Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

On 05/16/2015 04:06 PM, Nathan Peters wrote:
> I have updated the bug report you filed below. The issue was that the
> instructions would only work in Windows Server 2003 because My Network
> Places was removed in 2008 and above. Since the manual clearly states
> that the AD sync is to be performed with server 2008 / 2012 only, it
> made no sense to give instructions for an incompatible version of
> Windows. I have added to the ticket 2 methods to get the *correct*
> certificate that will work in both server 2008 r2 and server 2012 r2.

I am cc'd on the bug and have seen all of the information you added.

Thanks!

>> On 05/15/2015 03:09 PM, nat...@nathanpeters.com wrote:
>>>>>> On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
>>>>>>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>>>>>>> Directory Manager password:
>>>>>>> Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
>>>>>>> ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
>>>>>>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>>>>>>> Windows PassSync system account exists, not resetting password
>>>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
>>>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>>>> Starting replication, please wait until this has completed.
>>>>>>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>>>>>>
>>>>>> Have you tried using ldapsearch to verify the connection?
>>>>>>
>>>>>> # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"
>>>>>>
>>>>>> and/or
>>>>>>
>>>>>> # LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"
>>>>>
>>>>> Both commands give the same successful result. I don't think it's a
>>>>> problem with the credentials because I was able to generate different
>>>>> error messages during the attempted sync setup if I intentionally
>>>>> gave a bad password or username.
>>>>
>>>> Ok. Have you tried enabling the replication log level?
>>>>
>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>>>
>>> Ok, that helped a lot. I got this fixed now.
>>>
>>> Because the manual tells you to export the cert using a way that
>>> doesn't work on newer versions of Windows, I tried to improvise and my
>>> first attempt exported the wrong cert. The correct way is to go to
>>> mmc.exe and add the certificates snap-in. Then go to the personal
>>> certificates store for the machine account and export the one that has
>>> -CA at the end of it in the "issued to" column.
>>>
>>> Now that the correct certificate was exported, replication succeeded.
>>> The docs should be updated though to reflect the proper way to export.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1222161
>>
>> Please add yourself to the bug and provide any additional information.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

On 05/15/2015 03:09 PM, nat...@nathanpeters.com wrote:
>> Ok. Have you tried enabling the replication log level?
>>
>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> Ok, that helped a lot. I got this fixed now.
>
> Because the manual tells you to export the cert using a way that doesn't
> work on newer versions of Windows, I tried to improvise and my first
> attempt exported the wrong cert. The correct way is to go to mmc.exe and
> add the certificates snap-in. Then go to the personal certificates store
> for the machine account and export the one that has -CA at the end of it
> in the "issued to" column.
>
> Now that the correct certificate was exported, replication succeeded.
> The docs should be updated though to reflect the proper way to export.

I will file a doc bug. What version of Windows are you using that does
not have the correct instructions?
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

On 05/15/2015 02:44 PM, nat...@nathanpeters.com wrote:
>> Ok. Have you tried enabling the replication log level?
>>
>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> After doing that and poking around in
> /var/log/dirsrv/slapd-IPADOMAIN-NET/errors I found this:
>
> [15/May/2015:20:27:17 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [15/May/2015:20:27:17 +] NSMMReplicationPlugin - windows sync - agmt="cn=meToaddc2.test.mycompany.net" (addc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
>
> So it's complaining that it doesn't recognize the certificate that was
> signed by my AD certificate authority as suggested in here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req
>
> I copied the certificate

Which certificate? The CA cert or the server cert? You need the CA cert,
not the server cert.

> to my server though and created the hashes just like the manual said.

created the hashes? There is nothing in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req
about creating any hashes.

> The only issue I had was the directions here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/managing-sync-agmt.html
> tell you to go to My Network Places but that didn't exist on my server.
> I did it through start menu - administrative tools - certification
> authority. The rest of double clicking on the cert and going to the
> details tab and copy to file was the same though.

Was it the CA cert or the server cert? You need the CA cert, not the
server cert.

> So how do I get FreeIPA to not choke up on the self signed cert?
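A stand-alone check for the failure traced in this message, added here as an example rather than taken from the thread or from FreeIPA: it negotiates the StartTLS extended operation on port 389 the way the replication bind does, then verifies the AD domain controller's certificate against the file you would pass to --cacert, so a server certificate exported in place of the CA certificate shows up as an untrusted issuer (OpenSSL's counterpart of the NSS -8179 in the errors log) before any sync agreement is created. Host, port and file path are assumed command-line arguments; the file may be PEM or DER.

```python
"""StartTLS + trust probe for an AD domain controller, standard library only.

Assumptions (not from the thread): host and CA file come from argv; the CA
file is whatever was exported from the Windows CA, in PEM or DER form.
"""
import socket
import ssl
import sys

# OID of the StartTLS extended operation (RFC 4511, section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_int(n):
    """Minimal two's-complement INTEGER content octets for n >= 0."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _tlv(tag, value):
    """BER tag-length-value using the short or long definite length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, _ber_int(msgid)) + ext_req)


def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)  # LDAPDN matchedDN (ignored)
    _, diag, _ = _read_tlv(op, pos)        # LDAPString diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(rc, "big"),
            diag.decode("utf-8", "replace"))


def trust_store_from_file(path):
    """Client context that trusts only the given file (PEM or DER), nothing else."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=raw.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=raw)  # DER, the Windows "Copy to File" default
    return ctx


def probe_starttls(host, cafile, port=389, timeout=5.0):
    """Negotiate StartTLS on the plain LDAP port, then verify the peer with cafile.

    'tls' in the result is 'verified', 'untrusted-issuer' (cafile does not
    issue the server certificate; the same condition NSS reports as -8179),
    'refused' (server rejected StartTLS) or 'handshake-failed'.
    """
    out = {"starttls_rc": None, "tls": None, "detail": ""}
    ctx = trust_store_from_file(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request(1))
        resp = sock.recv(4096)  # the ExtendedResponse is a few dozen bytes
        if not resp:
            raise ConnectionError("server closed the connection before answering StartTLS")
        _, rc, diag = parse_extended_response(resp)
        out["starttls_rc"] = rc
        if rc != 0:
            out["tls"], out["detail"] = "refused", diag
            return out
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                out["tls"] = "verified"
                out["detail"] = "%s, peer subject %s" % (tls.version(), tls.getpeercert().get("subject"))
        except ssl.SSLCertVerificationError as exc:
            out["tls"], out["detail"] = "untrusted-issuer", exc.verify_message
        except ssl.SSLError as exc:
            out["tls"], out["detail"] = "handshake-failed", str(exc)
    return out


if __name__ == "__main__":
    # usage: starttls_probe.py addc2.test.mycompany.net /etc/openldap/cacerts/addc2-test.cer
    print(probe_starttls(sys.argv[1], sys.argv[2]))
```

A result of "untrusted-issuer" with "unable to get local issuer certificate" means the file is not the CA that signed the domain controller's certificate, which is exactly the case the later messages in this thread resolve by exporting the -CA entry from the machine store.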
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:
> I have tried to set up synchronization between a FreeIPA domain and an
> AD domain. The certificates are in the right place.
>
> [root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword --passsync secretpassword --cacert /etc/openldap/cacerts/addc1-datacenter.cer addc1.datacenter.addomain.net -v
> Directory Manager password:
> Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
> ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
> Failed to start replication
>
> This is the system journal while the failure is happening:
>
> May 14 02:50:39 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET
> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: ldap_syncrepl will reconnect in 60 seconds
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ipa : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: Traceback (most recent call last):
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 106, in <module>
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 349, in syncrepl_poll
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: add_intermediates=1, add_ctrls=1, all = 0
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: result = func(*args,**kwargs)
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: SERVER_DOWN: {'desc': "Can't contact LDAP server"}
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: Configured NSS Ciphers
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +] - SSL
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

On 05/14/2015 05:43 PM, nat...@nathanpeters.com wrote:
> On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:
>> I have tried to set up synchronization between a FreeIPA domain and an
>> AD domain. The certificates are in the right place.
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR
On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:

I have tried to set up synchronization between a FreeIPA domain and an AD domain. The certificates are in the right place.

[root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword --passsync secretpassword --cacert /etc/openldap/cacerts/addc1-datacenter.cer addc1.datacenter.addomain.net -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipadc1.ipadomain.net] reports: Update failed!
Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR
[root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw supersecretpassword --passsync supersecretpassword --cacert /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/addc2-test.cer to certificate database for ipadc1.ipadomain.net
ipa: INFO: AD Suffix is: DC=test,DC=mycompany,DC=net
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
Windows PassSync system account exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipadc1.ipadomain.net] reports: Update failed!
Status: [-11 - LDAP error: Connect error]

Have you tried using ldapsearch to verify the connection?

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"

and/or

# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"

Both commands give the same successful result. I don't think it's a problem with the credentials, because I was able to generate different error messages during the attempted sync setup if I intentionally gave a bad password or username.
Here is what happens when I run the above commands:

[root@ipadc1 cacerts]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 1601010101.0Z

[root@ipadc1 cacerts]# LDAPTLS_CACERT=/etc/openldap/cacerts/addc2-test.cer ldapsearch -xLLL -ZZ -h addc2.test.mycompany.net -D "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" -w supersecretpassword -s base -b cn=Users,dc=test,dc=mycompany,dc=net "objectclass=*"
dn: cn=Users,dc=test,dc=mycompany,dc=net
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=test,DC=mycompany,DC=net
instanceType: 4
whenCreated: 20150515024307.0Z
whenChanged: 20150515024307.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: V9KaoufynkWbJpSo2PjxiA==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=test,DC=mycompany,DC=net
isCriticalSystemObject: TRUE
dSCorePropagationData: 20150515025646.0Z
dSCorePropagationData: 1601010101.0Z

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
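The ldapsearch check above exercises the bind and the StartTLS handshake from the OpenLDAP client, but it does not tell you whether the file you are about to hand to --cacert is actually a CA certificate, which is what the thread eventually turned out to hinge on. The script below is an added example, not code from this thread or from FreeIPA: it accepts a PEM or DER (.cer as exported from Windows) file, checks for the basicConstraints CA:TRUE flag and for a self-signed subject/issuer, and verifies a server certificate (or the live LDAPS certificate of the DC) against it with openssl. It assumes the openssl CLI is on PATH; the host name addc2.test.mycompany.net and the path /etc/openldap/cacerts/addc2-test.cer in the usage comment are the thread's, the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a certificate file before
# passing it to ipa-replica-manage --cacert. Assumes the openssl CLI exists.

# Print the certificate in $1 as PEM, whether the file is PEM or DER.
cert_to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# Succeed (exit 0) only if $1 carries basicConstraints CA:TRUE, i.e. it is a
# CA certificate and not the DC's own server (leaf) certificate.
is_ca_cert() {
    cert_to_pem "$1" | openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# Succeed only if subject and issuer of $1 are identical (a root CA).
is_self_signed() {
    s=$(cert_to_pem "$1" | openssl x509 -noout -subject)
    i=$(cert_to_pem "$1" | openssl x509 -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Succeed only if the server certificate (PEM) in $2 chains to the CA in $1.
verify_chain() {
    tmp=$(mktemp) || return 1
    cert_to_pem "$1" > "$tmp"
    openssl verify -CAfile "$tmp" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Fetch the LDAPS certificate of DC $1 and verify it against CA file $2.
# Needs network access, so the self-test does not call it.
check_ldaps_chain() {
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    verify_chain "$2" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage with the values from the thread:
#   is_ca_cert /etc/openldap/cacerts/addc2-test.cer || echo "not a CA certificate"
#   check_ldaps_chain addc2.test.mycompany.net /etc/openldap/cacerts/addc2-test.cer || echo "DC cert does not chain to it"
```

If is_ca_cert fails on the exported file, you have the DC's server certificate rather than the issuing CA, and 389-ds will not be able to build a chain for the LDAPS connection no matter what the bind credentials are; re-export the certificate that Windows lists under the CA's name and run both checks again before creating the sync agreement.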