[Freeipa-users] more replication issues

Ludwig Krispenz lkrispen at redhat.com
Fri May 15 13:57:45 UTC 2015


On 05/15/2015 02:45 PM, Janelle wrote:
> On 5/15/15 3:30 AM, Ludwig Krispenz wrote:
>>
>> On 05/13/2015 06:34 PM, Janelle wrote:
>>> On 5/13/15 9:13 AM, Rich Megginson wrote:
>>>> On 05/13/2015 10:04 AM, Janelle wrote:
>>>>> On 5/13/15 8:49 AM, Rich Megginson wrote:
>>>>>> On 05/13/2015 09:40 AM, Janelle wrote:
>>>>>>> Recently I started seeing these crop up across my servers:
>>>>>>>
>>>>>>> slapi_ldap_bind - Error: could not bind id [cn=Replication 
>>>>>>> Manager 
>>>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] 
>>>>>>> authentication mechanism [SIMPLE]: error 32 (No such object) 
>>>>>>> errno 0 (Success)
>>>>>>
>>>>>> Does that entry exist?
>>>>>>
>>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>>>> base -b "cn=Replication Manager 
>>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"
>>>>>>
>>>>>> Does the parent exist?
>>>>>>
>>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s 
>>>>>> base -b "ou=csusers,cn=config"
>>>>>
>>>>> I am finding that there does seem to be a relation between the above 
>>>>> error and a possible CSN issue:
>>>>>
>>>>> Can't locate CSN 555131e5000200190000 in the changelog (DB 
>>>>> rc=-30988). If replication stops, the consumer may need to be 
>>>>> reinitialized.
>>>>>
>>>>> I guess what concerns me is what could be causing this. We don't 
>>>>> do a lot of changes all the time.
>>>>>
>>>>> And in answer to the question above - we seem to have lost the 
>>>>> agreement somehow:
>>>>>
>>>>> No such object (32)
>>>>>
>>>>
>>>> Is there a DEL operation in the access log for "cn=Replication 
>>>> Manager 
>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"?
>>>>
>>>> maybe something like
>>>>
>>>> # grep DEL /var/log/dirsrv/slapd-INST/access|grep -i "Replication 
>>>> Manager"
>>>>
>>> nope -- none of the servers have it.
>> your original message is very clear:
>>
>> could not bind id [cn=Replication Manager 
>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] 
>> authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 
>> (Success)
>>
>> this means that you have a replication agreement with SIMPLE auth which 
>> uses a
>> nsDS5ReplicaBindDN: cn=Replication Manager 
>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config
>>
>> which does not exist on the target server of the agreement. Now you 
>> say it was never deleted, so it was probably never added, but used in 
>> the replication agreements. How do you manage and setup replication 
>> agreements ?
>>
> All replicas are configured simply:
>
> ipa-replica-prepare hostname...
> scp ..
> ipa-replica-install --no-ntp --setup-ca Replica-file
>
> That is it. NTP is not set because internal NTP servers are used. All 
> replicas are CA replicas for safety (no certs are managed).
Ok, I was a bit puzzled because ipa uses ldapprincipals and gssapi for 
the main suffix replication.
But I just verified that after ipa-replica-install --setup-ca, CA 
replication is set up with users in ou=csusers,cn=config and uses them as 
the replica binddn. I have no idea why it would disappear.

When Rich asked you to search for a DEL, did you check this on the server 
that logged the message or on the endpoint of the replication agreement 
(it should be there)? You may also have to check the rotated access 
logs, access.<timestamp>.
>
> After a few days to a week the message starts popping up in logs.
>
> ~J
>
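As an added example (not part of this thread or of 389-ds/FreeIPA), a small Python helper that pulls the bind DN out of the "could not bind id" line and the CSN out of the "Can't locate CSN" line quoted above, decodes the CSN into its time, sequence number and replica id fields (the 389-ds layout of 8 hex chars of epoch seconds, 4 seqnum, 4 replica id, 4 subseq), and emits the two base-scope ldapsearch existence checks Rich suggested. The log text and the host name consumer.host are constructed from the messages in the thread.

```python
import re
from datetime import datetime, timezone

# Sample error-log text, constructed from the two messages quoted in this thread.
SAMPLE_ERRORS_LOG = """\
slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
Can't locate CSN 555131e5000200190000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
"""

BIND_RE = re.compile(r"could not bind id \[(?P<dn>[^\]]+)\].*?error (?P<code>\d+) \((?P<msg>[^)]+)\)")
CSN_RE = re.compile(r"Can't locate CSN (?P<csn>[0-9a-fA-F]{20})")

def parse_bind_error(line):
    """Return bind DN, LDAP result code and message from a slapi_ldap_bind error line."""
    m = BIND_RE.search(line)
    if not m:
        return None
    return {"bind_dn": m["dn"], "code": int(m["code"]), "msg": m["msg"]}

def decode_csn(csn):
    """Split a 20-hex-char 389-ds CSN: 8 chars epoch time, 4 seqnum, 4 replica id, 4 subseq."""
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def parent_dn(dn):
    """Parent of a DN; a plain split suffices here because these DNs contain no escaped commas."""
    return dn.split(",", 1)[1]

def ldapsearch_checks(dn, host):
    """The two base-scope existence checks suggested in the thread: the entry, then its parent."""
    tmpl = 'ldapsearch -xLLL -h {h} -D "cn=directory manager" -W -s base -b "{b}"'
    return [tmpl.format(h=host, b=dn), tmpl.format(h=host, b=parent_dn(dn))]

def triage(log_text):
    """Collect missing (error 32) bind DNs and decoded unlocatable CSNs from error-log text."""
    missing, csns = [], []
    for line in log_text.splitlines():
        b = parse_bind_error(line)
        if b and b["code"] == 32:
            missing.append(b["bind_dn"])
        m = CSN_RE.search(line)
        if m:
            csns.append(decode_csn(m["csn"]))
    return missing, csns
```

Running triage() over SAMPLE_ERRORS_LOG returns the bind DN from the thread and the CSN decoded to 2015-05-11T22:49:09 UTC, seqnum 2, replica id 25, which tells you which replica wrote the change the consumer cannot find and when.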