<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 09/01/2016 06:13 AM, Andrey Rogovsky
wrote:<br>
</div>
<blockquote
cite="mid:CAM+V3zJ0bSjiwrAJMOrbLfCH1KKCqdRndtHDYXmbeA83o=eySw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi!
<div>I have 2 servers - ldap1 is FreeIPA (master) and ldap2 is
389 DS (slave).</div>
<div>One-way replication ldap1 -> ldap2 is enabled, but the schema
is not replicated:</div>
</div>
</blockquote>
What version of 389-ds-base are you using?<br>
<br>
rpm -qa | grep 389-ds-base<br>
<blockquote
cite="mid:CAM+V3zJ0bSjiwrAJMOrbLfCH1KKCqdRndtHDYXmbeA83o=eySw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>The ldap1 log file has this line:</div>
<div>
<div>[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin -
Warning: unable to replicate schema to host ldap2, port 389.
Continuing with total update session.</div>
</div>
</div>
</blockquote>
Is there anything in ldap2's errors/access log from this time
(01/Sep/2016:07:04:53)?<br>
<blockquote
cite="mid:CAM+V3zJ0bSjiwrAJMOrbLfCH1KKCqdRndtHDYXmbeA83o=eySw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>There is current status:</div>
<div>
<div>filter: (objectclass=nsds5replicationagreement)</div>
<div>requesting: All userApplication attributes</div>
<div># extended LDIF</div>
<div>#</div>
<div># LDAPv3</div>
<div># base &lt;cn=config&gt; with scope subtree</div>
<div># filter: (objectclass=nsds5replicationagreement)</div>
<div># requesting: ALL</div>
<div>#</div>
<div><br>
</div>
<div># ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config</div>
<div>dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config</div>
<div>objectClass: top</div>
<div>objectClass: nsds5replicationagreement</div>
<div>cn: ExampleAgreement</div>
<div>nsDS5ReplicaHost: ldap2</div>
<div>nsDS5ReplicaPort: 389</div>
<div>nsDS5ReplicaBindDN: cn=replication manager,cn=config</div>
<div>nsDS5ReplicaBindMethod: SIMPLE</div>
<div>nsDS5ReplicaRoot: dc=example,dc=com</div>
<div>description: agreement between supplier1 and consumer1</div>
<div>nsDS5ReplicaUpdateSchedule: 0000-0500 1</div>
<div>nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList</div>
<div>nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQURJbjhNUWpLM1VqU1M1SGZEUTY0TA==}mwxKHUYWXjNeyo1AGRWe9A==</div>
<div>nsds5replicareapactive: 0</div>
<div>nsds5replicaLastUpdateStart: 19700101000000Z</div>
<div>nsds5replicaLastUpdateEnd: 19700101000000Z</div>
<div>nsds5replicaChangesSentSinceStartup:</div>
<div>nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup</div>
<div>nsds5replicaUpdateInProgress: FALSE</div>
<div>nsds5replicaLastInitStart: 20160901070452Z</div>
<div>nsds5replicaLastInitEnd: 20160901070455Z</div>
<div>nsds5replicaLastInitStatus: 0 Total update succeeded</div>
<div><br>
</div>
<div># search result</div>
<div>search: 2</div>
<div>result: 0 Success</div>
<div><br>
</div>
<div># numResponses: 2</div>
<div># numEntries: 1</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>After executing schema-reload.pl on ldap2
I have these lines in the log:</div>
<div>
<div>Failed to add task entry
"cn=schema_reload_2016_9_1_10_6_17, cn=schema reload task,
cn=tasks, cn=config" error (49)</div>
</div>
</div>
</blockquote>
Error 49 = invalid credentials. You entered the wrong password -
this prevented the schema reload task from taking place. You can
also restart the directory server which will do the same thing as
the schema reload task. The schema reload task is just so you can
reload new schema files without having to restart the server.<br>
<blockquote
cite="mid:CAM+V3zJ0bSjiwrAJMOrbLfCH1KKCqdRndtHDYXmbeA83o=eySw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This
((targetattr = "gidnumber || krbprincipalname ||
uidnumber")(version 3.0;acl "permission:System: Read system
trust accounts";allow (compare,read,search) groupdn =
"ldap:///cn=System: Read system trust
accounts,cn=permissions,cn=pbac,dc=example,dc=com";)) ACL
will not be considered for evaluation because of syntax
errors.</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin -
__aclp__init_targetattr: targetattr "ipaanchoruuid" does not
exist in schema. Please add attributeTypes "ipaanchoruuid"
to schema if necessary. </div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE
ERR(rv=-5): (targetattr = "cn</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This
((targetattr = "cn || createtimestamp || description ||
entryusn || gidnumber || ipaanchoruuid || modifytimestamp ||
objectclass")(targetfilter =
"(objectclass=ipaGroupOverride)")(version 3.0;acl
"permission:System: Read Group ID Overrides";allow
(compare,read,search) userdn = "ldap:///all";)) ACL will not
be considered for evaluation because of syntax errors.</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin -
__aclp__init_targetattr: targetattr "ipaanchoruuid" does not
exist in schema. Please add attributeTypes "ipaanchoruuid"
to schema if necessary. </div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE
ERR(rv=-5): (targetattr = "createtimestamp</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This
((targetattr = "createtimestamp || description || entryusn
|| gecos || gidnumber || homedirectory || ipaanchoruuid ||
ipaoriginaluid || ipasshpubkey || loginshell ||
modifytimestamp || objectclass || uid ||
uidnumber")(targetfilter =
"(objectclass=ipaUserOverride)")(version 3.0;acl
"permission:System: Read User ID Overrides";allow
(compare,read,search) userdn = "ldap:///all";)) ACL will not
be considered for evaluation because of syntax errors.</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin -
__aclp__init_targetattr: targetattr "a6record" does not
exist in schema. Please add attributeTypes "a6record" to
schema if necessary. </div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE
ERR(rv=-5): (targetattr = "a6record</div>
<div>[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This
((targetattr = "a6record || aaaarecord || afsdbrecord ||
aplrecord || arecord || certrecord || cn || cnamerecord ||
dhcidrecord || dlvrecord || dnamerecord || dnsclass ||
dnsttl || dsrecord || hinforecord || hiprecord ||
idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
idnsallowtransfer || idnsforwarders || idnsforwardpolicy ||
idnsname || idnssecinlinesigning || idnssoaexpire ||
idnssoaminimum || idnssoamname || idnssoarefresh ||
idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord ||
keyrecord || kxrecord || locrecord || mdrecord ||
minforecord || mxrecord || naptrrecord || nsecrecord ||
nsec3paramrecord || nsrecord || nxtrecord || ptrrecord ||
rprecord || rrsigrecord || sigrecord || spfrecord ||
srvrecord || sshfprecord || tlsarecord || txtrecord ||
unknownrecord ")(target =
"ldap:///idnsname=*,cn=dns,dc=example,dc=com")(version
3.0;acl "Update DNS entries in a zone";allow (write)
userattr = "parent[0,1].managedby#GROUPDN";)) ACL will not
be considered for evaluation because of syntax errors.</div>
</div>
<div><br>
</div>
<div>Looks like ipaanchoruuid is missing. Here is the LDAP schema
update:</div>
<div>
<div>filter: (objectclass=*)</div>
<div>requesting: 00core.ldif 01core389.ldif 02common.ldif
05rfc2927.ldif 05rfc4523.ldif 05rfc4524.ldif
06inetorgperson.ldif 10automember-plugin.ldif
10dna-plugin.ldif 10mep-plugin.ldif 10rfc2307.ldif
20subscriber.ldif 25java-object.ldif 28pilot.ldif
30ns-common.ldif 50ns-admin.ldif 50ns-certificate.ldif
50ns-directory.ldif 50ns-mail.ldif 50ns-value.ldif
50ns-web.ldif 60acctpolicy.ldif 60autofs.ldif
60eduperson.ldif 60mozilla.ldif 60nss-ldap.ldif
60pam-plugin.ldif 60posix-winsync-plugin.ldif
60pureftpd.ldif 60rfc2739.ldif 60rfc3712.ldif 60sabayon.ldif
60sudo.ldif 60trust.ldif 99user.ldif </div>
</div>
<div><br>
</div>
<div>None of the schema files on ldap2 have an entry
for ipaanchoruuid. But the ones from ldap1 do:</div>
<div>
<div>[root@ldap1 schema]# grep -i ipaanchoruuid *</div>
<div>71idviews.ldif:attributeTypes:
(2.16.840.1.113730.3.8.11.62 NAME 'ipaAnchorUUID' DESC
'Unique Anchor Identifier' EQUALITY caseIgnoreMatch ORDERING
caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE X-ORIGIN 'IPA v4')</div>
<div>71idviews.ldif:objectClasses:
(2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP
top STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description )
X-ORIGIN 'IPA v4' )</div>
<div>71idviews.ldif:objectClasses:
(2.16.840.1.113730.3.8.12.35 NAME 'ipaOverrideTarget' SUP
top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )</div>
<div>[root@ldap1 schema]# </div>
</div>
<div><br>
</div>
<div>How do I resolve this issue? Just copy the schema files from
ldap1 to ldap2?</div>
</div>
</blockquote>
That will work, but you need to restart the server for it to take
effect.<br>
<br>
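<p>The consumer's NSACLPlugin errors quoted in the question name every attribute the ACL parser could not find in cn=schema, and the supplier's grep shows where the definitions live. The script below is an added example, not code from this thread, from 389 DS or from FreeIPA: it pulls the missing names out of the errors log, looks each one up in the supplier's schema files, and writes an ldapmodify LDIF that adds the attributeTypes (plus the objectClasses that MUST or MAY them) to the consumer's cn=schema online. The sample log lines and the cut-down 71idviews.ldif are constructed from what the thread quotes; the file-dictionary shape, the <code>SAMPLE_*</code> names and the function names are assumptions of the example.</p>

```python
"""Added example (not from the thread, 389 DS or FreeIPA): resolve a consumer's
NSACLPlugin 'does not exist in schema' errors against the supplier's schema
files and emit an ldapmodify LDIF that adds the missing definitions online."""
import re

# Constructed sample: consumer (ldap2) errors-log lines as quoted in the thread.
SAMPLE_ERRORS = """\
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "cn
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "a6record" does not exist in schema. Please add attributeTypes "a6record" to schema if necessary.
"""

# Constructed sample: supplier (ldap1) 71idviews.ldif, cut down to the three
# definitions quoted in the thread and folded the way 389 DS ships its schema.
SAMPLE_SUPPLIER_SCHEMA = {"71idviews.ldif": """\
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.11.62 NAME 'ipaAnchorUUID' DESC
  'Unique Anchor Identifier' EQUALITY caseIgnoreMatch ORDERING
  caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-ORIGIN 'IPA v4')
objectClasses: (2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top
  STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description ) X-ORIGIN 'IPA v4' )
objectClasses: (2.16.840.1.113730.3.8.12.35 NAME 'ipaOverrideTarget' SUP top
  STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA v4' )
"""}

MISSING_RE = re.compile(r'targetattr "([^"]+)" does not exist in schema')
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
KINDS = {"attributetypes": "attributeTypes", "objectclasses": "objectClasses"}


def missing_attrs_from_errors(errors_log):
    """Names the ACL plugin could not resolve, lowercased and deduplicated."""
    return sorted({m.group(1).lower() for m in MISSING_RE.finditer(errors_log)})


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_schema(text):
    """Map each lowercase NAME in a schema LDIF to (kind, definition)."""
    parsed = {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        kind = KINDS.get(key.strip().lower())
        m = NAME_RE.search(value) if sep and kind else None
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        for name in names:
            parsed[name.lower()] = (kind, value.strip())
    return parsed


def dependent_objectclasses(attr, parsed):
    """objectClasses whose definition mentions `attr` as a whole word (MUST/MAY).
    Deliberately over-approximates: a DESC containing the word also matches."""
    pat = re.compile(r"\b" + re.escape(attr) + r"\b", re.IGNORECASE)
    hits = {d: None for k, d in parsed.values() if k == "objectClasses" and pat.search(d)}
    return list(hits)


def resolve_missing(missing, supplier_files):
    """({name: (file, kind, definition)}, [names found in no supplier file])."""
    found, unresolved = {}, []
    for name in missing:
        for fname, text in supplier_files.items():
            hit = parse_schema(text).get(name)
            if hit:
                found[name] = (fname,) + hit
                break
        else:
            unresolved.append(name)
    return found, unresolved


def schema_modify_ldif(found, supplier_files):
    """ldapmodify input that adds the resolved definitions, plus the objectClasses
    that require them, to cn=schema (389 DS persists the add in 99user.ldif)."""
    attrs, classes = [], {}
    for name, (fname, kind, definition) in found.items():
        if kind != "attributeTypes":
            classes[definition] = None
            continue
        attrs.append(definition)
        for ocdef in dependent_objectclasses(name, parse_schema(supplier_files[fname])):
            classes[ocdef] = None
    out = ["dn: cn=schema", "changetype: modify"]
    if attrs:  # attributeTypes first, the objectClasses below refer to them
        out += ["add: attributeTypes"] + ["attributeTypes: " + d for d in attrs] + ["-"]
    if classes:
        out += ["add: objectClasses"] + ["objectClasses: " + d for d in classes] + ["-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found, unresolved = resolve_missing(missing_attrs_from_errors(SAMPLE_ERRORS), SAMPLE_SUPPLIER_SCHEMA)
    for name in unresolved:
        print(f"# {name}: not in the supplied schema files, look further")
    print(schema_modify_ldif(found, SAMPLE_SUPPLIER_SCHEMA), end="")
```

<p>Feed the output to <code>ldapmodify -x -ZZ -H ldap://ldap2 -D "cn=Directory Manager" -W -f schema.ldif</code> (or use ldaps://; a SIMPLE bind over plain ldap:// sends the Directory Manager password in the clear). An online add to cn=schema lands in 99user.ldif and takes effect immediately, which is the same end state as copying the supplier's files into the schema directory and restarting, or running the schema reload task with a password that actually binds (the task's error 49 in the question is the bind failing, not a schema problem). Whatever the script reports as unresolved (a6record here, because the constructed sample only carries 71idviews.ldif) still has to be found in the rest of the supplier's schema directory. One more caveat on the agreement dump quoted in the question: nsDS5ReplicaCredentials is stored reversibly encrypted (the {AES-...} prefix) so the supplier can bind to the consumer, so such dumps should be redacted before they are posted.</p>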
</body>
</html>