[Freeipa-users] Replication scheme problem

Andrey Rogovsky a.rogovsky at gmail.com
Thu Sep 1 10:13:10 UTC 2016


Hi!
I have 2 servers - ldap1 is FreeIPA (master) and ldap2 is 389 DS (slave).
One-way replication ldap1 -> ldap2 is enabled, but the schema is not replicated:

The log file on ldap1 has this line:
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ldap2, port 389. Continuing with total update
session.

Here is the current status:
filter: (objectclass=nsds5replicationagreement)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=nsds5replicationagreement)
# requesting: ALL
#

# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,
 cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsDS5ReplicaUpdateSchedule: 0000-0500 1
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
authorityRevocationLis
 t
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQURJbjhNUWpLM1VqU1
 M1SGZEUTY0TA==}mwxKHUYWXjNeyo1AGRWe9A==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since
server s
 tartup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160901070452Z
nsds5replicaLastInitEnd: 20160901070455Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


After executing schema-reload.pl on ldap2 I have these lines in the log:
Failed to add task entry "cn=schema_reload_2016_9_1_10_6_17, cn=schema
reload task, cn=tasks, cn=config" error (49)
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
"gidnumber || krbprincipalname || uidnumber")(version 3.0;acl
"permission:System: Read system trust accounts";allow (compare,read,search)
groupdn = "ldap:///cn=System: Read system trust
accounts,cn=permissions,cn=pbac,dc=example,dc=com";)) ACL will not be
considered for evaluation because of syntax errors.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
targetattr "ipaanchoruuid" does not exist in schema. Please add
attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "cn
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr = "cn
|| createtimestamp || description || entryusn || gidnumber || ipaanchoruuid
|| modifytimestamp || objectclass")(targetfilter =
"(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read
Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";))
ACL will not be considered for evaluation because of syntax errors.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
targetattr "ipaanchoruuid" does not exist in schema. Please add
attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "createtimestamp
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
"createtimestamp || description || entryusn || gecos || gidnumber ||
homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey ||
loginshell || modifytimestamp || objectclass || uid ||
uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl
"permission:System: Read User ID Overrides";allow (compare,read,search)
userdn = "ldap:///all";)) ACL will not be considered for evaluation because
of syntax errors.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
targetattr "a6record" does not exist in schema. Please add attributeTypes
"a6record" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "a6record
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
"a6record || aaaarecord || afsdbrecord || aplrecord || arecord ||
certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord
|| dnsclass || dnsttl || dsrecord || hinforecord || hiprecord ||
idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname ||
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname ||
idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord
|| nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord ||
rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord ||
sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target =
"ldap:///idnsname=*,cn=dns,dc=example,dc=com")(version 3.0;acl "Update DNS
entries in a zone";allow (write) userattr =
"parent[0,1].managedby#GROUPDN";)) ACL will not be considered for
evaluation because of syntax errors.

Looks like ipaanchoruuid is missing. Here is the LDAP schema update:
filter: (objectclass=*)
requesting: 00core.ldif 01core389.ldif 02common.ldif 05rfc2927.ldif
05rfc4523.ldif 05rfc4524.ldif 06inetorgperson.ldif 10automember-plugin.ldif
10dna-plugin.ldif 10mep-plugin.ldif 10rfc2307.ldif 20subscriber.ldif
25java-object.ldif 28pilot.ldif 30ns-common.ldif 50ns-admin.ldif
50ns-certificate.ldif 50ns-directory.ldif 50ns-mail.ldif 50ns-value.ldif
50ns-web.ldif 60acctpolicy.ldif 60autofs.ldif 60eduperson.ldif
60mozilla.ldif 60nss-ldap.ldif 60pam-plugin.ldif
60posix-winsync-plugin.ldif 60pureftpd.ldif 60rfc2739.ldif 60rfc3712.ldif
60sabayon.ldif 60sudo.ldif 60trust.ldif 99user.ldif

None of the schema files on ldap2 have an entry for ipaanchoruuid. But on
ldap1 they do:
root at ldap1 schema]# grep -i ipaanchoruuid *
71idviews.ldif:attributeTypes: (2.16.840.1.113730.3.8.11.62 NAME
'ipaAnchorUUID' DESC 'Unique Anchor Identifier' EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE X-ORIGIN 'IPA v4')
71idviews.ldif:objectClasses: (2.16.840.1.113730.3.8.12.30 NAME
'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY (
description ) X-ORIGIN 'IPA v4' )
71idviews.ldif:objectClasses: (2.16.840.1.113730.3.8.12.35 NAME
'ipaOverrideTarget' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN 'IPA
v4' )
[root at ldap1 schema]#

How do I resolve this issue? Just copy the schema files from ldap1 to ldap2?
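As an added example (not from the original post, and not FreeIPA or 389 DS project code): a small Python script that pulls the attribute names out of the NSACLPlugin "does not exist in schema" messages, unfolds LDIF continuation lines the way the wrapped ldapsearch output above needs, and reports which schema file on the supplier defines each missing attribute. That tells you exactly which files the consumer lacks before you copy anything. The log lines and the 71idviews.ldif content embedded below are constructed from the fragments quoted in the post; the second schema file, its attribute name and its OID are placeholders. The defender-side point the log already makes is worth keeping in view: every "ACL will not be considered for evaluation" line means one ACI is silently skipped on ldap2, so its effective access control no longer matches ldap1's until the schema is fixed and schema-reload.pl is rerun.

```python
import re
from typing import Dict, List, Set

# Constructed sample: 389 DS error-log lines of the kind shown in the post,
# trimmed to the messages that name a missing attribute type.
SAMPLE_ERRORS = """\
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "cn
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "a6record" does not exist in schema. Please add attributeTypes "a6record" to schema if necessary.
"""

# Constructed sample schema files keyed by file name.  The first mirrors the
# 71idviews.ldif lines quoted in the post; the second is a placeholder file
# with a placeholder OID, present only to show a file that defines nothing useful.
SAMPLE_SCHEMA_FILES = {
    "71idviews.ldif": """\
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.11.62 NAME 'ipaAnchorUUID' DESC 'Unique
  Anchor Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4')
objectClasses: (2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description ) X-ORIGIN 'IPA v4' )
""",
    "placeholder-example.ldif": """\
dn: cn=schema
attributeTypes: ( placeholder.oid.1 NAME 'constructedExampleAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'constructed example' )
""",
}

# Matches the NSACLPlugin message that names an attribute type missing from schema.
MISSING_RE = re.compile(r'targetattr "([^"]+)" does not exist in schema')
# Matches NAME 'single' or NAME ( 'alias1' 'alias2' ) inside a schema definition.
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def missing_attrs_from_log(log_text: str) -> List[str]:
    """Return the attribute names the ACI parser reported as missing, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = MISSING_RE.search(line)
        if m:
            name = m.group(1).lower()  # schema names are case-insensitive
            if name not in seen:
                seen.append(name)
    return seen


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space) onto the line before them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_names(ldif_text: str) -> Set[str]:
    """Collect the (lower-cased) names declared by attributeTypes lines in a schema LDIF."""
    names: Set[str] = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("attributetypes:"):
            continue  # objectClasses and other lines do not declare attributes
        m = NAME_RE.search(line)
        if not m:
            continue
        if m.group(1) is not None:
            names.add(m.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']*)'", m.group(2)))
    return names


def locate_in_schema(missing: List[str], schema_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each missing attribute to the schema files (sorted) that define it; [] if none do."""
    defined = {fname: attribute_names(text) for fname, text in schema_files.items()}
    return {
        attr: sorted(f for f, names in defined.items() if attr in names)
        for attr in missing
    }


if __name__ == "__main__":
    missing = missing_attrs_from_log(SAMPLE_ERRORS)
    for attr, files in locate_in_schema(missing, SAMPLE_SCHEMA_FILES).items():
        where = ", ".join(files) if files else "NOT FOUND in the supplied schema files"
        print(f"{attr}: {where}")
```

Run against real data by reading the consumer's error log and the supplier's schema directory into the two inputs instead of the constructed samples. An attribute that resolves to no file at all (a6record in the sample) is the case to watch for: it means the supplier-side directory you scanned is incomplete too, so copying it over would leave that ACI dropped on the consumer.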