Bernhard Kneip
2017-05-19 07:06:38 UTC
Hi guys,
our current setup consists of 3 replicated free-ipa servers in a
master-master configuration.
What we are currently trying to do is to add a standalone 389-ds on our
mailserver which should only readonly-replicate
cn=accounts,dc=ipa,dc=example,dc=com to enable our mailserver to have a
local ldap cache (for alias/mailbox mapping in postfix/dovecot) and to
be able to add a local ldap-addressbook to our mailserver without the
need to have it on our ipa-servers.
Our environment is:
3 free-ipa servers
(centos7, 389-ds-base.x86_64 1.3.5.10-20.el7_3)
1 Mailserver
(debian stretch, 389-ds 1.3.5.15-2)
What we did:
Basically following this guide:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/Managing_Replication-Configuring-Replication-cmd#Configuring-Replication-Suppliers-cmd
on consumer (our mailserver):
...first we created the missing root
(cn=accounts,dc=ipa,dc=example,dc=com) by hand...
# readonly replication manager
dn: cn=readonly replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: readonly replication manager
sn: RORM
userPassword: NotTheRealPassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
Replication Entry:
# no dc=ipa in the dn!
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaid: 65535
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5replicatype: 2
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 1
# on supplier (one of our IPA-servers)
# on our IPA-servers, dc=ipa is included
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: accounts2hermes
nsds5replicahost: mail.example.com
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
description: replicate cn=accounts from ipa to hermes
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5replicacredentials: notTheRealButSameAsAbove
nsds5ReplicaIgnoreMissingChange: once
nsds5BeginReplicaRefresh: start
After some log-entries regarding the schema versions, we stopped the
consumer and copied the schema from the supplier to the consumer by hand...
This fixed most of the noise in the log, but we are still getting the
following error:
[18/May/2017:10:23:41.311816674 +0200] NSMMReplicationPlugin - agmt="cn=accountsToMail" (mail:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
Of course, we tried to re-initialize the remote replica with:
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
What are we missing?
Best regards,
Bernhard
--
Bernhard Kneip
System Administration
E-Mail: ***@isa.de.com
Tel: +49(0)3677/46929-144
Internet: www.isa.de.com
ISA Institut für Serviceautomation GmbH & Co. KG
Ziolkowskistraße 8, 98693 Ilmenau
District Court Jena, HRA 301735
Personally liable partner: ISA GmbH
District Court Jena, HRB 306708
Managing directors: Dr.-Ing. Walther Spies, Dipl.-Ing. (FH) Peter Mayer
Member of SIELAFF GROUP
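One consistency check a practitioner could run over the two posted entries, as an added example that is not part of the original post: it parses the consumer replica entry and the supplier agreement (the post's own values, credentials omitted, embedded as constructed input) and reports where the bind DN, replica root and mapping-tree suffix disagree. In 389-ds the supplier must bind as a DN listed in the consumer replica's nsDS5ReplicaBindDN, and a replica entry's nsDS5ReplicaRoot must be the suffix of the mapping-tree node it lives under; `parse_ldif`, `mapping_tree_suffix` and `check_pair` are names chosen here.

```python
import re

# Constructed sample: the consumer replica entry and the supplier agreement
# from the post, trimmed to the attributes the check needs (passwords left out).
CONSUMER_REPLICA = """\
dn: cn=replica,cn=dc\\=example\\,dc\\=com,cn=mapping tree,cn=config
objectclass: nsds5replica
nsds5replicaid: 65535
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5replicatype: 2
nsds5ReplicaBindDN: cn=replication manager,cn=config
"""

SUPPLIER_AGREEMENT = """\
dn: cn=accountsToMail,cn=replica,cn=dc\\=ipa\\,dc\\=example\\,dc\\=com,cn=mapping tree,cn=config
objectclass: nsds5ReplicationAgreement
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute names lower-cased, folded lines joined."""
    entry, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:          # LDIF continuation line
            entry[last] += raw[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        entry[last] = value.strip()
    return entry

def mapping_tree_suffix(dn):
    """Unescape the suffix from '...,cn=<escaped suffix>,cn=mapping tree,cn=config'."""
    m = re.search(r"cn=((?:\\.|[^,])+),cn=mapping tree,cn=config$", dn, re.I)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def check_pair(consumer_ldif, agreement_ldif):
    """Return a list of human-readable mismatches between consumer replica and agreement."""
    c, a = parse_ldif(consumer_ldif), parse_ldif(agreement_ldif)
    findings = []
    if c["nsds5replicabinddn"].lower() != a["nsds5replicabinddn"].lower():
        findings.append("bind DN mismatch: consumer allows %r, supplier binds as %r"
                        % (c["nsds5replicabinddn"], a["nsds5replicabinddn"]))
    if c["nsds5replicaroot"].lower() != a["nsds5replicaroot"].lower():
        findings.append("replica root differs between consumer and agreement")
    suffix = mapping_tree_suffix(c["dn"])
    if suffix and suffix.lower() != c["nsds5replicaroot"].lower():
        findings.append("consumer replica root %r is not the mapping-tree suffix %r"
                        % (c["nsds5replicaroot"], suffix))
    if c.get("nsds5replicatype") != "2":
        findings.append("consumer replica type is not 2 (read-only)")
    return findings
```

The generation-ID error in the log is not visible to this check; it only compares the two configuration entries against each other.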
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org