<div dir="ltr"><div>Here are the results of that command:</div><div><br></div><div>$ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'</div><div>Enter LDAP Password: </div>

<div>dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com</div><div>cn: Password Policy</div><div>cosspecifier: memberOf</div><div>cosAttribute: krbPwdPolicyReference override</div><div>costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com</div>

<div>objectClass: top</div><div>objectClass: ldapsubentry</div><div>objectClass: cosSuperDefinition</div><div>objectClass: cosClassicDefinition</div><div>description: Password Policy based on group membership</div></div>
<div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Dec 19, 2013 at 7:07 AM, Rich Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div class="im">
    <div>On 12/19/2013 02:19 AM, Joe Mou wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Thanks for the speedy reply. I am running on Fedora
        19.
        <div><br>
        </div>
        <div>
          <div>$ rpm -q 389-ds-base</div>
          <div>389-ds-base-1.3.1.16-1.fc19.x86_64</div>
        </div>
        <div>
          <div>$ rpm -q nss        </div>
          <div>nss-3.15.3-1.fc19.x86_64</div>
        </div>
      </div>
    </blockquote>
    <br></div>
    Not sure what's going on, but let's see if we can get it "unstuck". 
    It seems there is a conflict between the Class of Service plugin and
    the Member Of plugin.  I think we may be able to disable the CoS
    plugin to allow the deletion to proceed.<br>
    <br>
    Do the following search to see what CoS definitions there are:<br>
    ldapsearch -xLLL -D "cn=directory manager" -W -b
    dc=the,dc=flatiron,dc=com '(objectclass=ldapsubentry)'<div><div class="h5"><br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Dec 18, 2013 at 2:54 PM, Rich
          Megginson <span dir="ltr">&lt;<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div>
                  <div>On 12/18/2013 12:43 PM, Joe Mou wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">I have a broken IPA replica that
                      appears to be suffering from a hung directory
                      server. The master seems to be working fine, but
                      LDAP requests to the replica hang indefinitely. I
                      attached gdb to ns-slapd and suspect a deadlock in
                      cos_cache.c.
                      <div> <br>
                      </div>
                      <div>Thread 7 seems to be hung on an LDAP delete
                        for a user account that we recently removed.
                        Every time the directory server is started, it
                        tries to issue this delete, apparently to sync
                        the replica.</div>
                      <div> <br>
                      </div>
                      <div>I have been unsuccessful in trying to remove
                        the offending replica because ipa-replica-manage
                        seems to need to make LDAP requests against the
                        replica. For example:</div>
                      <div><br>
                      </div>
                      <div>$ ipa-replica-manage del <a href="http://p-ipa-wd02.prod.the.flatiron.com" target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>
                                            </div>
                      <div>^CConnection to '<a href="http://p-ipa-wd02.prod.the.flatiron.com" target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>'
                        failed: Insufficient access: SASL(0): successful
                        result:</div>
                      <div>Unable to delete replica '<a href="http://p-ipa-wd02.prod.the.flatiron.com" target="_blank">p-ipa-wd02.prod.the.flatiron.com</a>'</div>
                      <div><br>
                      </div>
                      <div>^CTraceback (most recent call last):</div>
                      <div>  File "/usr/sbin/ipa-replica-manage", line
                        1252, in &lt;module&gt;</div>
                      <div>    main()</div>
                      <div>KeyboardInterrupt</div>
                      <div><br>
                      </div>
                      <div>Backtraces of the suspicious threads and log
                        excerpts are at <a href="http://p.flatiron.com/%7Ejmou/ipa/" target="_blank">http://p.flatiron.com/~jmou/ipa/</a> .

                        I was only able to install a limited set of
                        debugging symbols; let me know if I can be of
                        more help.</div>
                      <div><br>
                      </div>
                      <div>Any help in fixing this replica or even just
                        removing it would be greatly appreciated!</div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
              What is your platform?  rpm -q 389-ds-base<br>
              <br>
              There were some hangs with rhel 6.4.z.  Please update to
              the latest 389-ds-base (1.2.11.15-30 or later) and nss
              3.15.3 or later.<br>
              <br>
              <blockquote type="cite">
                <div dir="ltr">
                  <div><br>
                  </div>
                  <div>Joe</div>
                </div>
                <br>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
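<div>An added example, not part of the original messages: a small parser for the <code>ldapsearch -LLL</code> output requested above, listing each CoS definition and flagging those whose specifier is <code>memberOf</code>, the attribute the Member Of plugin maintains. The sample is constructed from the entry quoted in this thread (abridged) plus a made-up <code>cn=Other</code> subentry; the function names and the <code>keyed_on_plugin_attr</code> field are this example's own.</div>

```python
import base64
import re

# Constructed sample: the entry quoted in this thread (abridged) plus a made-up
# non-CoS subentry (cn=Other) whose DN is folded across two lines.
SAMPLE_LDIF = """\
dn: cn=Password Policy,cn=accounts,dc=the,dc=flatiron,dc=com
cn: Password Policy
cosspecifier: memberOf
cosAttribute: krbPwdPolicyReference override
costemplatedn: cn=cosTemplates,cn=accounts,dc=the,dc=flatiron,dc=com
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition

dn: cn=Other,cn=accounts,dc=the,dc=flatiron,
 dc=com
objectClass: ldapsubentry
"""

COS_CLASSES = {"cosclassicdefinition", "cospointerdefinition", "cosindirectdefinition"}

def parse_ldif(text):
    """Return one dict per entry, mapping lowercased attribute name -> [values]."""
    unfolded = re.sub(r"\r?\n ", "", text)  # LDIF folding: newline + one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def cos_definitions(entries, plugin_attrs=("memberof",)):
    """List CoS definitions; flag those keyed on a plugin-maintained attribute."""
    found = []
    for e in entries:
        kinds = sorted({c.lower() for c in e.get("objectclass", [])} & COS_CLASSES)
        if not kinds:
            continue  # an ldapsubentry that is not a CoS definition
        spec = (e.get("cosspecifier") or e.get("cosindirectspecifier") or [""])[0]
        found.append({"dn": e["dn"][0], "kind": kinds[0], "specifier": spec,
                      "attributes": e.get("cosattribute", []),
                      "keyed_on_plugin_attr": spec.lower() in plugin_attrs})
    return found
```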