[Freeipa-users] more replication issues

Rich Megginson rmeggins at redhat.com
Wed May 13 17:32:52 UTC 2015


On 05/13/2015 10:34 AM, Janelle wrote:
> On 5/13/15 9:13 AM, Rich Megginson wrote:
>> On 05/13/2015 10:04 AM, Janelle wrote:
>>> On 5/13/15 8:49 AM, Rich Megginson wrote:
>>>> On 05/13/2015 09:40 AM, Janelle wrote:
>>>>> Recently I started seeing these crop up across my servers:
>>>>>
>>>>> slapi_ldap_bind - Error: could not bind id [cn=Replication Manager 
>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] authentication 
>>>>> mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
>>>>
>>>> Does that entry exist?
>>>>
>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>> base -b "cn=Replication Manager 
>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"
>>>>
>>>> Does the parent exist?
>>>>
>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>> base -b "ou=csusers,cn=config"
>>>
>>> I am finding that there does seem to be a relation to the above 
>>> error and a possible CSN issue:
>>>
>>> Can't locate CSN 555131e5000200190000 in the changelog (DB 
>>> rc=-30988). If replication stops, the consumer may need to be 
>>> reinitialized.
>>>
>>> I guess what concerns me is what could be causing this. We don't do 
>>> a lot of changes all the time.
>>>
>>> And in answer to the question above - we seem to have lost the 
>>> agreement somehow:
>>>
>>> No such object (32)
>>>
>>
>> Is there a DEL operation in the access log for "cn=Replication 
>> Manager 
>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"?
>>
>> maybe something like
>>
>> # grep DEL /var/log/dirsrv/slapd-INST/access|grep -i "Replication 
>> Manager"
>>
> nope -- none of the servers have it.
>

Either there is some internal op that is deleting it, or there is a bug 
that is causing it to be removed.

To see what internal operation could be doing this, you could enable 
internal access logging:

ldapmodify -x -h consumer.host -D "cn=directory manager" -w "password" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 4
EOF

Then you will have to wait until the problem reoccurs.

Is or was the server ipa01.example.com the target of a host delete, 
replica delete, or cleanallruv operation?
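
The access-log check discussed in this thread can be scripted once internal access logging is on. The following is an added example, not part of the original message or of the 389-ds/FreeIPA code: it finds DEL operations on a DN and reports whether each came from a client connection (and which bind DN) or from an internal operation. The sample log lines are constructed, and the "conn=Internal op=-1" form for internal operations is an assumption about the log layout.

```python
import re

# Constructed sample in the usual 389-ds access log layout (an assumption);
# the "conn=Internal op=-1" form for internal operations is also assumed.
SAMPLE_LOG = '''\
[13/May/2015:09:01:10 -0700] conn=41 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.20
[13/May/2015:09:01:10 -0700] conn=41 op=0 BIND dn="cn=directory manager" method=128 version=3
[13/May/2015:09:01:10 -0700] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/May/2015:09:01:11 -0700] conn=41 op=1 DEL dn="uid=tmpuser,cn=users,cn=accounts,dc=example,dc=com"
[13/May/2015:09:01:11 -0700] conn=41 op=1 RESULT err=0 tag=107 nentries=0 etime=0
[13/May/2015:09:02:00 -0700] conn=Internal op=-1 DEL dn="cn=Replication Manager masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"
[13/May/2015:09:02:00 -0700] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\S+) op=(?P<op>-?\d+) '
                  r'(?P<verb>[A-Z]+)(?P<rest>.*)$')
DN = re.compile(r'dn="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')

def find_deletes(lines, needle):
    """Return DEL operations whose target DN contains needle (case-insensitive)."""
    binds = {}    # conn -> DN named in that connection's BIND request
    pending = {}  # (conn, op) -> DEL record still waiting for its RESULT line
    found = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # connection open/close lines carry no op= field
        conn, op, verb = m['conn'], m['op'], m['verb']
        dn = DN.search(m['rest'])
        if verb == 'BIND' and dn:
            binds[conn] = dn.group(1)
        elif verb == 'DEL' and dn and needle.lower() in dn.group(1).lower():
            internal = conn.startswith('Internal')
            rec = {'time': m['ts'], 'conn': conn, 'op': op, 'dn': dn.group(1),
                   'actor': 'internal operation' if internal
                            else binds.get(conn, 'unknown (no BIND seen)'),
                   'err': None}
            pending[(conn, op)] = rec
            found.append(rec)
        elif verb == 'RESULT' and (conn, op) in pending:
            err = ERR.search(m['rest'])
            pending.pop((conn, op))['err'] = int(err.group(1)) if err else None
    return found

if __name__ == '__main__':
    for hit in find_deletes(SAMPLE_LOG.splitlines(), 'Replication Manager'):
        print(hit)
```

A record with err=0 and actor "internal operation" would point at a plugin or server-side task rather than an LDAP client.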



