It does. Running the ldapsearch command gives me the expected output. Below is what I'm running.
$ ldapsearch -x -b cn=config '(objectclass=nsds5replicationagreement)' nsds5replicaLastUpdateStatus -LLL -o ldif-wrap=no dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica dn: cn=meToipa4.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded This also indicates that the aci is proper. Thanks. --Prashant On 18 January 2016 at 14:01, William Brown <[email protected]> wrote: > On Mon, 2016-01-18 at 12:53 +0530, Prashant Bapat wrote: > > Hi, > > > > There close to a dozen 389-DS as part of our FreeIPA infra. On one of > > these > > servers, I'm encountering a strange problem. > > > > We monitor the state of replication among the 389 servers using a > > python-ldap based script. This works on all servers except 1. > > > > What I'm doing is fairly basic. Something along lines of ; > > > > ldapsearch -x -b cn=config '(objectclass=nsds5replicationagreement)' > > nsds5replicaLastUpdateStatus -LLL -o ldif-wrap=no > > > > Corresponding python code is below; > > > > conn.search_s("cn=config" ,ldap.SCOPE_SUBTREE, > > '(objectclass=nsds5replicationagreement)', ["nsDS5ReplicaHost", > > "nsds5replicaLastUpdateStatus", "nsds5replicaLastUpdateStart", > > "nsds5replicaLastUpdateEnd"]) > > > > Now for the strange issue. > > > > The above commands return the status of replication on all servers > > except 1 > > which returns an empty response. This happens only for the python and > > the > > example perl script here > > <http://directory.fedoraproject.org/docs/389ds/howto/howto-replicatio > > nmonitoring.html>. > > The ldapsearch command works fine!!! > > > > Below is the log from a server where this runs fine. > > > > [18/Jan/2016:07:09:19 +0000] conn=420951 fd=564 slot=564 connection > > from > > ::1 to ::1 > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=0 BIND dn="" method=128 > > version=3 > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=0 RESULT err=0 tag=97 > > nentries=0 etime=0 dn="" > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=1 SRCH base="cn=config" > > scope=2 > > filter="(objectClass=nsds5replicationagreement)" > > attrs="nsDS5ReplicaHost > > nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart > > nsds5replicaLastUpdateEnd" > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=1 RESULT err=0 tag=101 > > nentries=3 etime=0 > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=2 UNBIND > > [18/Jan/2016:07:09:19 +0000] conn=420951 op=2 fd=564 closed - U1 > > > > Below is the log from the 1 server where this fails. > > > > [18/Jan/2016:07:05:20 +0000] conn=226 fd=80 slot=80 connection from > > ::1 to > > ::1 > > [18/Jan/2016:07:05:20 +0000] conn=226 op=0 BIND dn="" method=128 > > version=3 > > [18/Jan/2016:07:05:20 +0000] conn=226 op=0 RESULT err=0 tag=97 > > nentries=0 > > etime=0 dn="" > > [18/Jan/2016:07:05:20 +0000] conn=226 op=1 SRCH base="cn=config" > > scope=2 > > filter="(objectClass=nsds5replicationagreement)" > > attrs="nsDS5ReplicaHost > > nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart > > nsds5replicaLastUpdateEnd" > > [18/Jan/2016:07:05:20 +0000] conn=226 op=1 RESULT err=0 tag=101 > > nentries=0 > > etime=0 > > [18/Jan/2016:07:05:20 +0000] conn=226 op=2 UNBIND > > [18/Jan/2016:07:05:20 +0000] conn=226 op=2 fd=80 closed - U1 > > > > I have an ACI which allows anonymous access to the replication info. > > > > Version is : 389-ds-base-1.3.3.13-1.fc21.x86_64 > > > > Any help would be appreciated. > > > > Thanks. > > --Prashant > > -- > > 389 users mailing list > > 389-users@%(host_name)s > > http://lists.fedoraproject.org/admin/lists/[email protected] > > ect.org > > > The obvious first check is, does the server actually have a valid > replication agreement? You can check this by looking at > /etc/dirsrv/slapd-INSTANCE_NAME/dse.ldif. > > Second, check the aci on the server. > > Hope this helps. > > -- > Sincerely, > > William Brown > Software Engineer > Red Hat, Brisbane > > > -- > 389 users mailing list > 389-users@%(host_name)s > > http://lists.fedoraproject.org/admin/lists/[email protected] >
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/[email protected]
