[389-users] Weird issue with searching cn=config

[Prashant Bapat]

Hi,

There close to a dozen 389-DS as part of our FreeIPA infra. On one of these
servers, I'm encountering a strange problem.

We monitor the state of replication among the 389 servers using a
python-ldap based script. This works on all servers except 1.

What I'm doing is fairly basic. Something along lines of ;

ldapsearch -x -b cn=config '(objectclass=nsds5replicationagreement)'
nsds5replicaLastUpdateStatus -LLL -o ldif-wrap=no

Corresponding python code is below;

conn.search_s("cn=config" ,ldap.SCOPE_SUBTREE,
'(objectclass=nsds5replicationagreement)', ["nsDS5ReplicaHost",
"nsds5replicaLastUpdateStatus", "nsds5replicaLastUpdateStart",
"nsds5replicaLastUpdateEnd"])

Now for the strange issue.

The above commands return the status of replication on all servers except 1
which returns an empty response. This happens only for the python and the
example perl script here
<http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationmonitoring.html>.
The ldapsearch command works fine!!!

Below is the log from a server where this runs fine.

[18/Jan/2016:07:09:19 +0000] conn=420951 fd=564 slot=564 connection from
::1 to ::1
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 BIND dn="" method=128
version=3
[18/Jan/2016:07:09:19 +0000] conn=420951 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 SRCH base="cn=config" scope=2
filter="(objectClass=nsds5replicationagreement)" attrs="nsDS5ReplicaHost
nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart
nsds5replicaLastUpdateEnd"
[18/Jan/2016:07:09:19 +0000] conn=420951 op=1 RESULT err=0 tag=101
nentries=3 etime=0
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 UNBIND
[18/Jan/2016:07:09:19 +0000] conn=420951 op=2 fd=564 closed - U1

Below is the log from the 1 server where this fails.

[18/Jan/2016:07:05:20 +0000] conn=226 fd=80 slot=80 connection from ::1 to
::1
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 BIND dn="" method=128 version=3
[18/Jan/2016:07:05:20 +0000] conn=226 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn=""
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 SRCH base="cn=config" scope=2
filter="(objectClass=nsds5replicationagreement)" attrs="nsDS5ReplicaHost
nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart
nsds5replicaLastUpdateEnd"
[18/Jan/2016:07:05:20 +0000] conn=226 op=1 RESULT err=0 tag=101 nentries=0
etime=0
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 UNBIND
[18/Jan/2016:07:05:20 +0000] conn=226 op=2 fd=80 closed - U1

I have an ACI which allows anonymous access to the replication info.

Version is : 389-ds-base-1.3.3.13-1.fc21.x86_64

Any help would be appreciated.

Thanks.
--Prashant

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org