[Freeipa-users] Replication scheme problem

Mark Reynolds mareynol at redhat.com
Fri Sep 2 13:41:38 UTC 2016



On 09/01/2016 06:13 AM, Andrey Rogovsky wrote:
> Hi!
> I have 2 servers: ldap1 is FreeIPA (master) and ldap2 is 389 DS (slave).
> One-way replication ldap1 -> ldap2 is enabled, but the schema is not
> replicated:
What version of 389-ds-base are you using?

rpm -qa | grep 389-ds-base
>
> The log file on ldap1 has this line:
> [01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Warning: unable to replicate schema to host ldap2, port 389. Continuing with total update session.
Is there anything in ldap2's errors/access log from this time
(01/Sep/2016:07:04:53)?
>
> Here is the current status:
> filter: (objectclass=nsds5replicationagreement)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: (objectclass=nsds5replicationagreement)
> # requesting: ALL
> #
>
> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsds5replicationagreement
> cn: ExampleAgreement
> nsDS5ReplicaHost: ldap2
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaRoot: dc=example,dc=com
> description: agreement between supplier1 and consumer1
> nsDS5ReplicaUpdateSchedule: 0000-0500 1
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE authorityRevocationList
> nsDS5ReplicaCredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQURJbjhNUWpLM1VqU1M1SGZEUTY0TA==}mwxKHUYWXjNeyo1AGRWe9A==
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 19700101000000Z
> nsds5replicaLastUpdateEnd: 19700101000000Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 No replication sessions started since server startup
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 20160901070452Z
> nsds5replicaLastInitEnd: 20160901070455Z
> nsds5replicaLastInitStatus: 0 Total update succeeded
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> After executing schema-reload.pl on ldap2 I have these lines in the log:
> Failed to add task entry "cn=schema_reload_2016_9_1_10_6_17, cn=schema reload task, cn=tasks, cn=config" error (49)
Error 49 = invalid credentials.  You entered the wrong password; this
prevented the schema reload task from taking place.  You can also
restart the directory server, which will do the same thing as the schema
reload task.  The schema reload task is just so you can reload new
schema files without having to restart the server.
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
> "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl
> "permission:System: Read system trust accounts";allow
> (compare,read,search) groupdn = "ldap:///cn=System: Read system trust
> accounts,cn=permissions,cn=pbac,dc=example,dc=com";)) ACL will not be
> considered for evaluation because of syntax errors.
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
> targetattr "ipaanchoruuid" does not exist in schema. Please add
> attributeTypes "ipaanchoruuid" to schema if necessary. 
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "cn
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
> "cn || createtimestamp || description || entryusn || gidnumber ||
> ipaanchoruuid || modifytimestamp || objectclass")(targetfilter =
> "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System:
> Read Group ID Overrides";allow (compare,read,search) userdn =
> "ldap:///all";)) ACL will not be considered for evaluation because of
> syntax errors.
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
> targetattr "ipaanchoruuid" does not exist in schema. Please add
> attributeTypes "ipaanchoruuid" to schema if necessary. 
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "createtimestamp
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
> "createtimestamp || description || entryusn || gecos || gidnumber ||
> homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey ||
> loginshell || modifytimestamp || objectclass || uid ||
> uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version
> 3.0;acl "permission:System: Read User ID Overrides";allow
> (compare,read,search) userdn = "ldap:///all";)) ACL will not be
> considered for evaluation because of syntax errors.
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr:
> targetattr "a6record" does not exist in schema. Please add
> attributeTypes "a6record" to schema if necessary. 
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "a6record
> [01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr =
> "a6record || aaaarecord || afsdbrecord || aplrecord || arecord ||
> certrecord || cn || cnamerecord || dhcidrecord || dlvrecord ||
> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord ||
> hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr
> || idnsallowtransfer || idnsforwarders || idnsforwardpolicy ||
> idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum ||
> idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname ||
> idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord
> || keyrecord || kxrecord || locrecord || mdrecord || minforecord ||
> mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord
> || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord ||
> spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord ||
> unknownrecord ")(target =
> "ldap:///idnsname=*,cn=dns,dc=example,dc=com")(version 3.0;acl "Update
> DNS entries in a zone";allow (write) userattr =
> "parent[0,1].managedby#GROUPDN";)) ACL will not be considered for
> evaluation because of syntax errors.
>
> Looks like ipaanchoruuid is missing. Here is the LDAP schema update:
> filter: (objectclass=*)
> requesting: 00core.ldif 01core389.ldif 02common.ldif 05rfc2927.ldif
> 05rfc4523.ldif 05rfc4524.ldif 06inetorgperson.ldif
> 10automember-plugin.ldif 10dna-plugin.ldif 10mep-plugin.ldif
> 10rfc2307.ldif 20subscriber.ldif 25java-object.ldif 28pilot.ldif
> 30ns-common.ldif 50ns-admin.ldif 50ns-certificate.ldif
> 50ns-directory.ldif 50ns-mail.ldif 50ns-value.ldif 50ns-web.ldif
> 60acctpolicy.ldif 60autofs.ldif 60eduperson.ldif 60mozilla.ldif
> 60nss-ldap.ldif 60pam-plugin.ldif 60posix-winsync-plugin.ldif
> 60pureftpd.ldif 60rfc2739.ldif 60rfc3712.ldif 60sabayon.ldif
> 60sudo.ldif 60trust.ldif 99user.ldif 
>
> None of the schema files on ldap2 have an entry for ipaanchoruuid, but
> the ones on ldap1 do:
> [root@ldap1 schema]# grep -i ipaanchoruuid *
> 71idviews.ldif:attributeTypes: (2.16.840.1.113730.3.8.11.62 NAME
> 'ipaAnchorUUID' DESC 'Unique Anchor Identifier' EQUALITY
> caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4')
> 71idviews.ldif:objectClasses: (2.16.840.1.113730.3.8.12.30 NAME
> 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY (
> description ) X-ORIGIN 'IPA v4' )
> 71idviews.ldif:objectClasses: (2.16.840.1.113730.3.8.12.35 NAME
> 'ipaOverrideTarget' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) X-ORIGIN
> 'IPA v4' )
> [root@ldap1 schema]#
>
> How do I resolve this issue? Just copy the schema files from ldap1 to ldap2?
That will work, but you need to restart the server for it to take effect.
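The procedure the thread converges on is: find which schema definitions the consumer lacks, copy the supplier's files that define them (here 71idviews.ldif for ipaAnchorUUID), then restart the consumer or run the schema reload task with valid credentials, and confirm the NSACLPlugin parse errors are gone. The script below is an added example, not code from the thread, FreeIPA or 389 DS: it indexes the schema LDIF files on both sides, reports what the consumer is missing and which supplier file defines it, and checks every attribute named in the consumer's NSACLPlugin error lines against the consumer's schema. All inputs are constructed inline (the schema snippets are trimmed stand-ins, except that the ipaAnchorUUID and ipaOverrideAnchor definitions reproduce the 71idviews.ldif excerpt quoted above; the log lines mirror the quoted format). Function names and the sample data are the example's own. Separately, note that the quoted agreement binds as cn=replication manager,cn=config with nsDS5ReplicaBindMethod SIMPLE to port 389 with no transport setting shown, and that nsDS5ReplicaCredentials ({AES-...}) is stored reversibly encrypted because the supplier must present it at bind time, so an agreement entry like this is sensitive and should be redacted before being posted.

```python
"""
Added example (not from the thread, FreeIPA or 389 DS): index the schema files
on a replication supplier and consumer, report what the consumer lacks and
which supplier files define it, and check the attributes named in the
consumer's NSACLPlugin errors against the consumer's schema.
Standard library only; every input below is constructed for the example.
"""
import re
from typing import Dict, List, Set

# Constructed stand-ins for the *.ldif files under each instance's schema
# directory. The ipaAnchorUUID / ipaOverrideAnchor definitions reproduce the
# 71idviews.ldif excerpt quoted in the thread; the core file is trimmed.
_CORE = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.13 NAME 'description' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'RFC 4519' )
attributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE X-ORIGIN 'RFC 2307' )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass X-ORIGIN 'RFC 4512' )
"""
_IDVIEWS = """\
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.11.62 NAME 'ipaAnchorUUID' DESC 'Unique Anchor Identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4')
objectClasses: (2.16.840.1.113730.3.8.12.30 NAME 'ipaOverrideAnchor' SUP top STRUCTURAL MUST ( ipaAnchorUUID ) MAY ( description ) X-ORIGIN 'IPA v4' )
"""
SUPPLIER_SCHEMA: Dict[str, str] = {"00core.ldif": _CORE, "71idviews.ldif": _IDVIEWS}
CONSUMER_SCHEMA: Dict[str, str] = {"00core.ldif": _CORE}

# Constructed consumer errors-log lines in the format quoted in the thread
# (one line per message in the real log; the mail client wrapped them).
CONSUMER_ERRORS_LOG = """\
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "cn
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - Error: This  ((targetattr = "cn || description || gidnumber || ipaanchoruuid")(targetfilter = "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";)) ACL will not be considered for evaluation because of syntax errors.
"""

# RFC 4512 keywords are upper-case, so NAME is matched case-sensitively; the
# names themselves are case-insensitive in the directory and are lower-cased.
_NAME_RE = re.compile(r"\bNAME\s+('[^']+'|\([^)]*\))")
_TARGETATTR_RE = re.compile(r'targetattr\s*=\s*"([^"]*)"', re.IGNORECASE)
_MISSING_RE = re.compile(r'targetattr "([^"]+)" does not exist in schema', re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_schema(files: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each lower-cased attributeType/objectClass NAME to the file defining it."""
    index: Dict[str, Dict[str, str]] = {"attributetypes": {}, "objectclasses": {}}
    for fname, text in files.items():
        for line in unfold_ldif(text):
            key, _, value = line.partition(":")
            kind = key.strip().lower()
            if kind not in index:
                continue
            m = _NAME_RE.search(value)
            if not m:
                continue
            # NAME may be a single 'name' or a list: ( 'cn' 'commonName' )
            for name in re.findall(r"'([^']+)'", m.group(1)):
                index[kind].setdefault(name.lower(), fname)
    return index


def schema_diff(supplier: Dict[str, str], consumer: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Definitions present on the supplier but absent on the consumer, by kind."""
    s, c = parse_schema(supplier), parse_schema(consumer)
    return {kind: {n: f for n, f in s[kind].items() if n not in c[kind]} for kind in s}


def files_to_copy(diff: Dict[str, Dict[str, str]]) -> Set[str]:
    """Supplier schema files that define at least one missing item."""
    return {f for items in diff.values() for f in items.values()}


def unresolved_aci_attrs(errors_log: str, consumer_index: Dict[str, Dict[str, str]]) -> Set[str]:
    """Attributes named in NSACLPlugin errors that the consumer's schema lacks."""
    known = set(consumer_index["attributetypes"])
    referenced: Set[str] = set()
    for line in errors_log.splitlines():  # per line: a truncated PARSE ERR has no closing quote
        for m in _MISSING_RE.finditer(line):
            referenced.add(m.group(1).lower())
        for m in _TARGETATTR_RE.finditer(line):
            referenced.update(a.strip().lower() for a in m.group(1).split("||") if a.strip())
    return referenced - known


if __name__ == "__main__":
    diff = schema_diff(SUPPLIER_SCHEMA, CONSUMER_SCHEMA)
    for kind, items in diff.items():
        for name, fname in sorted(items.items()):
            print(f"consumer lacks {kind[:-1]} {name} (defined in {fname})")
    print("copy from supplier, then restart dirsrv or run a schema reload task:",
          sorted(files_to_copy(diff)))
    print("ACI attributes the consumer cannot resolve:",
          sorted(unresolved_aci_attrs(CONSUMER_ERRORS_LOG, parse_schema(CONSUMER_SCHEMA))))
```

To use it against real instances, load the dictionaries from the schema directory of each instance instead of the constructed strings, point it at the consumer's errors log, copy the reported files, restart the consumer (or add a cn=schema reload task entry with credentials that actually bind, which is what the error 49 above prevented), and rerun it on the fresh log: an empty unresolved set confirms the ACIs now parse.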