[Fedora-directory-users] Chain on Update Problem
Richard Megginson
rmeggins at redhat.com
Fri Sep 1 23:01:08 UTC 2006
James B Newby wrote:
> I found the MOD line in the consumer's access log. I saw no entry in
> the master's access log regarding that entry. It seems as if the
> request doesn't make it to the master. I can telnet into the ldap
> port on the master from the consumer.
>
> I installed Fedora Directory Server from
> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three
> machines are Intel/CentOS 4.3.
>
> -James
>
> In the consumer's access log:
> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH
> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole
> nsRoleDN objectClass nsAccountLock"
> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database,
> cn=plugins, cn=config" scope=2
> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix
> nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101
> nentries=2 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0
> filter="(objectClass=*)" attrs="nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines
> ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database,
> cn=plugins, cn=config" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101
> nentries=0 etime=0
> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH
> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="numSubordinates nscpEntryDN subschemaSubentry
> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic
> nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates
> nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText
> copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp
> nsTimeLimit passwordHistory retryCountResetTime
> passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom
> nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime
> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText
> pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH
> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
> filter="(objectClass=*)" attrs="*"
> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH
> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101
> nentries=1 etime=0
> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD
> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103
> nentries=0 etime=0
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH
> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="objectClass numSubordinates ref aci"
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101
> nentries=1 etime=0 notes=U
Weird. It looks as though you added the entry to the local server, and
were able to search for it right away. e.g. you search for uid=jhines,
and the server replies with err=0 and nentries=1. Can you try the same
search from the ldapsearch command line?
>
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Hello all,
>>>
>>> I'm having a problem with my consumer's chain on update. I have a
>>> setup with two masters and one consumer. Multi-master replication
>>> is working properly. Changes made on either master propagate to the
>>> other master and to the consumer.
>>>
>>> Before setting up chaining, changes made on the consumer from the
>>> directory console would be denied. After setting up chaining per
>>> the wiki entry:
>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
>>> changes could be made on the consumer through the directory console,
>>> but would not propagate to the master.
>> How are you testing/verifying the change doesn't get through? Note
>> that if you make the change in the console, the console will not
>> automatically refresh. I would first check the access log on the
>> consumer to find the ADD or MOD request, then see if that request
>> made it to a master, then see if the master rejected it and why.
>>>
>>> I saw an e-mail with a similar problem in the December 2005 archive,
>>> but didn't see any info in the replies that would help me. I've
>>> tried setting this up from scratch a couple times, but without
>>> success. The responses to ILoveJython's email in December suggested
>>> that certain entries be pasted in, so I've included them below.
>>>
>>> The following acl is included in dc=hg,dc=com:
>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for
>>> database links";allow (proxy) (userdn = "ldap:///cn=Replication
>>> Manager, cn=config");)
>>> Since multi-master replication is set up, this entry is present on
>>> all three servers.
>>>
>>> Any help would be appreciated! Thanks!
>>>
>>> -James
>>>
>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsMappingTree
>>> nsslapd-state: backend
>>> cn: "dc=hg,dc=com"
>>> cn: dc=hg,dc=com
>>> nsslapd-backend: userRoot
>>> nsslapd-backend: chainbe1
>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>>> nsslapd-distribution-funct: repl_chain_on_update
>>>
>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>> objectClass: nsDS5Replica
>>> objectClass: top
>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>> nsDS5ReplicaType: 2
>>> nsDS5Flags: 0
>>> nsds5ReplicaPurgeDelay: 604800
>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>> cn: replica
>>> nsDS5ReplicaId: 65535
>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsds5ReplicaChangeCount: 0
>>> nsds5replicareapactive: 0
>>>
>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>> cn: config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>> nspossiblechainingcomponents: cn=resource
>>> limits,cn=components,cn=config
>>> nspossiblechainingcomponents: cn=certificate-based
>>> authentication,cn=component
>>> s,cn=config
>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>>> nspossiblechainingcomponents: cn=referential integrity
>>> postoperation,cn=plugin
>>> s,cn=config
>>> nspossiblechainingcomponents: cn=attribute
>>> uniqueness,cn=plugins,cn=config
>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsBackendInstance
>>> cn: chainbe1
>>> nsslapd-suffix: dc=hg,dc=com
>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389
>>> ldap2.mw1.highergear.com
>>> :1389/
>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>> nsmultiplexorcredentials: {DES}<PASSWORD ERASED>
>>> nsbindconnectionslimit: 3
>>> nsoperationconnectionslimit: 20
>>> nsabandonedsearchcheckinterval: 1
>>> nsconcurrentbindlimit: 10
>>> nsconcurrentoperationslimit: 2
>>> nsproxiedauthorization: on
>>> nsconnectionlife: 0
>>> nsbindtimeout: 15
>>> nsreferralonscopedsearch: off
>>> nschecklocalaci: on
>>> nsbindretrylimit: 3
>>> nsslapd-sizelimit: 2000
>>> nsslapd-timelimit: 3600
>>> nshoplimit: 10
>>> nsmaxresponsedelay: 60
>>> nsmaxtestresponsedelay: 15
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20060901/f16997dc/attachment.bin>
More information about the Fedora-directory-users
mailing list