[389-users] Multi master replication problem (389 DS - AD)
Alberto Viana
albertocrj at gmail.com
Wed Jul 10 18:16:38 UTC 2013
Hi Noriko,
DS Base:389-Directory/1.3.1.3 B2013.189.1813
389 DS + Win2008 (I use my windows as CA)
The error came out again, so I decided to investigate it.
The error:
[10/Jul/2013:10:52:23 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Trying secure slapi_ldap_init_ext
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp, passwd = {DES}Zdi9SkO9E8Jpy/LJq528zg==
[10/Jul/2013:10:52:25 -0300] slapi_ldap_bind - Error: could not send bind
request for id [CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp] authentication mechanism [SIMPLE]:
error -1 (Can't contact LDAP server), system error -5987 (Invalid function
argument.), network error 115 (Operation now in progress, host
"hmg1.homolog.rnp")
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't
contact LDAP server) ((unknown error code))
The error starts when I set the option "Check hostname against name in
certificate for outbound SSL connections" in the Configuration -> Encryption tab.
If I uncheck this option, everything works fine again. As far as I know,
this option checks if the CN of the certificate is the same as the host in the
connection. Am I right?
I don't think that it is something with my certs, because I have the same
environment working fine with DS base
"389-Directory/1.2.10.12B2012.210.1745" with this option checked.
I also set nsslapd-errorlog-level to "16384", but it didn't give me
anything else.
What could it be? Is there anything else that I can provide to help debug?
Thanks
Alberto Viana
On Mon, Jul 8, 2013 at 5:38 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
> Alberto Viana wrote:
>
> Hi,
>
> I got it. Everything is working fine now, so it was something in the old
> branch (1.3.0.4)
>
> Glad to hear that. Thanks so much for the report. And please keep us
> updated...
> --noriko
>
>
> Alberto Viana
>
>
> On Mon, Jul 8, 2013 at 5:17 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>
>> Alberto Viana wrote:
>>
>> Hi man,
>>
>> Where can I find the 1.3.1 source to download? I tried
>> http://directory.fedoraproject.org/wiki/Source#Directory_Server_Source_Code,
>> but it's not available over there.
>>
>> You can get it here:
>> A source tarball is available for download at
>> http://port389.org/sources/389-ds-base-1.3.1.3.tar.bz2
>> Please see also:
>> http://directory.fedoraproject.org/wiki/Releases/1.3.1.3
>> Thanks,
>> --noriko
>>
>>
>> Alberto Viana
>>
>>
>> On Fri, Jul 5, 2013 at 3:24 PM, Alberto Viana <albertocrj at gmail.com> wrote:
>>
>>> No. It's a new server cert (it's the same name, but I preferred to revoke
>>> it and generate a new one).
>>>
>>> Yes, for sure. I will try to rebuild everything on this branch (and
>>> make new certs just to ensure there is nothing related with it), and if the
>>> error persists, I will try this other branch and let you know.
>>>
>>> Alberto Viana
>>>
>>>
>>> On Fri, Jul 5, 2013 at 3:15 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>
>>>> Alberto Viana wrote:
>>>>
>>>> Noriko,
>>>>
>>>> No, it's a new machine. I just rebuilt everything.
>>>>
>>>> When you switched to the new machine, did you reuse the old server cert
>>>> from the previous DS or renew it?
>>>>
>>>> Subject: "CN=hmg2.homolog.rnp,OU=GTI,O=Rede Nacional de Ensino
>>>> e Pesquisa,L=Rio de Janeiro,C=BR"
>>>>
>>>> And if you rebuild everything, do you have any chance to try the
>>>> branch 389-ds-base-1.3.1 instead of 1.3.0? (although there should be no
>>>> difference in the DS -> AD bind)
>>>> --noriko
>>>>
>>>>
>>>> I'm using Ubuntu 12.04.2 LTS.
>>>>
>>>> Alberto Viana
>>>>
>>>>
>>>> On Fri, Jul 5, 2013 at 2:50 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>>
>>>>> Alberto Viana wrote:
>>>>>
>>>>>> I already imported my certificates into 389 DS and Windows 2008. I
>>>>>> use Win2008 as CA. Just to remember that the same environment was
>>>>>> working fine with my previous 389 DS version.
>>>>>>
>>>>> You upgraded 389-ds-base from 1.2.10.12 to 1.3.0.4 using in-place
>>>>> upgrade? What is your platform?
>>>>> --noriko
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>
>>>>
>>>
>>>
>>
>
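
The top message asks what a "check hostname against name in certificate" setting compares. The sketch below is an added illustration of generic RFC 6125-style name matching, not code from 389 DS, NSS or the thread; the function names and the peer certificate contents are assumptions constructed for the example, with the two host spellings (`hmg1` and `hmg1.homolog.rnp`) taken from the log above.

```python
from typing import Dict, List, Optional

# Added illustration: generic RFC 6125-style matching, not NSS / 389 DS code.


def _name_match(pattern: str, host: str) -> bool:
    """Compare one name presented in a certificate with the host the client
    connected to. Case-insensitive; a trailing dot is ignored; a wildcard is
    honoured only as the entire left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches(host: str, subject_cn: Optional[str],
                     san_dns: List[str]) -> bool:
    """True if `host` is covered by the certificate. dNSName entries take
    precedence; the subject CN is used only when no dNSName is present."""
    if san_dns:
        return any(_name_match(name, host) for name in san_dns)
    return subject_cn is not None and _name_match(subject_cn, host)


def check_agreement_hosts(hosts: List[str], subject_cn: Optional[str],
                          san_dns: List[str]) -> Dict[str, bool]:
    """Map each candidate agreement host string to its match result."""
    return {h: hostname_matches(h, subject_cn, san_dns) for h in hosts}


# Constructed peer certificate contents (assumption; the thread does not
# show the AD server's certificate). CN-only in this constructed case.
CONSTRUCTED_CN = "hmg1.homolog.rnp"
CONSTRUCTED_SAN: List[str] = []

if __name__ == "__main__":
    candidates = ["hmg1", "hmg1.homolog.rnp", "HMG1.HOMOLOG.RNP.",
                  "hmg2.homolog.rnp"]
    results = check_agreement_hosts(candidates, CONSTRUCTED_CN, CONSTRUCTED_SAN)
    for host, ok in results.items():
        print(f"{host:22} {'match' if ok else 'MISMATCH'}")
```

With a check of this kind, the string configured as the agreement host has to be one of the names in the peer's certificate; a short name does not match a certificate issued for the fully qualified name.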