On 11/12/19 4:47 PM, Graham Leggett wrote:
Hi all,

We have a long-standing 389ds master LDAP server that was found to be unable to contact its slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this:

[12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”)

What is the bind method of the agreement?  SSLCLIENTAUTH?  The problem is that the ID is anonymous (anon).  So it's not binding correctly to the consumer.   What do you have for these attributes in the replication agreement:

This is what I have:

dn: cn=blah,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

nsDS5ReplicaBindMethod: sslclientauth
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindDN: cn=replication manager,cn=config


Key is "system error 0 (no error)", which leaves us stumped. The error is obviously "success".

Has anyone seen this kind of thing before?

This is 389ds running on CentOS7 as follows:



