<div dir="ltr">My guess would be it's failing to validate the SSL certificate. Are you using a self-signed cert? If so, you'll need to import that CA cert across all of your servers.<div><br></div><div>You also could check serverc's error log when you start the server to see if it says that the server started up on 636 successfully.</div>
<div><br></div><div>You could try to switch it to not use SSL temporarily just to see if it works.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, May 4, 2014 at 9:59 AM, Graham Leggett <span dir="ltr"><<a href="mailto:minfrin@sharp.fm" target="_blank">minfrin@sharp.fm</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
Some more digging reveals that when an attempt is made for serverb to try and commence replication with serverc, I get the following in the error log:<br>
<br>
[04/May/2014:17:46:55 +0100] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>" (serverc:636)".<br>
[04/May/2014:17:47:02 +0100] NSMMReplicationPlugin - agmt="cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>" (serverc:636): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)<br>
[04/May/2014:17:47:02 +0100] NSMMReplicationPlugin - agmt="cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>" (serverc:636): Received error -1 (Can't contact LDAP server): for total update operation<br>
[04/May/2014:17:47:03 +0100] NSMMReplicationPlugin - agmt="cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>" (serverc:636): Warning: unable to send endReplication extended operation (Can't contact LDAP server)<br>
[04/May/2014:17:47:04 +0100] NSMMReplicationPlugin - agmt="cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>" (serverc:636): Replication bind with SIMPLE auth resumed<br>
<br>
Unfortunately the error message "Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)" is too vague to be useful because there is no clear and unambiguous indication of *which* server it is unable to connect to and on what port. The "(serverc:636)" would imply that it is trying to connect to "serverc", but "serverc" is the name of the instance, it is not the name of the server, so any attempt to connect to this will fail. The server is called <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>, and this name appears exclusively in the replication agreement:<br>
<br>
dn: cn=Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a>,cn=replica,cn=o\3DFoo\,c\3Dza,cn=mapping tree,cn=config<br>
objectClass: nsDS5ReplicationAgreement<br>
objectClass: top<br>
cn: Agreement <a href="http://serverc.example.com" target="_blank">serverc.example.com</a><br>
description: Replication agreement between <a href="http://serverb.example.com" target="_blank">serverb.example.com</a> and <a href="http://serverc.example.com" target="_blank">serverc.example.com</a><br>
nsds5BeginReplicaRefresh: start<br>
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config<br>
nsDS5ReplicaBindMethod: SIMPLE<br>
nsds5replicaChangesSentSinceStartup:<br>
nsDS5ReplicaCredentials:: xxx<br>
nsDS5ReplicaHost: <a href="http://serverc.example.com" target="_blank">serverc.example.com</a><br>
nsds5replicaLastInitEnd: 0<br>
nsds5replicaLastInitStart: 20140504164654Z<br>
nsds5replicaLastInitStatus: 0<br>
nsds5replicaLastUpdateEnd: 20140504164652Z<br>
nsds5replicaLastUpdateStart: 20140504164652Z<br>
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started<br>
nsDS5ReplicaPort: 636<br>
nsDS5ReplicaRoot: o=Foo,c=ZA<br>
nsDS5ReplicaTransportInfo: SSL<br>
nsds5replicaUpdateInProgress: FALSE<br>
<br>
At the same time, ssldump reveals that <a href="http://serverb.example.com" target="_blank">serverb.example.com</a> and <a href="http://serverc.example.com" target="_blank">serverc.example.com</a> are successfully speaking to one another, and have a lot to say - data seems to be constantly flowing between them, but not to any successful end.<br>
<br>
Does any of this behaviour look familiar to anybody?<br>
<br>
Regards,<br>
Graham<br>
--<br>
<br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></blockquote></div><br></div>
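As an added example, not part of this thread or of 389 Directory Server itself: a small Python diagnostic that parses the agreement entry (folding wrapped LDIF continuation lines such as the split "cn=mapping tree" above), pulls out the replica host, port and transport, and then probes that LDAPS port with the same chain and hostname verification a TLS client performs, so a bare "Can't contact LDAP server" can be separated into TCP-unreachable, certificate-untrusted (the self-signed CA case the reply raises) or some other handshake failure. The agreement values are constructed to mirror the quoted entry, and `cafile` is an assumed path to the supplier's trusted CA bundle.

```python
import socket
import ssl

# Constructed sample modelled on the thread's agreement; LDIF continuation lines begin with a space.
AGREEMENT_LDIF = """\
dn: cn=Agreement serverc.example.com,cn=replica,cn=o\\3DFoo\\,c\\3Dza,cn=mapping tr
 ee,cn=config
nsDS5ReplicaHost: serverc.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials:: eHh4
"""

def parse_ldif_entry(text):
    """Fold continuation lines, then map lowercase attribute -> list of values."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]            # continuation of the previous line
        elif raw.strip():
            folded.append(raw)
    entry = {}
    for line in folded:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "::" marks a base64-encoded value
            value = value[1:]
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def replica_target(entry):
    """Return (host, port, uses_tls) from a replication agreement entry."""
    host = entry["nsds5replicahost"][0]
    port = int(entry["nsds5replicaport"][0])
    return host, port, entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper() == "SSL"

def probe_ldaps(host, port, cafile=None, timeout=5.0):
    """Classify a failure to reach host:port with the verification a TLS client
    performs; cafile is the supplier's trusted CA bundle (assumed path)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"tcp: cannot reach {host}:{port} ({exc})"
    ctx = ssl.create_default_context(cafile=cafile)   # checks chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"ok: TLS established, peer subject {tls.getpeercert()['subject']}"
    except ssl.SSLCertVerificationError as exc:
        return f"tls: certificate rejected ({exc.verify_message}); import the issuing CA"
    except ssl.SSLError as exc:
        return f"tls: handshake failed ({exc})"
```

Run `probe_ldaps(*replica_target(parse_ldif_entry(AGREEMENT_LDIF))[:2], cafile="/path/to/ca.pem")` from the supplier host; a `tls: certificate rejected` result with the supplier's own CA bundle is the signature of the missing-CA case, while `tcp:` points at the name or port rather than the certificate.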