On 3/26/19 11:19 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 3/21/19 9:41 PM, Günther J. Niederwimmer via FreeIPA-users wrote:

Hello,

On Thursday, 21 March 2019, 17:39:41 CET, François Cami via FreeIPA-users wrote:

Hi,

Can you explain more precisely what you meant by "I change the domain Name" in the original email?

I mean only, I have changed my Domain to example.com in the Email, also my domain is xxxxx.xxx and in the mail I wrote example.com.

Regards,
François Cami

On Thu, Mar 21, 2019 at 12:42 PM Günther J. Niederwimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello,

Why do I have Error 32? Please answer,

On Saturday, 16 March 2019, 14:37:48 CET, Günther J. Niederwimmer via FreeIPA-users wrote:

Hello,

I found thousands of Errors in my "dirsrv Log", I mean after update to the last CentOS 7.6, or after I have to reinstall my secondary IPA Server?

What is the way to correct this mistake Problem?

I have a second pair of IPA Servers without this Problem and I can't say why this is now a Problem!

The Errors are on the "oldest" Server, this Server is upgraded continuously from CentOS 7 to 7.6.

Can anyone help or say why I now have this Problem?
The Log on the master/replica Server ipa.example.com I change the domain Name

[16/Mar/2019:13:59:39.333399526 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:04:39.497505189 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:09:39.673523056 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:14:39.457745480 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:19:39.435129140 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:24:39.460920984 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)
[16/Mar/2019:14:29:39.687580220 +0100] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)

Hi,

Can you provide the output of

$ ldapsearch -D "cn=directory manager" -W -b cn=config "(objectclass=nsds5replica)"
$ ldapsearch -D cn=directory\ manager -W -b cn=config "(objectclass=nsds5replicationagreement)"

flo

Thanks for an answer,

--
Kind regards / best regards,
Günther J. Niederwimmer
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Hi,

from the output sent privately, we can see that the replication for the o=ipaca suffix is configured to use Simple authentication with a bind DN=cn=Replication Manager cloneAgreement1-ipa1.xxx,ou=csusers,cn=config (and this entry does not exist). This is the origin of your issue.
If I recall correctly, the installation of a CA replica is done in multiple phases. It starts with setting replication with simple bind, and then later on switches to replication authentication with SASL/GSSAPI. It looks like this step failed on your replica.
I would try to modify the replication agreement so that it uses SASL/GSSAPI:

ldapmodify -D cn=directory\ manager -W
dn: cn=masterAgreement1-ipa1.xxx.xxx,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicaBindMethod
nsDS5ReplicaBindMethod: SASL/GSSAPI

then restart dirsrv and check if it fixed your issue. With GSSAPI the replication will use the credentials stored in /etc/dirsrv/ds.keytab to authenticate to the remote master, so you need to make sure that the keytab is available and contains correct keys.
HTH,
flo
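An added example, not part of the original thread and not FreeIPA code: it cross-checks saved output of the replication-agreement ldapsearch above against the dirsrv errors log and reports agreements still on SIMPLE bind whose bind DN the server rejects with error 32. The sample log and LDIF are constructed (example.com as in the thread), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples: log format as quoted in the thread; LDIF folded with a leading space.
DN = "cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-tomcat,ou=csusers,cn=config"
SAMPLE_LOG = "\n".join(
    f"[16/Mar/2019:{t} +0100] - ERR - slapi_ldap_bind - Error: could not bind id [{DN}] "
    "authentication mechanism [SIMPLE]: error 32 (No such object)"
    for t in ("13:59:39.333399526", "14:04:39.497505189", "14:09:39.673523056"))
SAMPLE_LDIF = r"""dn: cn=masterAgreement1-ipa1.example.com-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=ma
 pping tree,cn=config
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-ipa1.example.com-pki-to
 mcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: SIMPLE

dn: cn=meToipa1.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaBindMethod: SASL/GSSAPI
"""

BIND_ERR = re.compile(r"could not bind id \[(?P<dn>[^\]]*)\] authentication mechanism "
                      r"\[(?P<mech>[^\]]*)\]: error (?P<code>-?\d+)")

def failed_binds(log_text):
    """Count bind failures per (lower-cased bind DN, mechanism, LDAP result code)."""
    hits = Counter()
    for m in BIND_ERR.finditer(log_text):
        hits[(m["dn"].lower(), m["mech"], int(m["code"]))] += 1
    return hits

def parse_agreements(ldif_text):
    """Parse LDIF entries into dicts, first unfolding lines continued with a space."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif_text.replace("\n ", "").strip()):
        pairs = (l.partition(": ") for l in block.splitlines() if not l.startswith("#"))
        entry = {k.lower(): v for k, sep, v in pairs if sep}
        if "dn" in entry:
            entries.append(entry)
    return entries

def broken_simple_agreements(log_text, ldif_text):
    """Agreements on SIMPLE bind whose bind DN fails with error 32 (No such object)."""
    missing = {dn: n for (dn, mech, code), n in failed_binds(log_text).items()
               if mech == "SIMPLE" and code == 32}
    return [(e["dn"], e.get("nsds5replicaroot"), missing[e["nsds5replicabinddn"].lower()])
            for e in parse_agreements(ldif_text)
            if e.get("nsds5replicabindmethod", "").upper() == "SIMPLE"
            and e.get("nsds5replicabinddn", "").lower() in missing]
```

Each returned tuple is (agreement DN, replicated suffix, number of failed binds); the agreement DN is the entry whose nsDS5ReplicaBindMethod the ldapmodify above would change.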