[Freeipa-users] What am I missing? ipaca?

thierry bordaz tbordaz at redhat.com
Tue Mar 24 09:01:31 UTC 2015 

On 03/24/2015 09:49 AM, Łukasz Jaworski wrote:
> Wiadomość napisana przez Martin Kosek <mkosek at redhat.com> w dniu 23 mar 2015, o godz. 12:04:
>> On 03/23/2015 04:07 AM, Janelle wrote:
>>> attrlist_replace - attr_replace (nsslapd-referral,
>>> ldap://ipa1.example.com:389/o%3Dipaca) failed.
>> Hm, I do not met this error yet. This looks like error from 389-ds-base, it has
>> functions like attrlist_replace.
>>
>> If this is the case, can you please share a bigger section of the errors log,
>> ideally for the whole day (if not too big)? There might be some other related
>> error messages. CCing Ludwig and Thierry for reference.
>>
>> Also, what environment are we talking about, is this still
>> FreeIPA 4.1.3 at CentOS-7? Maybe the server also has a replication agreement also
>> with CentOS-6? We need to know this also.
> We have the same problem (yesterday we've migrated users to IPA4, 8 server wit --setup-ca), on every server we have many:
>
> [24/Mar/2015:09:40:04 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
>
> Distributor ID:	Fedora
> Description:	Fedora release 21 (Twenty One)
>
> 389-ds and freeipa:
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> freeipa-server-4.1.3-2.fc21.x86_64
>
>
> Best regards,
> Ender
>
>
Hello,

    It seems that this error is logged each time a replication session
    is started. At the beginning of the session, the replica that
    receive the replication request, tries to update the referral list
    of the replicated suffix (replica) according to the metadata sent by
    the master.
    At this step, it fails with these logs.
    I would like to check the validity (duplicate ?) of if the referrals
    contained in the master metadata. Would it be possible you do the
    following command on all your instances:

    ldapsearch -h.. -pxxx -D "cn=directory manager" -w xxx -b "o=ipaca""(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi

    thanks
    thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150324/74fdb556/attachment.htm>

More information about the Freeipa-users mailing list