:07:24 ibm001 automount[8900]: lookup_read_master: lookup(file): read entry /net
Aug 23 21:07:24 ibm001 automount[8900]: lookup_read_master: lookup(file): read entry /-
Aug 23 21:07:24 ibm001 automount[8900]: master_do_mount: mounting /net
Aug 23 21:07:24 ibm001 automount[8900]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-net
Aug 23 21:07:24 ibm001 automount[8900]: lookup_nss_read_map: reading map hosts (null)
Aug 23 21:07:24 ibm001 automount[8900]: parse_init: parse(sun): init gathered global options: (null)
Aug 23 21:07:24 ibm001 automount[8900]: mounted indirect on /net with timeout 300, freq 75 seconds
Aug 23 21:07:24 ibm001 automount[8900]: st_ready: st_ready(): state = 0 path /net
Aug 23 21:07:24 ibm001 automount[8900]: master_do_mount: mounting /-
Aug 23 21:07:24 ibm001 automount[8900]: automount_path_to_fifo: fifo name /var/run/autofs.fifo--
Aug 23 21:07:24 ibm001 automount[8900]: lookup_nss_read_map: reading map ldap ldap:server1.win.com:ou=auto.direct,dc=win,dc=com
Aug 23 21:07:24 ibm001 automount[8900]: parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "ldap:server1.win.com:ou=auto.direct,dc=win,dc=com".
Aug 23 21:07:24 ibm001 automount[8900]: parse_server_string: lookup(ldap): server "ldap://server1.win.com/", base dn "ou=auto.direct,dc=win,dc=com"
Aug 23 21:07:24 ibm001 automount[8900]: parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
Aug 23 21:07:24 ibm001 automount[8900]: parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 2, sasl_mech: PLAIN
Aug 23 21:07:24 ibm001 automount[8900]: parse_ldap_config: lookup(ldap): user: proxyuser, secret: specified, client principal: (null) credential cache: (null)
Aug 23 21:07:24 ibm001 automount[8900]: parse_init: parse(sun): init gathered global options: (null)
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): auth_required: 2, sasl_mech PLAIN
Aug 23 21:07:25 ibm001 automount[8900]: sasl_bind_mech: Attempting sasl bind with mechanism PLAIN
Aug 23 21:07:25 ibm001 automount[8900]: getuser_func: called with context (nil), id 16386.
Aug 23 21:07:25 ibm001 automount[8900]: getuser_func: called with context (nil), id 16385.
Aug 23 21:07:25 ibm001 automount[8900]: getpass_func: context (nil), id 16388
Aug 23 21:07:25 ibm001 automount[8900]: sasl_bind_mech: sasl bind with mechanism PLAIN succeeded
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
Aug 23 21:07:25 ibm001 automount[8900]: get_query_dn: lookup(ldap): query succeeded, no matches for (objectclass=automountMap)
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): failed to get query dn
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): auth_required: 2, sasl_mech PLAIN
Aug 23 21:07:25 ibm001 automount[8900]: sasl_bind_mech: Attempting sasl bind with mechanism PLAIN
Aug 23 21:07:25 ibm001 automount[8900]: getuser_func: called with context (nil), id 16386.
Aug 23 21:07:25 ibm001 automount[8900]: getuser_func: called with context (nil), id 16385.
Aug 23 21:07:25 ibm001 automount[8900]: getpass_func: context (nil), id 16388
Aug 23 21:07:25 ibm001 automount[8900]: sasl_bind_mech: sasl bind with mechanism PLAIN succeeded
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): autofs_sasl_bind returned 0
Aug 23 21:07:25 ibm001 automount[8900]: get_query_dn: lookup(ldap): query succeeded, no matches for (objectclass=automountMap)
Aug 23 21:07:25 ibm001 automount[8900]: do_bind: lookup(ldap): failed to get query dn
Aug 23 21:07:25 ibm001 automount[8900]: lookup(ldap): couldn't connect to server ldap://server1.win.com/
Aug 23 21:07:25 ibm001 automount[8900]: mount_autofs_direct: failed to read direct map
Aug 23 21:07:25 ibm001 automount[8900]: handle_mounts: mount of /- failed!
Aug 23 21:07:25 ibm001 automount[8900]: master_do_mount: failed to startup mount
--
Thanks & Regards
Dhiraj S. Deshpande
9 years, 8 months
Back up of database for disaster recovery
by Alberto Suárez
Hello:
I would like to make a valid copy of the LDAP data so that I could
restore it in another 389 installation in case of a crash. What is the
best way? I have tried the 389 commands but came across issues.
Thank you.
Alberto Suárez
9 years, 8 months
Replication error with userPassword
by Shilen Patel
Hi,
I'm running 1.2.11.30 and having an issue replicating the userPassword attribute. The problem appears to only occur if I'm adding the attribute (rather than replacing) and when it is not in plaintext. For example, the following replicates without any issues:
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
changetype: modify
add: userPassword
userPassword: test
The following is good too:
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
changetype: modify
replace: userPassword
userPassword: {SSHA}DMK4S6PK6+rKSLNOL1Hl01mVJmgGi5jH
But the following updates successfully on the server that I'm directly hitting, but replication fails.
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
changetype: modify
add: userPassword
userPassword: {SSHA}DMK4S6PK6+rKSLNOL1Hl01mVJmgGi5jH
In all cases, userPassword had no values in the entry to begin with. When the error occurs, I receive the following message on the supplier:
[19/Aug/2014:15:26:33 +0100] NSMMReplicationPlugin - agmt="cn=test5to6" (host:636): Consumer failed to replay change (uniqueid 1056b901-27aa11e4-a066d327-58be45f0, CSN 53f35e82000000050000): Protocol error (2). Will retry later.
If I do a cl-dump, I see the following:
changetype: modify
replgen: 53e0f14e000000050000
csn: 53f35e82000000050000
nsuniqueid: 1056b901-27aa11e4-a066d327-58be45f0
dn: uid=shilen3,ou=people,ou=test,dc=duke,dc=edu
change::
add: userPassword
userPassword:: e1NTSEF9RE1LNFM2UEs2K3JLU0xOT0wxSGwwMW1WSm1nR2k1akg=
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20140819142609Z
-
add: unhashed#user#password
-
Any clues as to what the problem might be? Also, when a problem like this occurs, is there any way to fix it without having to re-init the suffix on all the consumers?
Thanks!
-- Shilen
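Both of the replay failures reported above (err=53 "Server is unwilling to perform" after the total update, and the "Protocol error (2)" on the userPassword add) surface on the supplier as "Consumer failed to replay change ... Will retry later." lines carrying the agreement name, the entry's nsUniqueId and the CSN. The following is an added example, not code from the thread or from the 389 project: it parses such errors-log lines, groups them by agreement and CSN so the retry loop is visible as a count, and decodes the CSN (8 hex digits of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number) so the change can be matched against the cl-dump output and the access-log timestamps. The sample log is constructed from the quoted lines plus one repeated line to stand in for the retry loop.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the replay-failure lines quoted in the two threads above, a
# constructed repeat of the first one (the poster reports it recurring every few
# seconds), and one unrelated line that must be ignored. Not a real log file.
SAMPLE_ERRORS_LOG = """\
[19/Aug/2014:17:48:58 +0100] NSMMReplicationPlugin - agmt="cn=test5toSing1" (consumerhost:636): Consumer failed to replay change (uniqueid 5d458a02-27c011e4-a066d327-58be45f0, CSN 53f37f89000000050000): Server is unwilling to perform (53). Will retry later.
[19/Aug/2014:17:49:03 +0100] NSMMReplicationPlugin - agmt="cn=test5toSing1" (consumerhost:636): Consumer failed to replay change (uniqueid 5d458a02-27c011e4-a066d327-58be45f0, CSN 53f37f89000000050000): Server is unwilling to perform (53). Will retry later.
[19/Aug/2014:15:26:33 +0100] NSMMReplicationPlugin - agmt="cn=test5to6" (host:636): Consumer failed to replay change (uniqueid 1056b901-27aa11e4-a066d327-58be45f0, CSN 53f35e82000000050000): Protocol error (2). Will retry later.
[19/Aug/2014:17:48:55 +0100] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=test5toSing1" (consumerhost:636)". Sent 270 entries.
"""

# Shape of the supplier's "failed to replay" line as it appears in the thread.
REPLAY_FAIL = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): Consumer failed to replay change '
    r'\(uniqueid (?P<uniqueid>[0-9a-f-]+), CSN (?P<csn>[0-9a-f]{20})\): '
    r'(?P<reason>.+?) \((?P<code>-?\d+)\)\. Will retry later\.$'
)


def decode_csn(csn):
    """Split a 20-hex-digit 389 DS CSN into its fields.

    Layout: 8 hex chars of Unix time, 4 of sequence number, 4 of replica id,
    4 of sub-sequence number. The time field lets the change be lined up with
    createTimestamp/modifyTimestamp in the cl-dump output.
    """
    if len(csn) != 20:
        raise ValueError("CSN must be 20 hex digits: %r" % csn)
    when = datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc)
    return {
        "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def summarize_replay_failures(log_text):
    """Group replay failures by (agreement, CSN) and count how often each retried."""
    out = {}
    for line in log_text.splitlines():
        m = REPLAY_FAIL.match(line)
        if not m:
            continue  # not a replay failure; ignore
        key = (m["agmt"], m["csn"])
        rec = out.get(key)
        if rec is None:
            fields = decode_csn(m["csn"])
            rec = out[key] = {
                "consumer": "%s:%s" % (m["host"], m["port"]),
                "uniqueid": m["uniqueid"],
                "code": int(m["code"]),
                "reason": m["reason"],
                "attempts": 0,
                "first_seen": m["ts"],
                "last_seen": m["ts"],
                "replica_id": fields["replica_id"],
                "change_time": fields["time"],
            }
        rec["attempts"] += 1
        rec["last_seen"] = m["ts"]  # log lines are appended in order
    return out


if __name__ == "__main__":
    for (agmt, csn), rec in summarize_replay_failures(SAMPLE_ERRORS_LOG).items():
        print("%s CSN %s (rid %d, change at %s): %s (%d), %d attempt(s), uniqueid %s" % (
            agmt, csn, rec["replica_id"], rec["change_time"], rec["reason"],
            rec["code"], rec["attempts"], rec["uniqueid"]))
```

The decoded change time of CSN 53f37f89000000050000 is 2014-08-19T16:47:05Z, which lines up with the createTimestamp 20140819164704Z in the cl-dump above, confirming that the stuck change is the ADD issued during the total update; a stuck CSN that keeps accumulating attempts is the thing to alert on, since the agreement will never advance past it on its own.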
9 years, 8 months
cannot make replication work over SSL
by Jon Detert
Hello,
I'm failing to make replication work over SSL. Hoping one of you can see what I'm missing:
My test involves one supplier (named test-ds1) and one consumer (named test-ds2), both running version 1.3.2.16.
Both supplier and consumer are listening to tcp 389 and 636. I can query each over ldaps (e.g. like this:
ldapsearch -LLL -x -H ldaps://test-ds2 -s sub -b dc=infinityhealthcare,dc=com uid=jdetert)
Replication works fine when I don't try to use ssl: a change on test-ds1 is automatically made on test-ds2 as well.
To try to use ssl, I delete the replication agreement and then recreate it, but specify nsDS5ReplicaPort as 636 instead of 389. Here's how the agreement looks when I've tried to use ssl:
dn: cn=dc-ihc-dc-com-to-ds3,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds3
cn: dc-ihc-dc-com-to-ds3
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds3.infinityhealthcare.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList memberof
nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20140818205749Z
nsds5replicaLastInitEnd: 0
nsds5replicaLastInitStatus: -5 - LDAP error: Timed out
The supplier's error log says this:
[18/Aug/2014:15:57:49 -0500] NSMMReplicationPlugin - agmt="cn=dc-ihc-dc-com-to-ds3" (test-ds3:636): Replication bind with SIMPLE auth failed: LDAP error -5 (Timed out) ()
[18/Aug/2014:16:07:49 -0500] slapi_ldap_bind - Error: timeout after [600.0] seconds reading bind response for [uid=replica-manager,cn=config] authentication mechanism [SIMPLE]
The consumer's error log says nothing about the replication attempt. However, I know the supplier has spoken to the consumer over ssl, because:
a) the consumer's access log shows that the supplier connected over SSL:
[18/Aug/2014:16:07:50 -0500] conn=11 fd=64 slot=64 SSL connection from 192.168.190.9 to 192.168.190.13
and
b) packet sniffing on the supplier shows the same.
Thanks in advance for any help you lend,
Jon Detert
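The agreement above changes only nsDS5ReplicaPort to 636 and keeps nsDS5ReplicaBindMethod: SIMPLE, with no nsDS5ReplicaTransportInfo attribute. In 389 DS the transport is chosen by nsDS5ReplicaTransportInfo (LDAP, SSL or TLS), not by the port number, and when the attribute is absent the supplier uses plain LDAP. The following is an added example, not code from the thread or from the 389 project: a small LDIF reader (handling the wrapped continuation lines that appear in the agreement as posted, and `::` base64 values as in the cl-dump output earlier on this page) plus an audit that flags agreements whose port and transport disagree, and agreements whose SIMPLE bind would carry the replication manager password over plain LDAP. The sample LDIF is constructed: the posted agreement with its credentials replaced by a placeholder, followed by a hypothetical second agreement that adds nsDS5ReplicaTransportInfo: SSL. The finding codes and function names are this example's own.

```python
import base64

# Constructed sample LDIF (raw string so the \3D and \2C escapes survive).
# First entry: the agreement as posted, credentials replaced by a placeholder.
# Second entry: hypothetical corrected agreement with the transport set to SSL.
SAMPLE_AGREEMENTS = r"""dn: cn=dc-ihc-dc-com-to-ds3,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c
 n=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: dc-ihc-dc-com-to-ds3
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds3.infinityhealthcare.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}REDACTED-PLACEHOLDER

dn: cn=dc-ihc-dc-com-to-ds3-ssl,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c
 n=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: dc-ihc-dc-com-to-ds3-ssl
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds3.infinityhealthcare.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}REDACTED-PLACEHOLDER
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts.

    A line starting with a single space continues the previous line, and
    "attr:: value" carries a base64-encoded value. Attribute names are
    lowercased because 389 returns them in mixed case (see the posted entry).
    """
    entries, logical = [], []

    def flush():
        if not logical:
            return
        entry = {}
        for line in logical:
            if line.startswith("#"):
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            attr = attr.strip().lower()
            if value.startswith(":"):  # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
        logical.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # LDIF continuation line
        else:
            logical.append(raw)
    flush()
    return entries


def check_agreement(entry):
    """Return (code, message) findings for one replication agreement entry."""
    findings = []
    transport = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper()
    port = entry.get("nsds5replicaport", ["389"])[0]
    method = entry.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
    if "nsds5replicatransportinfo" not in entry:
        findings.append(("TRANSPORT_MISSING",
                         "nsDS5ReplicaTransportInfo absent; the supplier defaults to plain LDAP"))
    if port == "636" and transport != "SSL":
        findings.append(("PORT_TRANSPORT_MISMATCH",
                         "nsDS5ReplicaPort is 636 but transport is %s; a non-SSL bind against "
                         "the LDAPS port gets no bind response and ends in a timeout" % transport))
    if method == "SIMPLE" and transport == "LDAP":
        findings.append(("CLEARTEXT_BIND",
                         "SIMPLE bind over plain LDAP sends the replication manager password unencrypted"))
    return findings


def audit_agreements(ldif_text):
    """Map each agreement's cn to its findings; non-agreement entries are skipped."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        report[entry["cn"][0]] = check_agreement(entry)
    return report


if __name__ == "__main__":
    for cn, findings in audit_agreements(SAMPLE_AGREEMENTS).items():
        print(cn, "OK" if not findings else "")
        for code, msg in findings:
            print("  [%s] %s" % (code, msg))
```

Run against the output of `ldapsearch -b "cn=mapping tree,cn=config" "(objectclass=nsDS5ReplicationAgreement)"` on a supplier, the audit reports the posted agreement three times (transport missing, port 636 with LDAP transport, cleartext SIMPLE bind) and the corrected one clean; the first two findings together describe the "Timed out" bind response seen in the supplier's error log.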
9 years, 8 months
Returned mail: see transcript for details
by Rich Megginson
This message was not delivered due to the following reason(s):
Your message was not delivered because the destination computer was
unreachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within 8 days:
Host 93.134.249.199 is not responding.
The following recipients could not receive this message:
<389-users(a)lists.fedoraproject.org>
Please reply to postmaster(a)redhat.com
if you feel this message to be in error.
9 years, 8 months
Dirsrv service at boot time
by Ghiurea, Isabella
Hi List,
I need to know how to configure dirsrv at boot time in EL6, where no systemctl is available.
Thank you
Isabella
9 years, 8 months
Re: [389-users] cfg archiving transactions log
by Ghiurea, Isabella
Thank you for feedback !
I would like to know whether, for point-in-time recovery of the db, I need these files besides the log/transaction log file.
Do I have to force a flush of the transactions to disk before running the db2bak.pl script?
I assume the output of db2bak.pl into a new directory will restore the whole DS; will this be the best option for disaster recovery (better than export/db2ldif)?
Isabella
9 years, 8 months