[Freeipa-users] ui login error and questions about replication

Rich Megginson rmeggins at redhat.com
Wed Nov 6 01:08:38 UTC 2013 

On 11/05/2013 04:23 PM, Tamas Papp wrote:
> On 11/05/2013 09:25 PM, Rich Megginson wrote:
>> On 11/05/2013 01:03 PM, Tamas Papp wrote:
>>> On 11/05/2013 03:58 PM, Rich Megginson wrote:
>>>> On 11/05/2013 07:53 AM, Tamas Papp wrote:
>>>>> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>>>>> https://fedorahosted.org/389/ticket/47516
>>>>>>
>>>>>> This has been fixed upstream and in some releases - to allow
>>>>>> replication to proceed despite excessive clock skew - what is your
>>>>>> 389-ds-base version and platform?
>>>>> What is the clock skewed? The date and time is the same on both
>>>>> machines.
>>>> VMs are notorious for having the clocks get out of sync - even
>>>> temporarily.
>>> What do you mean by this?
>>> I definitely see the same time on the machines.
>>> Also I can see in the log, that the replication is resumed. There is no
>>> messages about the broken replication after the resume message.
>>>
>>>>> freeipa-admintools-3.3.2-1.fc19.x86_64
>>>>> freeipa-client-3.3.2-1.fc19.x86_64
>>>>> freeipa-python-3.3.2-1.fc19.x86_64
>>>>> freeipa-server-3.3.2-1.fc19.x86_64
>>>>> libipa_hbac-1.11.1-4.fc19.x86_64
>>>>> libipa_hbac-python-1.11.1-4.fc19.x86_64
>>>>> sssd-ipa-1.11.1-4.fc19.x86_64
>>>>> 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
>>>>> 389-ds-base-1.3.1.12-1.fc19.x86_64
>>>>>
>>>>> Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2
>>>>> 14:09:09 UTC
>>>>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>>> Fedora 19.
>>>>>
>>>>>
>>>>> How can I fix it?
>>>> ldapmodify -x -D "cn=directory manager" -W <<EOF
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-ignore-time-skew
>>>> nsslapd-ignore-time-skew: on
>>>> EOF
>>>>
>>>> Do this on all of your servers.
>>> I tried this, but no joy. Still not good:/
>> Can you describe the exact steps you took, on all replicas?
> I created ldif files:
>
> # cat replication_ignore-time-skew.ldif
> dn: cn=config
> changetype: modify
> replace: nsslapd-ignore-time-skew
> nsslapd-ignore-time-skew: on
>
> Then:
>
> $ ldapmodify -x -D "cn=directory manager" -W -f
> replication_ignore-time-skew.ldif
>
>
>
> But I don't see the changes:
>
> # ldapsearch -x|grep -i ignore
ldapsearch -x -D "cn=directory manager" -W -s base -b cn=config 
'objectclass=*' nsslapd-ignore-time-skew
> #
>
> Probably you realized, I'm not an ldap expert:)
> But I assume it's because it doesn't exist right now, therefore it
> should be add ot modify?
It is always ok to do a changetype: modify replace
>
> I don't wan't to try it now, because currently it's working. Maybe when
> it gets fail again.
Ok.
>
>
> Thanks,
> tamas

More information about the Freeipa-users mailing list