[Freeipa-users] What am I missing? ipaca?
thierry bordaz
tbordaz at redhat.com
Tue Mar 24 09:01:31 UTC 2015
On 03/24/2015 09:49 AM, Łukasz Jaworski wrote:
> Wiadomość napisana przez Martin Kosek <mkosek at redhat.com> w dniu 23 mar 2015, o godz. 12:04:
>> On 03/23/2015 04:07 AM, Janelle wrote:
>>> attrlist_replace - attr_replace (nsslapd-referral,
>>> ldap://ipa1.example.com:389/o%3Dipaca) failed.
>> Hm, I do not met this error yet. This looks like error from 389-ds-base, it has
>> functions like attrlist_replace.
>>
>> If this is the case, can you please share a bigger section of the errors log,
>> ideally for the whole day (if not too big)? There might be some other related
>> error messages. CCing Ludwig and Thierry for reference.
>>
>> Also, what environment are we talking about, is this still
>> FreeIPA 4.1.3 at CentOS-7? Maybe the server also has a replication agreement also
>> with CentOS-6? We need to know this also.
> We have the same problem (yesterday we've migrated users to IPA4, 8 server wit --setup-ca), on every server we have many:
>
> [24/Mar/2015:09:40:04 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:08 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:14 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx51.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:16 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx26.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
> [24/Mar/2015:09:40:17 +0100] attrlist_replace - attr_replace (nsslapd-referral, ldap://xxxxx28.xxxxx:389/o%3Dipaca) failed.
>
> Distributor ID: Fedora
> Description: Fedora release 21 (Twenty One)
>
> 389-ds and freeipa:
> 389-ds-base-1.3.3.8-1.fc21.x86_64
> 389-ds-base-libs-1.3.3.8-1.fc21.x86_64
> freeipa-server-4.1.3-2.fc21.x86_64
>
>
> Best regards,
> Ender
>
>
Hello,
It seems that this error is logged each time a replication session
is started. At the beginning of the session, the replica that
receive the replication request, tries to update the referral list
of the replicated suffix (replica) according to the metadata sent by
the master.
At this step, it fails with these logs.
I would like to check the validity (duplicate ?) of if the referrals
contained in the master metadata. Would it be possible you do the
following command on all your instances:
ldapsearch -h.. -pxxx -D "cn=directory manager" -w xxx -b "o=ipaca""(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi
thanks
thierry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150324/74fdb556/attachment.htm>
More information about the Freeipa-users
mailing list