[Freeipa-users] more replication issues

Janelle janellenicole80 at gmail.com
Fri May 15 12:45:14 UTC 2015


On 5/15/15 3:30 AM, Ludwig Krispenz wrote:
>
> On 05/13/2015 06:34 PM, Janelle wrote:
>> On 5/13/15 9:13 AM, Rich Megginson wrote:
>>> On 05/13/2015 10:04 AM, Janelle wrote:
>>>> On 5/13/15 8:49 AM, Rich Megginson wrote:
>>>>> On 05/13/2015 09:40 AM, Janelle wrote:
>>>>>> Recently I started seeing these crop up across my servers:
>>>>>>
>>>>>> slapi_ldap_bind - Error: could not bind id [cn=Replication 
>>>>>> Manager 
>>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] 
>>>>>> authentication mechanism [SIMPLE]: error 32 (No such object) 
>>>>>> errno 0 (Success)
>>>>>
>>>>> Does that entry exist?
>>>>>
>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>>> base -b "cn=Replication Manager 
>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"
>>>>>
>>>>> Does the parent exist?
>>>>>
>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>>> base -b "ou=csusers,cn=config"
>>>>
>>>> I am finding that there does seem to be a relation to the above 
>>>> error and a possible CSN issue:
>>>>
>>>> Can't locate CSN 555131e5000200190000 in the changelog (DB 
>>>> rc=-30988). If replication stops, the consumer may need to be 
>>>> reinitialized.
>>>>
>>>> I guess what concerns me is what could be causing this. We don't do 
>>>> a lot of changes all the time.
>>>>
>>>> And in answer to the question above - we seem to have lost the 
>>>> agreement somehow:
>>>>
>>>> No such object (32)
>>>>
>>>
>>> Is there a DEL operation in the access log for "cn=Replication 
>>> Manager 
>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"?
>>>
>>> maybe something like
>>>
>>> # grep DEL /var/log/dirsrv/slapd-INST/access|grep -i "Replication 
>>> Manager"
>>>
>> nope -- none of the servers have it.
> your original message is very clear:
>
> could not bind id [cn=Replication Manager 
> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] 
> authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 
> (Success)
>
> this means that you have a replication agreement with SIMPLE auth which 
> uses a
> nsDS5ReplicaBindDN: cn=Replication Manager 
> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config
>
> which does not exist on the target server of the agreement. Now you 
> say it was never deleted, so it was probably never added, but used in 
> the replication agreements. How do you manage and set up replication 
> agreements?
>
All replicas are configured simply:

ipa-replica-prepare hostname...
scp ..
ipa-replica-install --no-ntp --setup-ca Replica-file

That is it. NTP is not set because internal NTP servers are used. All 
replicas are CA replicas for safety (no certs are managed)

After a few days to a week the message starts popping up in logs.

~J
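
Added example, not part of the original thread: a small triage script for the two error-log messages quoted above. It pulls out the bind DN that the consumer reports as missing (error 32) and decodes the unlocatable CSN into its originating time and replica ID. The function names `triage` and `decode_csn` are hypothetical, the sample log is constructed from the messages in the thread, and the CSN layout (8 hex digits timestamp, 4 sequence, 4 replica ID, 4 subsequence) is the standard 389 Directory Server format, assumed here.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two messages quoted in the thread, unwrapped to
# one line each (real error-log lines also carry a timestamp prefix).
SAMPLE_LOG = """\
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
Can't locate CSN 555131e5000200190000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
"""

BIND_RE = re.compile(
    r"could not bind id \[(?P<dn>[^\]]+)\] authentication mechanism "
    r"\[(?P<mech>[^\]]+)\]: error (?P<code>-?\d+) \((?P<text>[^)]*)\)")
CSN_RE = re.compile(r"Can't locate CSN (?P<csn>[0-9a-fA-F]{20})\b")


def decode_csn(csn):
    """Split a 20-hex-digit CSN into time, sequence, replica ID, subsequence."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a 20-hex-digit CSN: %r" % csn)
    # Assumed layout: 8 hex timestamp, 4 seqnum, 4 replica ID, 4 subseqnum.
    ts, seq, rid, sub = (int(csn[a:b], 16)
                         for a, b in ((0, 8), (8, 12), (12, 16), (16, 20)))
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"time": when.isoformat(), "seq": seq, "replica_id": rid, "subseq": sub}


def triage(log_text):
    """Return ({missing bind DN: count}, [decoded unlocatable CSNs])."""
    missing, csns = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m and m["code"] == "32":      # LDAP "No such object"
            dn = m["dn"].lower()         # cn/ou values match case-insensitively
            missing[dn] = missing.get(dn, 0) + 1
        m = CSN_RE.search(line)
        if m:
            csns.append(decode_csn(m["csn"]))
    return missing, csns


if __name__ == "__main__":
    dns, csns = triage(SAMPLE_LOG)
    for dn, n in dns.items():
        print(f"{n}x bind DN absent on consumer: {dn}")
    for c in csns:
        print("unlocatable CSN:", c)
```

Each DN it reports is the value to pass as `-b` in the base-scope `ldapsearch` quoted earlier in the thread, run against the consumer named in the agreement.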



