[389-users] Multi master replication problem (389 DS - AD)
Rich Megginson
rmeggins at redhat.com
Wed Jul 10 18:32:42 UTC 2013
On 07/10/2013 12:16 PM, Alberto Viana wrote:
> Hi Noriko,
>
> DS Base: 389-Directory/1.3.1.3 B2013.189.1813
> 389 DS + Win2008 (I use my windows as CA)
>
>
> The error came out again, so I decide to investigate it.
>
> The error:
>
> [10/Jul/2013:10:52:23 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
> (hmg1:636): Trying secure slapi_ldap_init_ext
> [10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
> (hmg1:636): binddn = CN=Conta de sincronizacao do AD com LDAP
> 389,OU=APLICACOES,DC=homolog,DC=rnp, passwd =
> {DES}Zdi9SkO9E8Jpy/LJq528zg==
> [10/Jul/2013:10:52:25 -0300] slapi_ldap_bind - Error: could not send
> bind request for id [CN=Conta de sincronizacao do AD com LDAP
> 389,OU=APLICACOES,DC=homolog,DC=rnp] authentication mechanism
> [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987
> (Invalid function argument.), network error 115 (Operation now in
> progress, host "hmg1.homolog.rnp")
> [10/Jul/2013:10:52:25 -0300] NSMMReplicationPlugin - agmt="cn=AD-HMG1"
> (hmg1:636): Replication bind with SIMPLE auth failed: LDAP error -1
> (Can't contact LDAP server) ((unknown error code))
>
>
> The error starts when I set the option "Check hostname against name in
> certificate for outbound SSL connections" in Configuration ->
> Encryption tab.
>
> If I uncheck this option, everything works fine again. As far as I
> know, this option checks if the CN of the certificate is the same as the
> host in the connection. Am I right?
Right.
>
> I don't think that it is something with my certs, because I have the
> same environment working fine with ds base "389-Directory/1.2.10.12
> B2012.210.1745" with this option checked.
Either it's something with your certs, or something with your hostname
lookups (/etc/hosts, DNS, NIS, etc.)
>
> I also set nsslapd-errorlog-level to "16384", but it didn't give me
> anything else.
>
> What could it be? Is there anything else that I can provide to help debug?
>
> Thanks
> Alberto Viana
>
>
>
>
>
> On Mon, Jul 8, 2013 at 5:38 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>
> Alberto Viana wrote:
>> Hi,
>>
>> I got it. Everything is working fine now, so it was something in
>> the old branch (1.3.0.4)
> Glad to hear that. Thanks so much for the report. And please
> keep us updated...
> --noriko
>
>>
>> Alberto Viana
>>
>>
>> On Mon, Jul 8, 2013 at 5:17 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>
>> Alberto Viana wrote:
>>> Hi man,
>>>
>>> Where can I find the 1.3.1 source to download? I tried
>>> http://directory.fedoraproject.org/wiki/Source#Directory_Server_Source_Code,
>>> but it's not available over there.
>> You can get it here:
>> A source tarball is available for download at
>> http://port389.org/sources/389-ds-base-1.3.1.3.tar.bz2
>> Please see also:
>> http://directory.fedoraproject.org/wiki/Releases/1.3.1.3
>> Thanks,
>> --noriko
>>
>>>
>>> Alberto Viana
>>>
>>>
>>> On Fri, Jul 5, 2013 at 3:24 PM, Alberto Viana <albertocrj at gmail.com> wrote:
>>>
>>> No. It's a new server cert (it's the same name, but I
>>> preferred to revoke it and generate a new one).
>>>
>>> Yes, for sure. I will try to rebuild everything on this
>>> branch (and make new certs just to ensure there is
>>> nothing related to it), and if the error persists, I
>>> will try this other branch and let you know.
>>>
>>> Alberto Viana
>>>
>>>
>>> On Fri, Jul 5, 2013 at 3:15 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>
>>> Alberto Viana wrote:
>>>> Noriko,
>>>>
>>>> No, it's a new machine. I just rebuilt everything.
>>> When you switched to the new machine, did you reuse the
>>> old server cert from the previous DS or renew it?
>>>
>>> Subject: "CN=hmg2.homolog.rnp,OU=GTI,O=Rede
>>> Nacional de Ensino e Pesquisa,L=Rio de Janeiro,C=BR"
>>>
>>> And if you rebuild everything, do you have any
>>> chance to try the branch 389-ds-base-1.3.1 instead
>>> of 1.3.0? (although there should be no difference in
>>> the DS -> AD bind)
>>> --noriko
>>>
>>>>
>>>> I'm using Ubuntu 12.04.2 LTS.
>>>>
>>>> Alberto Viana
>>>>
>>>>
>>>> On Fri, Jul 5, 2013 at 2:50 PM, Noriko Hosoi <nhosoi at redhat.com> wrote:
>>>>
>>>> Alberto Viana wrote:
>>>>
>>>> I already imported my certificates into 389
>>>> DS and Windows 2008. I use Win2008 as CA.
>>>> Just to remember that the same environment was
>>>> working fine with my previous 389DS version.
>>>>
>>>> Did you upgrade 389-ds-base from 1.2.10.12 to
>>>> 1.3.0.4 using an in-place upgrade? What is your
>>>> platform?
>>>> --noriko
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> <mailto:389-users at lists.fedoraproject.org>
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
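The option under discussion, "Check hostname against name in certificate for outbound SSL connections", fails the replication bind whenever the name the DS connects to (the agreement host, after whatever the resolver makes of it) does not match a name in the AD server's certificate. Rich's two suspects, the certificate and the hostname lookup, can be told apart by taking the peer certificate and matching it against each form of the host yourself. The script below is an added example for this thread, not 389-ds-base code and not the exact matching logic the DS (via NSS) applies: it follows the usual RFC 6125 rules (dNSName SANs when present, otherwise the subject CN, wildcard only as the whole leftmost label). The certificate dicts are constructed in the layout Python's `ssl` `getpeercert()` returns; the hostnames and the `fetch_peer_cert` helper's arguments (`cafile`, port 636) are assumptions for illustration.

```python
"""Hostname-vs-certificate matching for an outbound LDAPS connection.

Added example for this thread; it is not 389-ds-base code.  It models the
rule behind the DS option "Check hostname against name in certificate for
outbound SSL connections": the host the server connects to must match a
dNSName subjectAltName of the peer certificate or, only when the
certificate carries no dNSName SAN, its subject CN (RFC 6125 rules, with a
wildcard limited to the leftmost label).  The certificate dicts below are
constructed in the shape ssl.SSLSocket.getpeercert() returns; their
contents are illustrative and not taken from the poster's deployment.
"""
import socket
import ssl


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A wildcard is honoured only as the entire leftmost label and never
    spans a dot, so '*.homolog.rnp' matches 'hmg1.homolog.rnp' but not
    'homolog.rnp' or 'a.b.homolog.rnp'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Require at least two fixed labels under the wildcard (no '*.rnp').
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (names, source): the dNSName SANs when present, otherwise the
    subject commonName values.  Once a dNSName SAN exists the CN is ignored,
    which is why a cert with the right CN but a SAN for another name fails."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [value for rdn in cert.get("subject", ())
           for kind, value in rdn if kind == "commonName"]
    return cns, "commonName"


def check_hostname(cert, hostname):
    """Return (ok, reason) for hostname against the certificate."""
    names, source = cert_names(cert)
    for name in names:
        if _name_matches(name, hostname):
            return True, "%s %r matches %r" % (source, name, hostname)
    return False, "no %s in %r matches %r" % (source, names, hostname)


def first_matching_candidate(cert, candidates):
    """The name an agreement presents may be the short host as typed or the
    canonical FQDN the resolver returns; return the first candidate the
    certificate accepts, or None.  A match on the FQDN but not on the short
    name points at the name lookup rather than at the certificate."""
    for name in candidates:
        if check_hostname(cert, name)[0]:
            return name
    return None


def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Live helper (not exercised offline): pull the peer certificate so the
    functions above can explain a mismatch.  The chain is still verified
    against cafile or the system store; only Python's own hostname check is
    switched off so a wrong name does not abort before we can inspect it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, in getpeercert() layout (assumed contents).
SAN_CERT = {
    "subject": ((("commonName", "hmg1.homolog.rnp"),), (("organizationalUnitName", "GTI"),)),
    "subjectAltName": (("DNS", "hmg1.homolog.rnp"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "hmg1.homolog.rnp"),),)}
STALE_SAN_CERT = {  # correct CN, but the SAN names a different host
    "subject": ((("commonName", "hmg1.homolog.rnp"),),),
    "subjectAltName": (("DNS", "old-dc.homolog.rnp"),),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.homolog.rnp"),)}

if __name__ == "__main__":
    for label, cert in [("SAN", SAN_CERT), ("CN only", CN_ONLY_CERT),
                        ("stale SAN", STALE_SAN_CERT), ("wildcard", WILDCARD_CERT)]:
        for host in ("hmg1", "hmg1.homolog.rnp"):
            print(label, host, check_hostname(cert, host))
```

To use it against a real agreement, call `fetch_peer_cert("hmg1.homolog.rnp", cafile="/path/to/ad-ca.pem")` with the CA that issued the AD certificate and pass the result to `first_matching_candidate` together with the host exactly as the agreement lists it and the FQDN your resolver returns for it; the `reason` string from `check_hostname` says which name the certificate actually carries and whether the CN was even consulted.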