[Freeipa-users] IPA Replica Issues (Total update abortedLDAP error: Can't contact LDAP server)
Rich Megginson
rmeggins at redhat.com
Tue Apr 1 21:30:53 UTC 2014
On 04/01/2014 03:28 PM, Nevada Sanchez wrote:
> Okay, I just tried doing this on a FRESH fedora 19 image (applied all
> updates, installed freeipa, made a new replica file for the new test
> server, and went straight to ipa-replica-install). Exact same errors.
> Anything else I should try?
I don't know.
Does anyone on the IPA team know what the ipa_lockout errors are about,
and if they would cause replication not to work?
>
>
> On Tue, Apr 1, 2014 at 3:22 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> On 04/01/2014 01:16 PM, Nevada Sanchez wrote:
>> 389-ds-base-1.3.1.22-1.fc19.x86_64
>>
>> The following, I think, summarizes the contents of the error log
>> (I probably uninstalled and tried reimporting 2 or 3 times in
>> what is shown).
>>
>> .
>> .
>> .
>> [01/Apr/2014:03:42:46 -0400] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [01/Apr/2014:03:42:46 -0400] - check_and_set_import_cache:
>> pagesize: 4096, pages: 1970554, procpages: 53717
>> [01/Apr/2014:03:42:46 -0400] - Import allocates 3152884KB import
>> cache.
>> [01/Apr/2014:03:42:46 -0400] - import userRoot: Beginning import
>> job...
>> [01/Apr/2014:03:42:46 -0400] - import userRoot: Index buffering
>> enabled with bucket size 100
>> [01/Apr/2014:03:42:46 -0400] - import userRoot: Processing file
>> "/var/lib/dirsrv/boot.ldif"
>> [01/Apr/2014:03:42:46 -0400] - import userRoot: Finished scanning
>> file "/var/lib/dirsrv/boot.ldif" (1 entries)
>> [01/Apr/2014:03:42:46 -0400] - import userRoot: Workers finished;
>> cleaning up...
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Workers cleaned up.
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Cleaning up
>> producer thread...
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Indexing
>> complete. Post-processing...
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Generating
>> numSubordinates complete.
>> [01/Apr/2014:03:42:47 -0400] - Nothing to do to build ancestorid
>> index
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Flushing caches...
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Closing files...
>> [01/Apr/2014:03:42:47 -0400] - All database threads now stopped
>> [01/Apr/2014:03:42:47 -0400] - import userRoot: Import complete.
>> Processed 1 entries in 1 seconds. (1.00 entries/sec)
>> [01/Apr/2014:03:42:47 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:03:42:47 -0400] - Db home directory is not set.
>> Possibly nsslapd-directory (optionally nsslapd-db-home-directory)
>> is missing in the config file.
>> [01/Apr/2014:03:42:48 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:03:42:48 -0400] - Db home directory is not set.
>> Possibly nsslapd-directory (optionally nsslapd-db-home-directory)
>> is missing in the config file.
>> [01/Apr/2014:03:42:48 -0400] - I'm resizing my cache now...cache
>> was 3228553216 and is now 8000000
>> [01/Apr/2014:03:42:48 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:03:42:48 -0400] - The change of nsslapd-ldapilisten
>> will not take effect until the server is restarted
>> [01/Apr/2014:03:43:01 -0400] - Warning: Adding configuration
>> attribute "nsslapd-security"
>> [01/Apr/2014:03:43:01 -0400] - slapd shutting down - signaling
>> operation threads
>> [01/Apr/2014:03:43:01 -0400] - slapd shutting down - waiting for
>> 27 threads to terminate
>> [01/Apr/2014:03:43:01 -0400] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2014:03:43:01 -0400] - Waiting for 4 database threads to stop
>> [01/Apr/2014:03:43:02 -0400] - All database threads now stopped
>> [01/Apr/2014:03:43:02 -0400] - slapd stopped.
>> [01/Apr/2014:03:43:03 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:03:43:03 -0400] attrcrypt - No symmetric key found
>> for cipher AES in backend userRoot, attempting to create one...
>> [01/Apr/2014:03:43:03 -0400] attrcrypt - Key for cipher AES
>> successfully generated and stored
>> [01/Apr/2014:03:43:03 -0400] attrcrypt - No symmetric key found
>> for cipher 3DES in backend userRoot, attempting to create one...
>> [01/Apr/2014:03:43:03 -0400] attrcrypt - Key for cipher 3DES
>> successfully generated and stored
>> [01/Apr/2014:03:43:03 -0400] ipalockout_get_global_config - [file
>> ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
>> [01/Apr/2014:03:43:04 -0400] ipaenrollment_start - [file
>> ipa_enrollment.c, line 393]: Failed to get default realm?!
>> [01/Apr/2014:03:43:04 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:03:43:04 -0400] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [01/Apr/2014:03:43:04 -0400] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [01/Apr/2014:03:43:04 -0400] - slapd shutting down - signaling
>> operation threads
>> [01/Apr/2014:03:43:04 -0400] - slapd shutting down - waiting for
>> 27 threads to terminate
>> [01/Apr/2014:03:43:05 -0400] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2014:03:43:05 -0400] - Waiting for 4 database threads to stop
>> [01/Apr/2014:03:43:05 -0400] - All database threads now stopped
>> [01/Apr/2014:03:43:05 -0400] - slapd stopped.
>> [01/Apr/2014:03:43:06 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:03:43:06 -0400] ipalockout_get_global_config - [file
>> ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
>> [01/Apr/2014:03:43:06 -0400] ipaenrollment_start - [file
>> ipa_enrollment.c, line 393]: Failed to get default realm?!
>> [01/Apr/2014:03:43:06 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:03:43:06 -0400] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [01/Apr/2014:03:43:06 -0400] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [01/Apr/2014:03:43:08 -0400] NSMMReplicationPlugin -
>> agmt="cn=meToipa.example.com"
>> (ipa:389): The remote replica has a different database generation
>> ID than the local database. You may have to reinitialize the
>> remote replica, or the local replica.
>> [01/Apr/2014:03:43:08 -0400] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=example,dc=com is going
>> offline; disabling replication
>> [01/Apr/2014:03:43:08 -0400] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [01/Apr/2014:03:43:11 -0400] - import userRoot: Workers finished;
>> cleaning up...
>> [01/Apr/2014:03:43:11 -0400] - import userRoot: Workers cleaned up.
>> [01/Apr/2014:03:43:11 -0400] - import userRoot: Indexing
>> complete. Post-processing...
>> [01/Apr/2014:03:43:11 -0400] - import userRoot: Generating
>> numSubordinates complete.
>> [01/Apr/2014:03:43:12 -0400] - import userRoot: Flushing caches...
>> [01/Apr/2014:03:43:12 -0400] - import userRoot: Closing files...
>> [01/Apr/2014:03:43:12 -0400] - import userRoot: Import complete.
>> Processed 453 entries in 4 seconds. (113.25 entries/sec)
>> [01/Apr/2014:03:43:12 -0400] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=example,dc=com is coming
>> online; enabling replication
>> [01/Apr/2014:03:43:12 -0400] - Skipping CoS Definition
>> cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS
>> Templates found, which should be added before the CoS Definition.
>> [01/Apr/2014:03:43:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:43:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:48:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:48:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:53:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:53:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:58:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:58:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:03:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:03:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:08:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:08:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:13:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:13:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:18:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:18:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:23:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:23:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:28:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:28:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:33:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:33:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:38:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:38:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:43:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:43:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:48:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:48:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:53:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:53:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:58:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:04:58:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:03:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:03:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:08:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:08:18 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:13:18 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:13:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:36 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:36 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:41 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:41 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:46 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:46 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:58 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:14:58 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:15:00 -0400] - slapd shutting down - signaling
>> operation threads
>> [01/Apr/2014:05:15:00 -0400] - slapd shutting down - waiting for
>> 28 threads to terminate
>> [01/Apr/2014:05:15:00 -0400] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2014:05:15:01 -0400] - Waiting for 4 database threads to stop
>> [01/Apr/2014:05:15:01 -0400] - All database threads now stopped
>> [01/Apr/2014:05:15:01 -0400] - slapd stopped.
>> [01/Apr/2014:05:27:38 -0400] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [01/Apr/2014:05:27:38 -0400] - check_and_set_import_cache:
>> pagesize: 4096, pages: 1970554, procpages: 53717
>> [01/Apr/2014:05:27:38 -0400] - Import allocates 3152884KB import
>> cache.
>> [01/Apr/2014:05:27:38 -0400] - import userRoot: Beginning import
>> job...
>> [01/Apr/2014:05:27:38 -0400] - import userRoot: Index buffering
>> enabled with bucket size 100
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Processing file
>> "/var/lib/dirsrv/boot.ldif"
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Finished scanning
>> file "/var/lib/dirsrv/boot.ldif" (1 entries)
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Workers finished;
>> cleaning up...
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Workers cleaned up.
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Cleaning up
>> producer thread...
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Indexing
>> complete. Post-processing...
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Generating
>> numSubordinates complete.
>> [01/Apr/2014:05:27:39 -0400] - Nothing to do to build ancestorid
>> index
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Flushing caches...
>> [01/Apr/2014:05:27:39 -0400] - import userRoot: Closing files...
>> [01/Apr/2014:05:27:40 -0400] - All database threads now stopped
>> [01/Apr/2014:05:27:40 -0400] - import userRoot: Import complete.
>> Processed 1 entries in 2 seconds. (0.50 entries/sec)
>> [01/Apr/2014:05:27:40 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:05:27:40 -0400] - Db home directory is not set.
>> Possibly nsslapd-directory (optionally nsslapd-db-home-directory)
>> is missing in the config file.
>> [01/Apr/2014:05:27:40 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:05:27:40 -0400] - Db home directory is not set.
>> Possibly nsslapd-directory (optionally nsslapd-db-home-directory)
>> is missing in the config file.
>> [01/Apr/2014:05:27:40 -0400] - I'm resizing my cache now...cache
>> was 3228553216 and is now 8000000
>> [01/Apr/2014:05:27:41 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:05:27:41 -0400] - The change of nsslapd-ldapilisten
>> will not take effect until the server is restarted
>> [01/Apr/2014:05:27:54 -0400] - Warning: Adding configuration
>> attribute "nsslapd-security"
>> [01/Apr/2014:05:27:54 -0400] - slapd shutting down - signaling
>> operation threads
>> [01/Apr/2014:05:27:54 -0400] - slapd shutting down - waiting for
>> 28 threads to terminate
>> [01/Apr/2014:05:27:54 -0400] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2014:05:27:54 -0400] - Waiting for 4 database threads to stop
>> [01/Apr/2014:05:27:55 -0400] - All database threads now stopped
>> [01/Apr/2014:05:27:55 -0400] - slapd stopped.
>> [01/Apr/2014:05:27:56 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:05:27:56 -0400] attrcrypt - No symmetric key found
>> for cipher AES in backend userRoot, attempting to create one...
>> [01/Apr/2014:05:27:56 -0400] attrcrypt - Key for cipher AES
>> successfully generated and stored
>> [01/Apr/2014:05:27:56 -0400] attrcrypt - No symmetric key found
>> for cipher 3DES in backend userRoot, attempting to create one...
>> [01/Apr/2014:05:27:56 -0400] attrcrypt - Key for cipher 3DES
>> successfully generated and stored
>> [01/Apr/2014:05:27:56 -0400] ipalockout_get_global_config - [file
>> ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
>> [01/Apr/2014:05:27:56 -0400] ipaenrollment_start - [file
>> ipa_enrollment.c, line 393]: Failed to get default realm?!
>> [01/Apr/2014:05:27:56 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:05:27:56 -0400] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [01/Apr/2014:05:27:56 -0400] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [01/Apr/2014:05:27:56 -0400] - slapd shutting down - signaling
>> operation threads
>> [01/Apr/2014:05:27:56 -0400] - slapd shutting down - waiting for
>> 29 threads to terminate
>> [01/Apr/2014:05:27:57 -0400] - slapd shutting down - closing down
>> internal subsystems and plugins
>> [01/Apr/2014:05:27:57 -0400] - Waiting for 4 database threads to stop
>> [01/Apr/2014:05:27:57 -0400] - All database threads now stopped
>> [01/Apr/2014:05:27:57 -0400] - slapd stopped.
>> [01/Apr/2014:05:27:58 -0400] - 389-Directory/1.3.1.22.a1
>> B2014.073.1751 starting up
>> [01/Apr/2014:05:27:59 -0400] ipalockout_get_global_config - [file
>> ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
>> [01/Apr/2014:05:27:59 -0400] ipaenrollment_start - [file
>> ipa_enrollment.c, line 393]: Failed to get default realm?!
>> [01/Apr/2014:05:27:59 -0400] - slapd started. Listening on All
>> Interfaces port 389 for LDAP requests
>> [01/Apr/2014:05:27:59 -0400] - Listening on All Interfaces port
>> 636 for LDAPS requests
>> [01/Apr/2014:05:27:59 -0400] - Listening on
>> /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
>> [01/Apr/2014:05:28:01 -0400] NSMMReplicationPlugin -
>> agmt="cn=meToipa.example.com"
>> (ipa:389): The remote replica has a different database generation
>> ID than the local database. You may have to reinitialize the
>> remote replica, or the local replica.
>> [01/Apr/2014:05:28:01 -0400] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=example,dc=com is going
>> offline; disabling replication
>> [01/Apr/2014:05:28:01 -0400] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to
>> access the database
>> [01/Apr/2014:05:28:04 -0400] - import userRoot: Workers finished;
>> cleaning up...
>> [01/Apr/2014:05:28:05 -0400] - import userRoot: Workers cleaned up.
>> [01/Apr/2014:05:28:05 -0400] - import userRoot: Indexing
>> complete. Post-processing...
>> [01/Apr/2014:05:28:05 -0400] - import userRoot: Generating
>> numSubordinates complete.
>> [01/Apr/2014:05:28:05 -0400] - import userRoot: Flushing caches...
>> [01/Apr/2014:05:28:05 -0400] - import userRoot: Closing files...
>> [01/Apr/2014:05:28:06 -0400] - import userRoot: Import complete.
>> Processed 453 entries in 5 seconds. (90.60 entries/sec)
>> [01/Apr/2014:05:28:06 -0400] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=example,dc=com is coming
>> online; enabling replication
>> [01/Apr/2014:05:28:06 -0400] - Skipping CoS Definition
>> cn=Password Policy,cn=accounts,dc=example,dc=com--no CoS
>> Templates found, which should be added before the CoS Definition.
>> [01/Apr/2014:05:32:38 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:32:38 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> .
>> .
>> .
>> [01/Apr/2014:13:12:39 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:13:12:39 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>
> This seems bad, but I'm not sure if this is the root of the
> replication problem.
>
>
>>
>>
>>
>> On Tue, Apr 1, 2014 at 1:13 PM, Rich Megginson
>> <rmeggins at redhat.com> wrote:
>>
>> On 04/01/2014 03:46 AM, Nevada Sanchez wrote:
>>> I've had a replica working with FreeIPA 3.2.1 for awhile.
>>> After upgrading to 3.3.4, the replica wouldn't recognize my
>>> admin login anymore. After much troubleshooting, I decided
>>> to try to redo the replica since it was quite
>>> straightforward when I first set it up (what could go wrong,
>>> right?)
>> What is your version of 389-ds-base? rpm -q 389-ds-base
>>
>> What is in your dirsrv errors log?
>> /var/log/dirsrv/slapd-DOMAIN-TLD/errors
>>
>>>
>>> Unfortunately, I've spent most of my day trying to get the
>>> replica to work this time. I've tried turning off all
>>> firewalls on both machines, rebooting both machines,
>>> upgrading all packages on both machines (both are running
>>> Fedora 19), reinstalling FreeIPA packages, and several other
>>> things, but I keep getting stuck at the same step (see
>>> output below).
>>>
>>> =================================================================
>>> [root at ipa2 ipaserver]# ipa-replica-install --setup-dns
>>> --no-forwarders /var/lib/ipa/replica-info-ipa2.example.com.gpg
>>> WARNING: conflicting time&date synchronization service
>>> 'chronyd' will
>>> be disabled in favor of ntpd
>>>
>>> Run connection check to master
>>> Check connection from replica to remote master
>>> 'ipa.example.com':
>>> Directory Service: Unsecure port (389): OK
>>> Directory Service: Secure port (636): OK
>>> Kerberos KDC: TCP (88): OK
>>> Kerberos Kpasswd: TCP (464): OK
>>> HTTP Server: Unsecure port (80): OK
>>> HTTP Server: Secure port (443): OK
>>>
>>> The following list of ports use UDP protocol and would need
>>> to be
>>> checked manually:
>>> Kerberos KDC: UDP (88): SKIPPED
>>> Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>> Connection from replica to master is OK.
>>> Start listening on required ports for remote master check
>>> Get credentials to log in to remote master
>>> Check SSH connection to remote master
>>> Execute check on remote master
>>> Check connection from master to remote replica
>>> 'ipa2.example.com':
>>> Directory Service: Unsecure port (389): OK
>>> Directory Service: Secure port (636): OK
>>> Kerberos KDC: TCP (88): OK
>>> Kerberos KDC: UDP (88): OK
>>> Kerberos Kpasswd: TCP (464): OK
>>> Kerberos Kpasswd: UDP (464): OK
>>> HTTP Server: Unsecure port (80): OK
>>> HTTP Server: Secure port (443): OK
>>>
>>> Connection from master to replica is OK.
>>>
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv): Estimated time 1 minute
>>> [1/34]: creating directory server user
>>> [2/34]: creating directory server instance
>>> [3/34]: adding default schema
>>> [4/34]: enabling memberof plugin
>>> [5/34]: enabling winsync plugin
>>> [6/34]: configuring replication version plugin
>>> [7/34]: enabling IPA enrollment plugin
>>> [8/34]: enabling ldapi
>>> [9/34]: configuring uniqueness plugin
>>> [10/34]: configuring uuid plugin
>>> [11/34]: configuring modrdn plugin
>>> [12/34]: configuring DNS plugin
>>> [13/34]: enabling entryUSN plugin
>>> [14/34]: configuring lockout plugin
>>> [15/34]: creating indices
>>> [16/34]: enabling referential integrity plugin
>>> [17/34]: configuring ssl for ds instance
>>> [18/34]: configuring certmap.conf
>>> [19/34]: configure autobind for root
>>> [20/34]: configure new location for managed entries
>>> [21/34]: configure dirsrv ccache
>>> [22/34]: enable SASL mapping fallback
>>> [23/34]: restarting directory server
>>> [24/34]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 5 seconds elapsed
>>> [ipa.example.com] reports: Update
>>> failed! Status: [-1 Total update abortedLDAP error: Can't
>>> contact LDAP server]
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Failed to start replication
>>> =================================================================
>>>
>>> I've confirmed that I can do ldapsearch from each machine to
>>> the other one for the replica status records (through ldap
>>> and ldaps), so I know that they can communicate. Trouble is,
>>> something behind the scenes is throwing the status error (as
>>> seen in the nsds5ReplicaLastInitStatus attribute).
>>>
>>> =================================================================
>>> [root at ipa2 ipaserver]# ldapsearch
>>> ldaps://ipa.example.com:636 -D
>>> 'cn=Directory Manager' -w ##### -b
>>> 'cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
>>> tree,cn=config' '(objectClass=*)' -s base
>>> nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress
>>> nsds5ReplicaLastInitStatus cn nsds5BeginReplicaRefresh
>>> nsds5ReplicaLastInitEnd
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=meToipa2.example.com,cn=replica,cn=dc\=example\,dc\=com,cn=mapping
>>> tree,cn=config> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: ldaps://ipa.example.com:636 (objectClass=*)
>>> nsds5ReplicaLastInitStart nsds5replicaUpdateInProgress
>>> nsds5ReplicaLastInitStatus cn nsds5BeginReplicaRefresh
>>> nsds5ReplicaLastInitEnd
>>> #
>>>
>>> # meToipa2.example.com,
>>> replica, dc\3Dexample\2Cdc\3Dcom,
>>> mapping tree, config
>>> dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cd
>>> c\3Dcom,cn=mapping tree,cn=config
>>> nsds5ReplicaLastInitStart: 20140401092800Z
>>> nsds5replicaUpdateInProgress: FALSE
>>> nsds5ReplicaLastInitStatus: -1 Total update abortedLDAP
>>> error: Can't contact L
>>> DAP server
>>> cn: meToipa2.example.com
>>> nsds5ReplicaLastInitEnd: 20140401092804Z
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>> =================================================================
>>>
>>> I'd really love for someone to help out with this, as I
>>> can't afford another entire night trying to figure this out.
>>> Thanks in advance!
>>>
>>> -Nevada
>
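
A triage helper for an errors log like the one quoted in this thread, added here as an example (it is not from the thread or from the FreeIPA or 389-ds projects): it re-joins mail-wrapped lines, collapses repeated messages, and annotates the two numeric codes that appear. It assumes the trailing number in the ipa_lockout messages is an LDAP result code and the parenthesised negative number is a krb5 error code; all function names are hypothetical.

```python
import re

# Abridged from the errors log quoted in the thread; mail quoting and
# line wrapping are kept on purpose so the parser has to undo them.
SAMPLE = """\
>> [01/Apr/2014:03:43:03 -0400] ipalockout_get_global_config - [file
>> ipa_lockout.c, line 185]: Failed to get default realm (-1765328160)
>> [01/Apr/2014:03:43:08 -0400] NSMMReplicationPlugin -
>> agmt="cn=meToipa.example.com" (ipa:389): The remote replica has a
>> different database generation ID than the local database.
>> [01/Apr/2014:03:43:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:43:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> .
>> [01/Apr/2014:03:48:19 -0400] ipalockout_preop - [file
>> ipa_lockout.c, line 749]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:03:48:19 -0400] ipalockout_postop - [file
>> ipa_lockout.c, line 503]: Failed to retrieve entry
>> "cn=Replication Manager
>> cloneAgreement1-ipa2.example.com-pki-tomcat,ou=csusers,cn=config": 32
>> [01/Apr/2014:05:15:01 -0400] - slapd stopped.
"""

QUOTE = re.compile(r"^[>\s]+")  # leading mail-quote markers and indentation
STAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*(.*)$")
SPLIT = re.compile(r"^(\S*?)\s*- (.*)$")  # "component - message"

# Only codes that occur in the thread's log are listed.
LDAP_RESULT = {32: "LDAP noSuchObject: the entry named in the message does not exist"}
KRB5_ERROR = {-1765328160: "KRB5_CONFIG_NODEFREALM: krb5 configuration names no default realm"}


def finish(rec):
    """Split a joined record into (timestamp, component, message)."""
    ts, body = rec
    m = SPLIT.match(body)
    comp, msg = (m.group(1), m.group(2)) if m else ("", body)
    return ts, comp or "slapd", msg  # core server lines have no component


def records(text):
    """Yield one record per timestamped entry, re-joining wrapped lines."""
    current = None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        m = STAMP.match(line)
        if m:
            if current:
                yield finish(current)
            current = [m.group(1), m.group(2)]
        elif current and line and set(line) != {"."}:  # skip ". . ." elisions
            current[1] += " " + line
    if current:
        yield finish(current)


def annotate(msg):
    """Decode a trailing numeric code (assumed krb5 or LDAP, see lead-in)."""
    m = re.search(r"\((-\d{6,})\)\s*$", msg)
    if m:
        return KRB5_ERROR.get(int(m.group(1)), "unrecognised krb5 code " + m.group(1))
    m = re.search(r'":\s*(\d+)\s*$', msg)
    if m:
        return LDAP_RESULT.get(int(m.group(1)), "LDAP result code " + m.group(1))
    return ""


def summarize(text):
    """Group identical messages; most frequent first, first-seen order on ties."""
    groups = {}
    for ts, comp, msg in records(text):
        g = groups.setdefault((comp, msg), {
            "component": comp, "message": msg,
            "count": 0, "first": ts, "note": annotate(msg)})
        g["count"] += 1
        g["last"] = ts
    return sorted(groups.values(), key=lambda g: -g["count"])


if __name__ == "__main__":
    for g in summarize(SAMPLE):
        print(f'{g["count"]:>3}x {g["first"]} .. {g["last"]}  '
              f'{g["component"]}: {g["message"][:60]}')
        if g["note"]:
            print("      ->", g["note"])
```

Pointing `summarize()` at the full `/var/log/dirsrv/slapd-DOMAIN-TLD/errors` file reduces the five-minute ipalockout repeats to two rows, which makes the NSMMReplicationPlugin lines easier to spot.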