Re: [Freeipa-users] Replication error

2016-05-02 Thread Petr Vobornik
On 04/29/2016 09:54 AM, Anton Rubets wrote:
> Hi
> Yeap, now "request: error -1 (Can't contact LDAP server) errno 2 (No such file
> or directory)" is gone.
> But still I have
> attrlist_replace - attr_replace (nsslapd-referral,
> ldap://ldap2.domain389/o%3Dipaca) failed.
> Maybe you can help to find out where I need to go? dirsrv, ldap, client, sssd
> etc.
> Best Regards
> Anton Rubets

There is probably still some dangling RUV left in dirsrv o=ipaca suffix.
I'll repeat the procedure for future linking.

1. Get list of replicas with CA:
 # ipa-csreplica-manage list

2. For *each* replica (here ipa1.example.test) get the list of RUVs and its
replica ID:
 # ldapsearch -ZZ -h ipa1.example.test -D "cn=Directory Manager" -W \
   -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=---))" \
   | grep "nsds50ruv\|nsDS5ReplicaId"


replica id looks like:
  nsDS5ReplicaId: 6

ruv looks like:
  nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e7

Note that it is wrapped and grepped; the unwrapped RUV is e.g.:
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2840006
57278b7e0006


You can see that RUV contains a replica ID (8 in the example).
"nsds50ruv: {replicageneration} 56f3e2830006" can be ignored.

3. Find all RUVs which don't have an existing replica ID. Hint: if the
replica wasn't reinstalled, then the hostname will also differ, which is a
nice indicator of a dangling RUV.

4. Run the cleanallruv task for each dangling RUV identified in step 3; here the
RUV is 13.

# ldapmodify -ZZ -D "cn=directory manager" -W -a
dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 13
cn: clean 13


So if you have e.g. 3 replicas with CA with IDs 8, 12, 10 (note that
versions prior to FreeIPA 4.3 have a higher number for the CA suffix) and
nsds50ruv shows only these IDs, then you don't need to clean anything.

Full example:

# ipa-csreplica-manage list
Directory Manager password:

ipa1.example.test: master
ipa2.example.test: master
ipa3.example.test: master

# ldapsearch -ZZ -h ipa1.example.test ...
nsDS5ReplicaId: 6
nsds50ruv: {replicageneration} 56f3e2830006
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7

# ldapsearch -ZZ -h ipa2.example.test ...
nsDS5ReplicaId: 5
nsds50ruv: {replicageneration} 56f3e2830006
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7
nsds50ruv: {replica 3 ldap://ipa4.example.test:389} 56f3e1
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2

# ldapsearch -ZZ -h ipa3.example.test ...
nsDS5ReplicaId: 8
nsds50ruv: {replicageneration} 56f3e2830006
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d2
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2

Here the correct replica IDs are 8,5,5.

Dangling are 3,9. So the cleanallruv task would be run for 3 and 9.


> 
> From: Petr Vobornik <pvobo...@redhat.com>
> Sent: Thursday, April 28, 2016 1:49 PM
> To: Anton Rubets; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Replication error
> 
> On 04/26/2016 02:02 PM, Anton Rubets wrote:
>> Hi all
>>
>> I have issues with replication between two FreeIPA servers
>>
>> In master's log
>>
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap2.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap2.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap2.domain389/o%3Dipaca) failed.
>> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
>> request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
>> directory)
>>
>>
>> On replica server
>>
>>
>> [26/Apr/2016:08:38:12 +] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap1domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
>> (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
> 

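The comparison in steps 2 to 4, as an added example that is not part of the thread: it parses the grepped ldapsearch output of each CA replica (constructed here to match the full example above, including one LDIF-wrapped RUV value), takes the live replica IDs from nsDS5ReplicaId, reports every RUV replica ID that no live replica owns, and builds the cleanallruv LDIF only for those. The function names and the per-host dictionary are assumptions of this example, not anything from FreeIPA.

```python
import re
# Constructed sample mirroring the thread's full example: grepped ldapsearch output
# from each CA replica. LDIF wraps long values; continuation lines start with a space.
SAMPLE_OUTPUTS = {
    "ipa1.example.test":
        "nsDS5ReplicaId: 6\n"
        "nsds50ruv: {replicageneration} 56f3e2830006\n"
        "nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2840006\n"
        " 57278b7e0006\n"
        "nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2\n"
        "nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7\n",
    "ipa2.example.test":
        "nsDS5ReplicaId: 5\n"
        "nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2\n"
        "nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7\n"
        "nsds50ruv: {replica 3 ldap://ipa4.example.test:389} 56f3e1\n"
        "nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2\n",
    "ipa3.example.test":
        "nsDS5ReplicaId: 8\n"
        "nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7\n"
        "nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2\n"
        "nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d2\n"  # stale ID, same host name
        "nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2\n",
}
RUV_RE = re.compile(r"^nsds50ruv: \{replica (\d+) (ldap://[^}]+)\}", re.M)

def parse_replica(text):
    """Return (this server's nsDS5ReplicaId, {replica ID: host} for every RUV element)."""
    text = re.sub(r"\n ", "", text)                      # undo LDIF line wrapping
    m = re.search(r"^nsDS5ReplicaId: (\d+)$", text, re.M)
    own = int(m.group(1)) if m else None
    # {replicageneration} lines never match RUV_RE and are ignored, as in the thread
    ruvs = {int(rid): host for rid, host in RUV_RE.findall(text)}
    return own, ruvs

def find_dangling(outputs):
    """Live IDs = nsDS5ReplicaId of every listed CA replica; any other RUV ID is dangling."""
    live, seen = set(), {}
    for text in outputs.values():
        own, ruvs = parse_replica(text)
        live.add(own)
        seen.update(ruvs)
    return live, {rid: host for rid, host in seen.items() if rid not in live}

def cleanallruv_ldif(rid, suffix="o=ipaca"):
    """LDIF for one cleanallruv task entry, i.e. the ldapmodify -a input of step 4."""
    return (f"dn: cn=clean {rid},cn=cleanallruv,cn=tasks,cn=config\n"
            f"objectclass: extensibleObject\nreplica-base-dn: {suffix}\n"
            f"replica-id: {rid}\ncn: clean {rid}\n")
```

Replica 9 in the sample carries the same hostname as live replica 5, so the hostname hint from step 3 would not flag it; only the comparison against the live ID set does.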
Re: [Freeipa-users] Replication error

2016-04-29 Thread Anton Rubets
Hi
Yeap, now "request: error -1 (Can't contact LDAP server) errno 2 (No such file
or directory)" is gone.
But still I have
attrlist_replace - attr_replace (nsslapd-referral,
ldap://ldap2.domain389/o%3Dipaca) failed.
Maybe you can help to find out where I need to go? dirsrv, ldap, client, sssd
etc.
Best Regards
Anton Rubets



From: Petr Vobornik <pvobo...@redhat.com>
Sent: Thursday, April 28, 2016 1:49 PM
To: Anton Rubets; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication error

On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
>
> I have issues with replication between two FreeIPA servers
>
> In master's log
>
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
> directory)
>
>
> On replica server
>
>
> [26/Apr/2016:08:38:12 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral,
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vectors) of previously
removed replicas.

It happens when a replica is removed using:
  # ipa-replica-manage del $replica
  # ipa-server-install --uninstall (on replica)

without running:
  # ipa-csreplica-manage del $replica
first.

The resolution is to clear the RUVs manually using the clean RUV DS task because
ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
receive a new command which will handle both suffixes automatically - #5411.

The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or general procedure for future feature:
https://fedorahosted.org/freeipa/ticket/5411#comment:7


Important: Be very careful not to remove RUVs of existing replicas.


>
>
> And I can't find the source of this problem. I have checked permissions etc.
> As I see it, the replica is working, but this message disturbs my email every
> few minutes and I want to somehow fix this. Also I just migrated from 3.0 to 4.2.
> Info:
> Master :
>   rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
>
> Best Regards
> Anton Rubets
--
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Replication error

2016-04-28 Thread Petr Vobornik
On 04/26/2016 02:02 PM, Anton Rubets wrote:
> Hi all
> 
> I have issues with replication between two FreeIPA servers
> 
> In master's log
> 
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap2.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap2.domain389/o%3Dipaca) failed.
> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS 
> request: error -1 (Can't contact LDAP server) errno 2 (No such file or 
> directory)
> 
> 
> On replica server
> 
> 
> [26/Apr/2016:08:38:12 +] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap1domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.
> [26/Apr/2016:08:43:13 +] attrlist_replace - attr_replace 
> (nsslapd-referral, 
> ldap://ldap1.domain:389/o%3Dipaca) failed.

This is a symptom of dangling RUVs (replica update vectors) of previously
removed replicas.

It happens when a replica is removed using:
  # ipa-replica-manage del $replica
  # ipa-server-install --uninstall (on replica)

without running:
  # ipa-csreplica-manage del $replica
first.

The resolution is to clear the RUVs manually using the clean RUV DS task because
ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
receive a new command which will handle both suffixes automatically - #5411.

The instructions can be found on the list:
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
* https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html

and
* http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
* or general procedure for future feature:
https://fedorahosted.org/freeipa/ticket/5411#comment:7


Important: Be very careful not to remove RUVs of existing replicas.


> 
> 
> And I can't find the source of this problem. I have checked permissions etc.
> As I see it, the replica is working, but this message disturbs my email every
> few minutes and I want to somehow fix this. Also I just migrated from 3.0 to 4.2.
> Info:
> Master :
>   rpm -qa | grep ipa
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
> 
> Replica:
> rpm -qa | grep ipa
> sssd-ipa-1.13.0-40.el7_2.2.x86_64
> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
> libipa_hbac-1.13.0-40.el7_2.2.x86_64
> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> 
> 
> Best Regards
> Anton Rubets
-- 
Petr Vobornik
