[389-users] Multi master replication problem (389 DS - AD)

Rich Megginson rmeggins at redhat.com
Wed Jul 10 18:32:42 UTC 2013


On 07/10/2013 12:16 PM, Alberto Viana wrote:
> Hi Noriko,
>
> DS Base: 389-Directory/1.3.1.3 B2013.189.1813
> 389 DS + Win2008 (I use my windows as CA)
>
>
> The error came out again, so I decide to investigate it.
>
> The error:
>
> [10/Jul/2013:10:52:23 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1" 
> (hmg1:636): Trying secure slapi_ldap_init_ext
> [10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1" 
> (hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP 
> 389,OU=APLICACOES,DC=homolog,DC=rnp,  passwd = 
> {DES}Zdi9SkO9E8Jpy/LJq528zg==
> [10/Jul/2013:10:52:25 -0300] slapi_ldap_bind - Error: could not send 
> bind request for id [CN=Conta de sincronizacao do AD com LDAP 
> 389,OU=APLICACOES,DC=homolog,DC=rnp] authentication mechanism 
> [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 
> (Invalid function argument.), network error 115 (Operation now in 
> progress, host "hmg1.homolog.rnp")
> [10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1" 
> (hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1 
> (Can't contact LDAP server) ((unknown error code))
>
>
> The error starts when I set the option "Check hostname against name in 
> certificate for outbound SSL connections" in Configuration -> 
> Encryption tab.
>
> If I uncheck this option, everything works fine again. As far as I 
> know, this option checks whether the CN of the certificate is the same as 
> the host in the connection. Am I right?

Right.

>
> I don't think it is something with my certs, because I have the 
> same environment working fine with ds base "389-Directory/1.2.10.12 
> B2012.210.1745" with this option checked.

Either it's something with your certs, or something with your hostname 
lookups (/etc/hosts, DNS, NIS, etc.).
>
> I also set nsslapd-errorlog-level to "16384", but it didn't give me 
> anything else.
>
> What could it be? Is there anything else that I can provide to help debug?
>
> Thanks
> Alberto Viana
>
> On Mon, Jul 8, 2013 at 5:38 PM, Noriko Hosoi <nhosoi at redhat.com 
> <mailto:nhosoi at redhat.com>> wrote:
>
>     Alberto Viana wrote:
>>     Hi,
>>
>>     I got it. Everything is working fine now, so it was something in
>>     the old branch (1.3.0.4)
>     Glad to hear that.  Thanks so much for the report.  And please
>     keep us updated...
>     --noriko
>
>>
>>     Alberto Viana
>>
>>
>>     On Mon, Jul 8, 2013 at 5:17 PM, Noriko Hosoi <nhosoi at redhat.com
>>     <mailto:nhosoi at redhat.com>> wrote:
>>
>>         Alberto Viana wrote:
>>>         Hi man,
>>>
>>>         Where I can find the 1.3.1 source to download? I tried
>>>         http://directory.fedoraproject.org/wiki/Source#Directory_Server_Source_Code,
>>>         but it´s not available over there.
>>         You can get it here:
>>         A source tarball is available for download at
>>         http://port389.org/sources/389-ds-base-1.3.1.3.tar.bz2
>>         Please see also:
>>         http://directory.fedoraproject.org/wiki/Releases/1.3.1.3
>>         Thanks,
>>         --noriko
>>
>>>
>>>         Alberto Viana
>>>
>>>
>>>         On Fri, Jul 5, 2013 at 3:24 PM, Alberto Viana
>>>         <albertocrj at gmail.com <mailto:albertocrj at gmail.com>> wrote:
>>>
>>>             No. It's a new server cert (it's the same name, but I
>>>             preferred to revoke it and generate a new one).
>>>
>>>             Yes, for sure. I will try to rebuild everything on this
>>>             branch (and make new certs just to ensure there is
>>>             nothing related with it), and if the error persists, I
>>>             will try this other branch and let you know.
>>>
>>>             Alberto Viana
>>>
>>>
>>>             On Fri, Jul 5, 2013 at 3:15 PM, Noriko Hosoi
>>>             <nhosoi at redhat.com <mailto:nhosoi at redhat.com>> wrote:
>>>
>>>                 Alberto Viana wrote:
>>>>                 Noriko,
>>>>
>>>>                 No, it's a new machine. I just rebuilt everything.
>>>                 When you switched to the new machine, did you reuse the
>>>                 old server cert from the previous DS or renew it?
>>>
>>>                         Subject: "CN=hmg2.homolog.rnp,OU=GTI,O=Rede
>>>                 Nacional de Ensino e Pesquisa,L=Rio de Janeiro,C=BR"
>>>
>>>                 And if you rebuild everything, do you have any
>>>                 chance to try the branch 389-ds-base-1.3.1 instead
>>>                 of 1.3.0? (although there should be no difference in
>>>                 the DS -> AD bind)
>>>                 --noriko
>>>
>>>>
>>>>                 I'm using Ubuntu 12.04.2 LTS.
>>>>
>>>>                 Alberto Viana
>>>>
>>>>
>>>>                 On Fri, Jul 5, 2013 at 2:50 PM, Noriko Hosoi
>>>>                 <nhosoi at redhat.com <mailto:nhosoi at redhat.com>> wrote:
>>>>
>>>>                     Alberto Viana wrote:
>>>>
>>>>                         I already imported my certificates into 389
>>>>                         ds and windows 2008. I use win2008 as CA.
>>>>                         Just to remember that the same environment was
>>>>                         working fine with my previous 389DS version.
>>>>
>>>>                     You upgraded 389-ds-base from 1.2.10.12 to
>>>>                     1.3.0.4 using in-place upgrade?  What is your
>>>>                     platform?
>>>>                     --noriko
>>>>
>>>>                     --
>>>>                     389 users mailing list
>>>>                     389-users at lists.fedoraproject.org
>>>>                     <mailto:389-users at lists.fedoraproject.org>
>>>>                     https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>
>>>
>>
>>
>
>
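A diagnostic for the hostname-versus-certificate check discussed in this thread, added here as an example and not code from 389 DS or from anyone in the thread: it implements the name comparison the option performs (SAN dNSName entries first, subject CN as fallback, one-label wildcard) and a helper that fetches the AD host's certificate to show which names it carries and what the hostname resolves to. The certificate dicts are constructed samples, and the CA file path passed to diagnose() is an assumption.

```python
"""Diagnostic for the 'check hostname against name in certificate' option:
fetch an LDAPS peer's cert (e.g. the AD host of a replication agreement) and
report which of its names, if any, match the hostname used.  Added example,
not 389 DS code; matching follows RFC 6125 (SAN dNSName first, CN fallback)."""
import socket
import ssl

def cert_names(cert):
    """Names a verifier may compare against the host, in the order tried.
    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' only as the whole leftmost label (>= 3 labels)."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]

def check_hostname(cert, hostname):
    """Return (matched, names_in_cert) so a failing check can be explained."""
    names = cert_names(cert)
    return any(name_matches(n, hostname) for n in names), names

def diagnose(hostname, ca_file, port=636):
    """Network helper (not run offline): verify the chain against ca_file but do
    the hostname comparison here, so the cert's names and the addresses the
    hostname resolves to are printed instead of a bare bind failure."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # non-empty only because the chain verified
    ok, names = check_hostname(cert, hostname)
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port)})
    print(f"{hostname}:{port} -> {addrs}; cert names {names}; "
          f"hostname check {'passes' if ok else 'FAILS'}")
    return ok

# Constructed sample certs (not from the thread) for an offline check.
SAMPLE_AD_CERT = {"subject": ((("commonName", "hmg1.homolog.rnp"),),),
                  "subjectAltName": (("DNS", "hmg1.homolog.rnp"), ("DNS", "*.homolog.rnp"))}
SAMPLE_SHORT_CN_CERT = {"subject": ((("commonName", "hmg1"),),)}  # short name, no SAN
```

A certificate whose only name is a short host name (as in SAMPLE_SHORT_CN_CERT) fails the check when the agreement connects with the fully qualified name, which is the kind of mismatch the reply above points at.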
