----- Original Message -----
From: "Noriko Hosoi" <nhosoi(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Sent: Monday, August 18, 2014 5:03:57 PM
Subject: Re: [389-users] cannot make replication work over SSL
You mentioned hosts test-ds1 and test-ds2. What is test-ds3? Is it another consumer?
No. Sorry, my mistake. I wanted to simplify the description, and so wrote 'test-ds2' when in actuality the host I'm trying to make a consumer via replication over SSL is 'test-ds3'. I just thought it would read better as 'test-ds1 and test-ds2' instead of what I actually have: test-ds1 the supplier, and test-ds3 the consumer.
Does this command line work on the host test-ds1?
ldapsearch -LLL -x -H ldaps://test-ds3 -s sub -b dc=infinityhealthcare,dc=com uid=jdetert
Yes it works.
If yes, what happens if you add this to your agreement?
> nsDS5ReplicaTransportInfo: SSL
The replication agreement still had the state I reported below, so I 'restarted' the replication by issuing this command:
ldapmodify -cax -h localhost -y ~jdetert/pword -D 'cn=Directory Manager' <<BYE
dn: cn=dc-ihc-dc-com-to-ds3, cn=replica, cn="dc=infinityhealthcare,dc=com", cn=mapping tree, cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
BYE
However, replication still doesn't work. Here's what the agreement looks like now:
dn: cn=dc-ihc-dc-com-to-ds3,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds3
cn: dc-ihc-dc-com-to-ds3
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds3.infinityhealthcare.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList memberof
nsDS5ReplicaCredentials: {DES}Nz0qsqM5nShesnQPldsB7vYKQXOj2azjan8bTsUWxNM=
nsDS5ReplicaTransportInfo: SSL
nsds5BeginReplicaRefresh: start
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -5 Unable to acquire replicaLDAP error: Timed out
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20140818205749Z
nsds5replicaLastInitEnd: 0
nsds5replicaLastInitStatus: 0
If it still does not work, could you try replacing the replica host like this?
> nsDS5ReplicaHost: test-ds3
Getting to that. Will reply when I've tried it.
Regards,
Jon
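The exchange above turns on two things: reading the agreement entry that ldapsearch prints (LDIF, with long values folded onto continuation lines) and reproducing, from the supplier, the exact connection the supplier makes to the consumer (same scheme, host name, port and bind DN as the agreement, not an anonymous search against a short host name). The script below is an added example for this thread, not code from 389-ds or from either poster. It parses the agreement Jon posted (copied above, re-folded LDIF-style, with the nsDS5ReplicaCredentials value replaced by a placeholder), extracts the endpoint and last-update status, lists configuration points worth checking, and builds the equivalent ldapsearch command. The findings and the root-DSE read are the author's choices, not anything the thread prescribes.

```python
"""Parse a 389-ds replication agreement as ldapsearch prints it and derive
the connectivity check a supplier must pass before it can acquire the
consumer.  Added example, not 389-ds code; the entry below is the one from
the thread with the credential value replaced by a placeholder."""
import base64
import shlex

# Agreement entry from the post above, folded the way ldapsearch -LLL emits
# it (continuation lines begin with a single space).
AGREEMENT_LDIF = r"""dn: cn=dc-ihc-dc-com-to-ds3,cn=replica,cn=dc\3Dinfinityhealthcare\2Cdc\3Dcom,c
 n=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: agreement to replicate dc=ihc,dc=com tree from ds1 to ds3
cn: dc-ihc-dc-com-to-ds3
nsDS5ReplicaRoot: dc=infinityhealthcare,dc=com
nsDS5ReplicaHost: test-ds3.infinityhealthcare.com
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationLis
 t memberof
nsDS5ReplicaCredentials: {DES}PLACEHOLDER
nsDS5ReplicaTransportInfo: SSL
nsds5replicaLastUpdateStatus: -5 Unable to acquire replicaLDAP error: Timed ou
 t
nsds5replicaUpdateInProgress: FALSE
"""


def unfold_ldif(text):
    """Undo LDIF line folding: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entry(text):
    """Map lower-cased attribute name to its list of values for one LDIF entry.
    'attr:: base64' values (non-ASCII or leading-space data) are decoded."""
    entry = {}
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def first(entry, attr, default=None):
    """First value of an attribute, looked up case-insensitively."""
    values = entry.get(attr.lower())
    return values[0] if values else default


def replication_endpoint(entry):
    """(scheme, host, port, transport) the supplier uses to reach the consumer.
    nsDS5ReplicaTransportInfo is LDAP (plain), SSL (LDAPS) or TLS (StartTLS)."""
    host = first(entry, "nsDS5ReplicaHost")
    port = int(first(entry, "nsDS5ReplicaPort", "389"))
    transport = first(entry, "nsDS5ReplicaTransportInfo", "LDAP").upper()
    scheme = "ldaps" if transport == "SSL" else "ldap"
    return scheme, host, port, transport


def acquire_status(entry):
    """Split nsds5replicaLastUpdateStatus into (numeric code, message); 0 is success."""
    status = first(entry, "nsds5replicaLastUpdateStatus", "")
    code, _, message = status.partition(" ")
    try:
        return int(code), message
    except ValueError:
        return None, status


def consumer_check_command(entry):
    """ldapsearch that mirrors the supplier's connection: same URI (scheme, host
    name and port from the agreement) and same bind DN.  -W prompts for the
    replication manager password rather than exposing it on the command line;
    a base search of the root DSE needs nothing beyond a successful bind."""
    scheme, host, port, transport = replication_endpoint(entry)
    cmd = ["ldapsearch", "-x", "-LLL", "-H", f"{scheme}://{host}:{port}",
           "-D", first(entry, "nsDS5ReplicaBindDN"), "-W",
           "-s", "base", "-b", "", "namingContexts"]
    if transport == "TLS":
        cmd.insert(1, "-ZZ")  # StartTLS on the plain port, and fail if it does not complete
    return cmd


def findings(entry):
    """Configuration points to rule out before chasing certificates or firewalls."""
    out = []
    scheme, host, port, transport = replication_endpoint(entry)
    if transport == "SSL" and port == 389:
        out.append("transport SSL but port 389: LDAPS normally listens on 636")
    if transport != "SSL" and port == 636:
        out.append("port 636 without transport SSL: plain LDAP to an LDAPS port hangs or fails")
    if transport == "LDAP" and first(entry, "nsDS5ReplicaBindMethod", "").upper() == "SIMPLE":
        out.append("SIMPLE bind over plain LDAP sends the replication manager password in clear")
    if "." not in host:
        out.append(f"host '{host}' is unqualified; the consumer certificate must match the name used")
    code, message = acquire_status(entry)
    if code not in (None, 0):
        out.append(f"last update failed with {code}: {message}")
    return out


if __name__ == "__main__":
    agreement = parse_entry(AGREEMENT_LDIF)
    for f in findings(agreement):
        print("finding:", f)
    print("check from the supplier with:", shlex.join(consumer_check_command(agreement)))
```

Run it on the supplier (test-ds1 here) and paste the printed ldapsearch into a shell there; if that bind over ldaps://test-ds3.infinityhealthcare.com:636 as uid=replica-manager,cn=config does not return the root DSE, the replication agreement cannot work either, and the failure is in the TLS trust, the host name, or the bind credentials rather than in the agreement attributes.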