I don't see anything off in your replication config. But I noticed in the
ldapsearch that works you are using a CA certificate that is not in the
server's default certificate location. I suspect you need to import
your CA certificate into all your DS servers' NSS dbs.
HTH,
Mark
On 1/8/26 12:28 PM, Van Remoortere, Arnaud wrote:
Sure, I've removed hostnames etc, I hope that doesn't make it more
difficult for you, I've checked the hostnames and they are definitely
correct, the same one used from primary to secondary ldapsearch
command. Let me know if you want me to do a better job at changing
hostnames/dn and I'll send you better output.
dn: cn=replica,cn=dcxxxcn=mapping tree,cn=config
objectClass: top
objectClass: nsds5Replica
cn: replica
nsDS5ReplicaRoot: dc=xxx
nsDS5Flags: 1
nsDS5ReplicaType: 3
nsDS5ReplicaId: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsState:: AQAAAAAAAAD12F9pAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 50acb882-eaf111f0-93db926e-a19d18f8
nsds5ReplicaChangeCount: 58
nsds5replicareapactive: 0
dn: cn=replication,cn=replica,cn=xxxDcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: replication
nsDS5ReplicaRoot: dc=xxx
description: replication
nsDS5ReplicaHost: secondary.xxx
nsDS5ReplicaPort: 636
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaTransportInfo: LDAPS
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaCredentials: xxx
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_text": "Can't contact LDAP server", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2026-01-08T17:12:39Z", "message": "Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)"}
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20260106114602Z
nsds5replicaLastInitEnd: 19700101000000Z
nsds5replicaLastInitStatus: Error (-1) - LDAP error: Can't contact LDAP server - no response received
nsds5replicaLastInitStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_text": "Can't contact LDAP server", "repl_rc": "255", "repl_rc_text": "no response received", "conn_rc": "0", "conn_rc_text": "operation success", "date": "2026-01-06T11:46:18Z", "message": "Error (-1) - LDAP error: Can't contact LDAP server - no response received"}
------------------------------------------------------------------------
*From:* Mark Reynolds <[email protected]>
*Sent:* Thursday, January 8, 2026 1:29 PM
*To:* General discussion list for the 389 Directory server project.
<[email protected]>; William Brown <[email protected]>
*Cc:* Van Remoortere, Arnaud <[email protected]>
*Subject:* Re: [389-users] Re: replication via ldaps
On 1/8/26 6:18 AM, Van Remoortere, Arnaud via 389-users wrote:
Sure, doesn't seem to have much in it, also including a screenshot of
the GUI showing the replication configured and enabled on the same
server (primary):
# replication, config
dn: cn=replication,cn=config
objectClass: top
objectClass: nsContainer
cn: replication
# replication manager, config
dn: cn=replication manager,cn=config
objectClass: top
objectClass: inetUser
objectClass: netscapeServer
objectClass: nsAccount
cn: replication manager
uid: replication manager
userPassword:: xxx
William wanted to see the replica config entry and the replica
agreement from cn=config. Here is an example:
cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5Replica
...
and most importantly the agreement:
dn: cn=YOUR_AGREEMENT_NAME,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
...
Regards,
Mark
------------------------------------------------------------------------
*From:* William Brown <[email protected]>
*Sent:* Wednesday, January 7, 2026 11:15 PM
*To:* [email protected]
*Cc:* Van Remoortere, Arnaud <[email protected]>
*Subject:* Re: [389-users] replication via ldaps
On 7 Jan 2026, at 20:13, Van Remoortere, Arnaud via 389-users
<[email protected]> wrote:
Yes it succeeds, commands below (I've changed the real hostname and
basedn in this output):
On 6 Jan 2026, at 22:06, Van Remoortere, Arnaud via 389-users
<[email protected]> wrote:
Hi, I'm following the instructions to set up replication in CHAPTER
2. CONFIGURING SINGLE-SUPPLIER REPLICATION USING THE WEB CONSOLE
<https://docs.redhat.com/en-us/documentation/red_hat_directory_server/12/pdf/configuring_and_managing_replication/Red_Hat_Directory_Server-12-Configuring_and_managing_replication-en-US.pdf>
I get an "Error (-1) - LDAP error: Can't contact LDAP server - no
response received" in the GUI
The logs on supplier say this:
[06/Jan/2026:11:47:51.180037306 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [cn=replication manager,cn=config] authentication mechanism [SIMPLE]: error -1 (Can't contact LDAP server), system error -5987 (Invalid function argument.), network error 0 (Unknown error, host "second.xxx.com:636")
Can you show us the replication configuration from cn=config in that
case? My guess is the URL is wrong in the config.
--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
--
Identity Management Development Team
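Added example, not part of the thread and not 389 Directory Server code: a small Python triage helper that unfolds ldapsearch-style LDIF (the agreement output above arrived with its status JSON split across lines), parses `nsds5replicaLastUpdateStatusJSON`, and flags agreements that fail with LDAP result -1 over a TLS transport, the case where the CA trust check suggested at the top of the thread applies. The sample input, the `example.com` names, the function names and the `check_ca_trust` heuristic are assumptions made for illustration.

```python
import json

# Constructed sample modeled on the agreement posted in the thread, folded the
# way ldapsearch folds long values (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: cn=replication,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaHost: secondary.example.com
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: LDAPS
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-1", "ldap_rc_t
 ext": "Can't contact LDAP server", "repl_rc": "16", "repl_rc_text": "connecti
 on error", "date": "2026-01-08T17:12:39Z", "message": "Error (-1) Problem con
 necting to replica - LDAP error: Can't contact LDAP server (connection error)
 "}
"""

def parse_entries(ldif):
    """Unfold continuation lines, then split into {attr: [values]} entries."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folding: drop one space
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.lower(), []).append(value.lstrip(":").strip())
    return entries

def diagnose(entry):
    """Summarise one agreement; flag TLS connection failures for a CA trust check."""
    status = json.loads(entry["nsds5replicalastupdatestatusjson"][0])
    over_tls = entry.get("nsds5replicatransportinfo", ["LDAP"])[0].upper() != "LDAP"
    return {
        "target": f'{entry["nsds5replicahost"][0]}:{entry["nsds5replicaport"][0]}',
        "state": status["state"],
        "ldap_rc": int(status["ldap_rc"]),
        "repl_rc_text": status["repl_rc_text"],
        # Heuristic (assumption): -1 over TLS means the session never reached bind,
        # so certificate trust on the supplier is the first thing to verify.
        "check_ca_trust": over_tls and int(status["ldap_rc"]) == -1,
    }
```

Feed it the unmodified output of an ldapsearch against `cn=mapping tree,cn=config`; a `True` in `check_ca_trust` is a prompt to compare the consumer's issuing CA against the CAs trusted in the supplier's NSS database, not a confirmed diagnosis.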