Yes it succeeds, commands below (I've changed the real hostname and basedn in this output):
[me@primary ~]$ export LDAPTLS_CACERT=/etc/openldap/certs/secondary_ca.crt
[me@primary ~]$ ldapsearch -x -b dc=com -H ldaps://secondary.xxx.com -D "cn=replication manager,cn=config" -W
Enter LDAP Password:
control: 2.16.840.1.113730.3.4.4 false MA==
# PasswordExpired control
# extended LDIF
#
# LDAPv3
# base <dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
# PasswordExpired control

# numResponses: 1

________________________________
From: William Brown <[email protected]>
Sent: Tuesday, January 6, 2026 11:55 PM
To: [email protected] <[email protected]>
Cc: Van Remoortere, Arnaud <[email protected]>
Subject: Re: [389-users] replication via ldaps

On 6 Jan 2026, at 22:06, Van Remoortere, Arnaud via 389-users <[email protected]> wrote:

> Hi,
>
> I'm following the instructions to setup replication in CHAPTER 2. CONFIGURING SINGLE-SUPPLIER REPLICATION USING THE WEB CONSOLE <https://docs.redhat.com/en-us/documentation/red_hat_directory_server/12/pdf/configuring_and_managing_replication/Red_Hat_Directory_Server-12-Configuring_and_managing_replication-en-US.pdf>
>
> I get a "Error (-1) - LDAP error: Can't contact LDAP server - no response received " in the GUI
>
> The logs on supplier say this:
>
> [06/Jan/2026:11:47:51.180037306 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "second.xxx.com:636")
>
> LDAPS definitely is enabled and working on the secondary though, I've used ldapsearch to confirm it:
>
> ldapsearch -x -b ou=users,dc=com -H ldaps://second.xxx.com -D "cn=ldap_ro,dc=com" -W

If you run this command from the primary does it connect correctly? Can you do the same bind with the replication manager?

> The logs on the consumer don't show anything strange

There's no failed bind so it's not getting that far.

> Suspecting that it might have something to do with the self signed ssl I've added the primary CA cert to the secondary and vice versa, Trusted Certificate Authorities but no joy.
>
> Any help appreciated
>
> Arnaud

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
--
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
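
Added example, not part of the thread and not 389-ds code: a small Python reader for ldapsearch output like the session quoted above, which separates "the server answered over LDAPS" from the LDAP result code and decodes any response controls. The sample text is constructed from the output in this message, and the function names `parse_ldapsearch` and `diagnose` are hypothetical.

```python
import base64
import re

# Well-known values: RFC 4511 result codes and the Netscape password controls.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}
CONTROL_NAMES = {
    "2.16.840.1.113730.3.4.4": "PasswordExpired",
    "2.16.840.1.113730.3.4.5": "PasswordExpiring",
}

# Constructed sample, based on the ldapsearch output quoted in this thread.
SAMPLE = """\
control: 2.16.840.1.113730.3.4.4 false MA==
# PasswordExpired control
# search result
search: 2
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
# numResponses: 1
"""

def parse_ldapsearch(text):
    """Return the result code, its name, and the decoded response controls."""
    summary = {"code": None, "name": None, "controls": []}
    for line in text.splitlines():
        m = re.match(r"result:\s+(\d+)", line)
        if m:
            summary["code"] = int(m.group(1))
            summary["name"] = RESULT_NAMES.get(summary["code"], "other")
        m = re.match(r"control:\s+(\S+)\s+(true|false)(?:\s+(\S+))?", line)
        if m:
            oid, _critical, b64 = m.groups()
            value = base64.b64decode(b64).decode("ascii", "replace") if b64 else ""
            entry = (CONTROL_NAMES.get(oid, oid), value)
            if entry not in summary["controls"]:  # de-duplicate repeated controls
                summary["controls"].append(entry)
    return summary

def diagnose(summary):
    """A result line means the server answered, so TLS and the network path worked."""
    if summary["code"] is None:
        return "no LDAP result: connection or TLS problem"
    if summary["code"] == 0:
        return "bind and search accepted"
    names = [name for name, _ in summary["controls"]]
    hint = " (password expired control present)" if "PasswordExpired" in names else ""
    return f"server reachable over TLS, operation refused: {summary['name']}{hint}"

print(diagnose(parse_ldapsearch(SAMPLE)))
```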
