[Freeipa-devel] LDAP errors in the dirsrv logs during replica preparation
Oleg Fayans
ofayans at redhat.com
Mon Jun 22 08:57:02 UTC 2015
Hi Petr, team,
I was able to reproduce it today with sequential installation.
Again: one of three replicas caught this issue. Hostnames were different
from those on Friday, all three VMs from the same template.
On 06/19/2015 05:10 PM, Petr Vobornik wrote:
> On 06/19/2015 04:27 PM, Oleg Fayans wrote:
>> Hi everybody,
>>
>> While preparing the replica files on the latest IPA master I've noticed
>> the following error messages in the dirsrv error log:
>>
>> [19/Jun/2015:15:26:10 +0200] NSMMReplicationPlugin -
>> agmt="cn=masterAgreement1-vm-244.idm.lab.eng.brq.redhat.com-pki-tomcat"
>> (vm-244:389): Replication bind with SIMPLE auth failed: LDAP error -1
>> (Can't contact LDAP server) ()
>
> Probably a leftover CA replication agreement with some removed master.
> Can be removed with ipa-csreplica-manage del --force.
>
>> [19/Jun/2015:15:26:10 +0200] - Entry "uid=admin,ou=people,o=ipaca" --
>> attribute "krbExtraData" not allowed
>> [19/Jun/2015:15:26:13 +0200] slapi_ldap_bind - Error: could not send
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>>
>> Though the stdout of the replica preparation reports success, when I
>> later use the resulting gpg file to actually set up a replica, the setup
>> process fails with the following output:
>>
>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>> [1/8]: adding sasl mappings to the directory
>> [2/8]: configuring KDC
>> [3/8]: creating a keytab for the directory
>> [4/8]: creating a keytab for the machine
>> [5/8]: adding the password extension to the directory
>> [6/8]: enable GSSAPI for replication
>> [error] RuntimeError: One of the ldap service principals is missing.
>> Replication agreement cannot be converted.
>> Replication error message: Unable to acquire replicaLDAP error: No such
>> object
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR One of the
>> ldap service principals is missing. Replication agreement cannot be
>> converted.
>> Replication error message: Unable to acquire replicaLDAP error: No such
>> object
>>
>> The corresponding part of the ipareplica-install.log is attached.
>>
>> I've encountered this already twice. The strangest part is that I
>> prepared 3 replicas simultaneously: 2 of them installed successfully and
>> one failed. All three replicas were launched from the same VM template.
>>
>
> Could this be the cause? It would be safer to run it sequentially.
--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.