[Freeipa-users] migrate-ds aborts

Martin Kosek mkosek at redhat.com
Fri Jan 16 07:43:55 UTC 2015


On 01/15/2015 06:31 PM, Quayle, Bill wrote:
> I am migrating an openLDAP tree into ipa, and when I run ipa migrate-ds, the
> migration aborts after roughly 36 seconds with:
>
> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389':
>
> It has transferred 9762 records, but seems to hit a timeout that causes it to stop.
>
> I’ve run it in debug mode, which only provides this:
>
> ipa: DEBUG: Starting external process
>
> ipa: DEBUG: args=keyctl pupdate 774698354
>
> ipa: DEBUG: Process finished, return code=0
>
> ipa: DEBUG: stdout=
>
> ipa: DEBUG: stderr=
>
> ipa: DEBUG: Caught fault 907 from server
> https://foo.example.com/ipa/session/xml: cannot connect to 'ldap://10.x.x.x:389':
>
> ipa: DEBUG: Destroyed connection context.xmlclient
>
> ipa: ERROR: cannot connect to 'ldap://10.x.x.x:389':
>
> Initially, it had transferred 2000 records and stopped, until I set
> nsslapd-sizelimit in cn=config:
>
> nsslapd-sizelimit: 20000
>
> I then re-ran the migration a dozen times, each time it would transfer more
> records, but would always time out at around the 36 second mark.  Now that I’m
> at 9762 records, it seems to have reached a peak.
>
> I suspect this is another tunable, but haven’t been able to find it, any
> document that mentions it, or anyone else hitting this issue.
>
> RHEL 7.0 server
>
> idM ipa-server-3.3.3-28
>
> source is RHEL 6.5 running openldap-2.4.23-34
>
> command used to migrate:
>
> ipa migrate-ds --continue --bind-dn="uid=me,ou=people,ou=foo,dc=example,dc=com"
> --base-dn="ou=foo,dc=example,dc=com" ldap://10.x.x.x:389
>
> *Cheers,*
>
> *-Bill*

Ludwig, do you know? I am just thinking it may also be caused by some form of
timelimit, as mentioned in

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

(those apply both to bind DNs and to the global cn=config). Maybe nsslapd-timelimit
could be increased? Although I saw the default is 3600, which I assume means 1
hour, i.e. not the root cause.

Martin



