[Freeipa-users] Replication error

Anton Rubets a.rubets at levi9.com
Fri Apr 29 07:54:32 UTC 2016


Hi
Yep, now the "request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)" message is gone.
But I still have
attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed.
Maybe you can help me find out where I need to go? dirsrv, ldap, client, sssd, etc.
Best Regards
Anton Rubets


________________________________________
From: Petr Vobornik <pvoborni at redhat.com>
Sent: Thursday, April 28, 2016 1:49 PM
To: Anton Rubets; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Replication error

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
>
> I have issues with replication between two FreeIPA servers
>
> In the master's log
>
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
>
>
> On replica server
>
>
> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vector) of previously
removed replicas.

It happens when a replica is removed using:
  # ipa-replica-manage del $replica
  # ipa-server-install --uninstall (on replica)

without running:
  # ipa-csreplica-manage del $replica
first

The resolution is to clear the RUVs manually using the clean ruv DS task, because
ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
receive a new command which will handle both suffixes automatically - #5411.

The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or general procedure for future feature:
https://fedorahosted.org/freeipa/ticket/5411#comment:7


Important: Be very careful not to remove RUVs of existing replicas.


>
>
> And I can't find the source of this problem. I have checked permissions etc. As
> I see it, the replica is working, but this message disturbs my email every few minutes and
> I want to fix this somehow. Also, I just migrated from 3.0 to 4.2.
> Info:
> Master :
>   rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Best Regards
> Anton Rubets
--
Petr Vobornik
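
Added example, not part of the original thread: a small Python triage script that counts the attr_replace (nsslapd-referral, ...) failures per referral host and decoded suffix, so it is clear which suffix needs its RUVs reviewed (o%3Dipaca decodes to o=ipaca, the CA suffix that ipa-csreplica-manage covers). The sample log, the hostnames in it and the function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in the format of the error-log lines quoted in this thread
# (hostnames are placeholders, not taken from a real deployment).
SAMPLE_LOG = """\
[26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.example.test:389/o%3Dipaca) failed.
[26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
ldap://ldap2.example.test:389/o%3Dipaca) failed.
[26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
[26/Apr/2016:10:43:13 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.example.test:389/dc%3Dexample%2Cdc%3Dtest) failed.
"""

# \s+ after the comma also matches a newline, so entries that were wrapped
# (as in the mail above) are still recognised.
REFERRAL_RE = re.compile(
    r"attrlist_replace - attr_replace \(nsslapd-referral,\s+(ldaps?://\S+?)\) failed"
)


def summarize_referral_failures(log_text):
    """Count nsslapd-referral attr_replace failures per (host, suffix)."""
    counts = Counter()
    # Search the whole text rather than line by line because of wrapped entries.
    for url in REFERRAL_RE.findall(log_text):
        parts = urlsplit(url)
        # The suffix is the URL path, percent-encoded: o%3Dipaca -> o=ipaca
        suffix = unquote(parts.path.lstrip("/"))
        counts[(parts.hostname, suffix)] += 1
    return counts


if __name__ == "__main__":
    summary = summarize_referral_failures(SAMPLE_LOG)
    for (host, suffix), n in summary.most_common():
        print(f"{n:4d}  host={host}  suffix={suffix}")
```

Run it against the directory server error log on each server; the suffixes it reports are the ones whose RUVs to compare with the list of existing replicas before clearing anything.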



