[389-users] more MMR issues

Rich Megginson rmeggins at redhat.com
Thu Nov 12 15:57:07 UTC 2009 

Robert Viduya wrote:
>
> On Nov 10, 2009, at 3:25 PM, Rich Megginson wrote:
>>>
>> No.  Check the access log to see what operations were submitted to 
>> the directory server at or around [10/Nov/2009:08:56:27 -0500]
>>
>> Are your servers in time sync?  Is cn=people rewbell gertrude the 
>> agreement that sends updates to the master that is having the 
>> spontaneous import problem?
>
> Yes, "cn=people rewbell gertrude" is that agreement.  We name our 
> agreements with the name of the database ("people") followed by the 
> name of the source server ("rewbell") followed by the name of the 
> destination server ("gertrude").  Gertrude is the master that had the 
> spontaneous import problem.
>
> We have ntpd running on all our machines, so all times should be in sync.
>
> We have a lot going on, but I found the following in the access log on 
> the problem server:
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=71 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f38000000370000
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=72 MOD 
> dn="gtdirguid=54e468fd7520dbdb1da52263fb4a6576,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=72 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f38000100370000
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=73 MOD 
> dn="gtdirguid=af56dc17bc397b8371b9eed7d91b2af2,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=73 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f38000500370000
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=74 MOD 
> dn="gtdirguid=5261a6e61f97bca3f2741b428255daf4,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=74 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f39000000370000
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=75 MOD 
> dn="gtdirguid=ad5dddfb9ec4fe230644dc060ce641c7,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=75 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f39000100370000
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=76 MOD 
> dn="gtdirguid=0a87d4434e42edf9df3019b922fe2b63,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:19 -0500] conn=158624 op=76 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f39000200370000
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=77 MOD 
> dn="gtdirguid=8be9c47e00957f900b69af162cba8adf,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=77 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f7b000000370000
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=78 MOD 
> dn="gtdirguid=beef247b54a6e1289f3e392865e08e17,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=78 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f7b000400370000
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=79 MOD 
> dn="gtdirguid=db2aa7040d3b982cf1a32aad503d7e6f,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=79 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f7b000500370000
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=80 MOD 
> dn="gtdirguid=c9390deb6018475b4d5d5267ba70fb99,ou=people,dc=gted,dc=gatech,dc=edu" 
>
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=80 RESULT err=0 tag=103 
> nentries=0 etime=0 csn=4af96f7b000600370000
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=81 EXT 
> oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
> [10/Nov/2009:08:55:20 -0500] conn=158624 op=81 RESULT err=0 tag=120 
> nentries=0 etime=0
> [10/Nov/2009:08:55:24 -0500] conn=158624 op=83 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:55:24 -0500] conn=158624 op=83 RESULT err=0 tag=120 
> nentries=0 etime=0
> [10/Nov/2009:08:55:28 -0500] conn=158624 op=84 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:55:28 -0500] conn=158624 op=84 RESULT err=0 tag=120 
> nentries=0 etime=0
> [10/Nov/2009:08:56:06 -0500] conn=158624 op=86 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:56:06 -0500] conn=158624 op=87 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:56:07 -0500] conn=158624 op=87 RESULT err=0 tag=120 
> nentries=0 etime=1
> [10/Nov/2009:08:56:10 -0500] conn=158624 op=88 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:56:27 -0500] conn=158624 op=88 RESULT err=0 tag=120 
> nentries=0 etime=17
> [10/Nov/2009:08:56:59 -0500] conn=158624 op=89 EXT 
> oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
> [10/Nov/2009:08:56:59 -0500] conn=158624 op=89 RESULT err=0 tag=120 
> nentries=0 etime=0
> [10/Nov/2009:08:57:59 -0500] conn=158624 op=91 UNBIND
> [10/Nov/2009:08:57:59 -0500] conn=158624 op=91 fd=64 closed - U1
>
> You can see that replication was working until around 8:55:20 and then 
> there's a series of "Replication Start Session" operations with no 
> corresponding "End Session".  The log messages from the supplier 
> server (which I sent in the previous mail) seem to indicate that some 
> communication problems may have occurred (all those "Unable to receive 
> response" logs).
>
> Digging through the audit-log, I found the following:
>
> time: 20091110085608
> dn: cn="ou=people,dc=gted,dc=gatech,dc=edu",cn=mapping tree,cn=config
> changetype: modify
> replace: nsslapd-referral
> nsslapd-referral: 
> ldap://rewbell.iam.gatech.edu:389/ou%3Dpeople%2Cdc%3Dgted%2C
> dc%3Dgatech%2Cdc%3Dedu
> -
> replace: modifiersname
> modifiersname: cn=server,cn=plugins,cn=config
> -
> replace: modifytimestamp
> modifytimestamp: 20091110135607Z
> -
>
> time: 20091110085610
> dn: cn="ou=people,dc=gted,dc=gatech,dc=edu",cn=mapping tree,cn=config
> changetype: modify
> replace: nsslapd-referral
> nsslapd-referral: 
> ldaps://rw.gted.gatech.edu:636/ou=people,dc=gted,dc=gatech,d
> c=edu
> -
> replace: modifiersname
> modifiersname: cn=server,cn=plugins,cn=config
> -
> replace: modifytimestamp
> modifytimestamp: 20091110135610Z
> -
>
> time: 20091110085625
> dn: cn="ou=people,dc=gted,dc=gatech,dc=edu",cn=mapping tree,cn=config
> changetype: modify
> replace: nsslapd-state
> nsslapd-state: referral
> -
> replace: modifiersname
> modifiersname: cn=server,cn=plugins,cn=config
> -
> replace: modifytimestamp
> modifytimestamp: 20091110135625Z
> -
>
> time: 20091110085626
> dn: cn="ou=people,dc=gted,dc=gatech,dc=edu",cn=mapping tree,cn=config
> changetype: modify
> replace: nsslapd-state
> nsslapd-state: backend
> -
> replace: modifiersname
> modifiersname: cn=server,cn=plugins,cn=config
> -
> replace: modifytimestamp
> modifytimestamp: 20091110135626Z
> -
>
> The referral for that suffix first gets changed 
> "ldap://rewbell.iam.gatech.edu:389/...", which isn't right.
>
> Then it get changed to "ldaps://rw.gted.gatech.edu:636/..." which is 
> correct (and what we have configured in the nsDS5ReplicaReferral 
> attribute).
>
> Then the state gets changed a couple of times too.  Not sure if this 
> is a cause or effect of the problem we're seeing, but I'm inclined to 
> think it's an effect of the server thinking it's been told to do an 
> import, not a cause.  IMHO, of course.
Yes, I think you are correct.  The behavior in the logs on the consumer 
is consistent with that.  When a supplier starts an initialization of a 
consumer, it sets the consumer's database to referral mode - that is, 
the consumer should not attempt to process any requests for that 
database during initialization - it's database is offline while being 
initialized.

Another odd thing is that op=85 is not logged - not sure what happened 
there.

It would be useful to take a look at the supplier access and error logs 
from around 08:55:28 to 08:56:27
>
> -- 
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091112/6ebd9f19/attachment.bin>

More information about the Fedora-directory-users mailing list