[389-users] Multi master replication problem (389 DS - AD)

Alberto Viana albertocrj at gmail.com
Wed Jul 10 18:16:38 UTC 2013


Hi Noriko,

DS Base:389-Directory/1.3.1.3 B2013.189.1813
389 DS + Win2008 (I use my windows as CA)


The error came out again, so I decided to investigate it.

The error:

[10/Jul/2013:10:52:23 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Trying secure slapi_ldap_init_ext
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp,  passwd = {DES}Zdi9SkO9E8Jpy/LJq528zg==
[10/Jul/2013:10:52:25 -0300] slapi_ldap_bind - Error: could not send bind
request for id [CN=Conta de sincronizacao do AD com LDAP
389,OU=APLICACOES,DC=homolog,DC=rnp] authentication mechanism [SIMPLE]:
error -1 (Can't contact LDAP server), system error -5987 (Invalid function
argument.), network error 115 (Operation now in progress, host
"hmg1.homolog.rnp")
[10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
(hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1 (Can't
contact LDAP server) ((unknown error code))


The error starts when I set the option "Check hostname against name in
certificate for outbound SSL connections" in Configuration -> Encryption tab.

If I uncheck this option, everything works fine again. As far as I know,
this option checks whether the CN of the certificate is the same as the host in
the connection. Am I right?

I don't think it is something with my certs, because I have the same
environment working fine with ds base
"389-Directory/1.2.10.12B2012.210.1745" with this option checked.

I also set nsslapd-errorlog-level to "16384", but it didn't give me
anything else.

What could it be? Is there anything else I can provide to help debug this?

Thanks
Alberto Viana





On Mon, Jul 8, 2013 at 5:38 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:

>  Alberto Viana wrote:
>
> Hi,
>
>  I got it. Everything is working fine now, so it was something in the old
> branch (1.3.0.4)
>
> Glad to hear that.  Thanks so much for the report.  And please keep us
> updated...
> --noriko
>
>
>  Alberto Viana
>
>
> On Mon, Jul 8, 2013 at 5:17 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>
>>  Alberto Viana wrote:
>>
>> Hi man,
>>
>>  Where can I find the 1.3.1 source to download? I tried
>> http://directory.fedoraproject.org/wiki/Source#Directory_Server_Source_Code,
>> but it's not available over there.
>>
>>  You can get it here:
>> A source tarball is available for download at
>> http://port389.org/sources/389-ds-base-1.3.1.3.tar.bz2
>> Please see also:
>> http://directory.fedoraproject.org/wiki/Releases/1.3.1.3
>> Thanks,
>> --noriko
>>
>>
>>  Alberto Viana
>>
>>
>> On Fri, Jul 5, 2013 at 3:24 PM, Alberto Viana <albertocrj at gmail.com> wrote:
>>
>>> No. It's a new server cert (it's the same name, but I preferred to revoke
>>> it and generate a new one).
>>>
>>>  Yes, for sure. I will try to rebuild everything on this branch (and
>>> make new certs just to ensure there is nothing related to it), and if the
>>> error persists, I will try this other branch and let you know.
>>>
>>>  Alberto Viana
>>>
>>>
>>> On Fri, Jul 5, 2013 at 3:15 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>
>>>>  Alberto Viana wrote:
>>>>
>>>> Noriko,
>>>>
>>>>  No, it's a new machine. I just rebuilt everything.
>>>>
>>>>  When you switched to the new machine, did you reuse the old server cert
>>>> from the previous DS or renew it?
>>>>
>>>>         Subject: "CN=hmg2.homolog.rnp,OU=GTI,O=Rede Nacional de Ensino
>>>> e Pesquisa,L=Rio de Janeiro,C=BR"
>>>>
>>>>  And if you rebuild everything, do you have any chance to try the
>>>> branch 389-ds-base-1.3.1 instead of 1.3.0? (although there should be no
>>>> difference in the DS -> AD bind)
>>>> --noriko
>>>>
>>>>
>>>>  I'm using Ubuntu 12.04.2 LTS.
>>>>
>>>>  Alberto Viana
>>>>
>>>>
>>>> On Fri, Jul 5, 2013 at 2:50 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>>
>>>>> Alberto Viana wrote:
>>>>>
>>>>>> I already imported my certificates into 389 ds and windows 2008. I
>>>>>> use win2008 as CA. Just to remember that the same environment was
>>>>>> working fine with my previous 389DS version.
>>>>>>
>>>>>  You upgraded 389-ds-base from 1.2.10.12 to 1.3.0.4 using an in-place
>>>>> upgrade?  What is your platform?
>>>>> --noriko
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>
>
>
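The "Check hostname against name in certificate" option that Alberto's top message describes compares the host the agreement connects to with the names in the certificate the peer presents. The following is an added illustration, not 389 DS code and not from anyone in this thread: a small Python checker that applies the usual matching rules (DNS SANs first, otherwise the subject CN, one-label wildcards, case-insensitive) to the dict shape Python's ssl.getpeercert() returns, so it can be pointed at a live peer or, as here, at a constructed sample certificate using the FQDN from the log; fetch_peer_cert, hostname_matches, cert_names and SAMPLE_CERT are names invented for this example.

```python
"""Hostname-vs-certificate check in the style of the 389 DS
"Check hostname against name in certificate" option (added example, not 389 DS
code). Works on the dict that ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl


def _label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match; a leading '*.' may cover exactly one
    label and never the whole name (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".homolog.rnp"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]         # the part the '*' would cover
    return bool(prefix) and "." not in prefix


def cert_names(cert: dict) -> list:
    """Names a verifier compares against: DNS SANs when present (the CN is
    then ignored), otherwise the subject commonName(s)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(hostname: str, cert: dict) -> bool:
    return any(_label_matches(n, hostname) for n in cert_names(cert))


def fetch_peer_cert(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Fetch the peer cert with chain validation but without the hostname
    check, so a mismatch can be reported instead of just failing the bind."""
    ctx = ssl.create_default_context()        # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False                # compared explicitly by caller
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a cert issued to the FQDN only (no SAN), like the
# subjects shown in the thread, checked against several spellings of the host.
SAMPLE_CERT = {"subject": ((("commonName", "hmg1.homolog.rnp"),),)}
if __name__ == "__main__":
    for name in ("hmg1.homolog.rnp", "hmg1", "HMG1.homolog.rnp"):
        print(name, "->", "match" if hostname_matches(name, SAMPLE_CERT) else "MISMATCH")
```

Against a real peer, `hostname_matches(host, fetch_peer_cert(host))` reports whether the name configured in the agreement would pass; the handshake still fails if the issuing CA is not trusted by the local context.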