On Wednesday 12 December 2007 4:02 pm, Rich Megginson wrote:
> Chris G. Sellers wrote:
> > Sorry for jumping in here (just joined the list) but it sounds like
> > your replication user is being blocked by an ACI that you have
> > applied.  These could be explicit or inherited from a parent OU in the
> > tree.
>
> And you should definitely be able to see something in the access log for
> host=infinity.xxx.ec.gc.ca.  Keep in mind that the access log is
> buffered so events will not show up for a few minutes if there is no
> other activity.
>

I've turned off buffering for the time being.

Here is the access log

[12/Dec/2007:16:22:29 +0000] conn=7 op=17 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[12/Dec/2007:16:22:29 +0000] conn=7 op=17 RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2007:16:22:29 +0000] conn=7 op=18 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[12/Dec/2007:16:22:29 +0000] conn=7 op=18 RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2007:16:22:36 +0000] conn=7 op=20 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[12/Dec/2007:16:22:36 +0000] conn=7 op=20 RESULT err=0 tag=101 nentries=1 etime=0


And the console log

ResourceSet:getString():Unable to resolve general-Apply-ttip
ResourceSet:getString():Unable to resolve general-Reset-ttip
ResourceSet:getString():Unable to resolve general-Help-ttip
ReplicationAgreement.updateAgreementFromServer: unable to read the replica number of changes from {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
ReplicationAgreement.updateAgreementFromServer: unable to read the replica refresh attribute {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
ReplicationAgreement.updateAgreementFromServer: unable to read the consumer initialization status attribute (nsds5replicalastinitstatus) {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
BlankPanel.refresh:refreshed panel data. Class com.netscape.admin.dirserv.panel.replication.AgreementInfoPanel
DSEntrySet.getAttributes(): read entry from DS:LDAPEntry: cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn="dc=xxx,dc=ec,dc=gc,dc=ca",cn=mapping tree,cn=config; LDAPAttributeSet:
DSEntrySet.getAttributes(): attributes for this entry:[Ljava.lang.String;@18235ed
DSEntrySet.getAttributes(): failed to get attribute description in cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn="dc=xxx,dc=ec,dc=gc,dc=ca",cn=mapping tree,cn=config
DSEntrySet.show(): some of the attributes of cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn="dc=xxx,dc=ec,dc=gc,dc=ca",cn=mapping tree,cn=config could not be read.  Either they are not present in the entry or there is an ACI which prevents that attribute from being read. Try authenticating as a user with more access
DSUtil.reauthenticate: begin: ldc={host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
ReplicationAgreement.updateAgreementFromServer: unable to read the replica number of changes from {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
ReplicationAgreement.updateAgreementFromServer: unable to read the replica refresh attribute {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
ReplicationAgreement.updateAgreementFromServer: unable to read the consumer initialization status attribute (nsds5replicalastinitstatus) {host=xxxldap1.xxx.ec.gc.ca} {port=389} {authdn=cn=Directory Manager}
DSTabbedPanel.select: com.netscape.admin.dirserv.panel.replication.AgreementPanel[,0,0,827x493,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=java.awt.Dimension[width=1,height=1],preferredSize=]



> > Make sure your Replication User is not part of a ACI or make it part
> > of a new ACI that allows objectclass=* full permissions.

There was no configuration done on the test servers.  I installed the packages, brought up the console and made sure everything was working, then ran my script.  And the replication does in fact work across all machines.  The console client is the only thing throwing errors.

Here are the subs I use to create replication objects and rep agreements.


use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS);

# %config, conn_bind(), disconnect(), save_config() and load_config() are
# defined elsewhere in the script and are not included in this post.
# %config is declared here so the subs compile under strict; load_config()
# populates it.
our %config;

sub add_rep_agreement
{
        my ($source, $source_port, $target, $target_port, $with_ssl, $bind_pw) = @_;
        my ($ldap, $msg);

        $ldap = conn_bind($source, $source_port, $bind_pw);

        print "adding to Replication Agreement $source -> $target\n";
        $msg = $ldap->add(
                "cn=Replication to $target,cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
                attr => [
                        objectclass                  => [qw(top nsDS5ReplicationAgreement)],
                        cn                           => "Replication to $target",
                        nsDS5ReplicaHost             => $target,
                        nsDS5ReplicaRoot             => "$config{BASE_DN}",
                        nsDS5ReplicaPort             => $target_port,
                        #nsDS5ReplicaTransportInfo    => "SSL",
                        nsDS5ReplicaBindDN           => $config{REP_DN},
                        nsDS5ReplicaBindMethod       => "simple",
                        nsDS5ReplicaCredentials      => $config{REPMAN_PW},
                        nsDS5ReplicaUpdateSchedule   => "0000-2359 0123456",
                        nsDS5ReplicaTimeOut          => 120,
                ]
        );

        if ($msg->code == LDAP_ALREADY_EXISTS) {
                print "\t -> already exists\n\n";
                # disconnect here and return if exists
                disconnect($ldap);
                return;
        } else {
                $msg->code && die "failed to add replication agreement entry: " . $msg->error;
        }

        if ($with_ssl == 1) {
                # TODO ldapmodify and add nsDS5ReplicaTransportInfo => "SSL"
                print "Should be adding SSL here!\n";
        }

        disconnect($ldap);
}

sub add_rep_object
{
        # TODO specify multiple referral entries ?
        #
        # nsDS5ReplicaType
        # 0 - reserved for internal use
        # 1 - Dedicated Supplier
        # 2 - Dedicated Consumer        <---- consumer only
        # 3 - Supplier/Consumer         <---- MMR server

        # passed variable $rep_type is not the same as the above!!

        my ($server, $server_port, $referral, $referral_port, $bind_pw, $rep_type) = @_;
        my ($ldap, $msg);

        # server is the server the object is getting created on
        # referral is the server to send referrals to if setting up a consumer read only
        $ldap = conn_bind($server, $server_port, $bind_pw);

        ##############################
        # add replica object
        ##############################

        # type 1 is MMR
        # type 2 is consumer read only
        print "adding to Replica object to $server -> cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config\n";

        if ($rep_type == 2) {
                # add consumer type rep
                $msg = $ldap->add(
                        "cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
                        attr => [
                                objectclass                  => [qw(top nsDS5Replica)],
                                cn                           => "replica",
                                nsDS5ReplicaId               => 65535,
                                nsDS5ReplicaReferral         => "ldap://$referral:$referral_port/$config{BASE_DN}",
                                nsDS5ReplicaRoot             => $config{BASE_DN},
                                nsDS5Flags                   => 0,
                                nsDS5ReplicaBindDN           => $config{REP_DN},
                                nsds5ReplicaPurgeDelay       => 604800,
                                nsds5ReplicaLegacyConsumer   => "off",
                                nsDS5ReplicaType             => 2,
                        ]
                );
        } elsif ($rep_type == 1) {
                # add MMR type rep
                $msg = $ldap->add(
                        "cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
                        attr => [
                                objectclass                  => [qw(top nsDS5Replica)],
                                cn                           => "replica",
                                nsDS5ReplicaId               => $config{REP_ID},
                                nsDS5ReplicaRoot             => $config{BASE_DN},
                                nsDS5Flags                   => 1,
                                nsDS5ReplicaBindDN           => $config{REP_DN},
                                nsds5ReplicaPurgeDelay       => 604800,
                                nsds5ReplicaLegacyConsumer   => "off",
                                nsDS5ReplicaType             => 3,
                        ]
                );
        } else {
                # neither type matched, so $msg would be undefined below
                disconnect($ldap);
                die "unknown rep_type '$rep_type': expected 1 (MMR) or 2 (read-only consumer)\n";
        }

        if ($msg->code == LDAP_ALREADY_EXISTS) {
                print "\t -> already exists\n\n";
                # disconnect and return here before incrementing the rep_id if
                # the object already exists
                disconnect($ldap);
                return;
        } else {
                $msg->code && die "failed to add replica entry: " . $msg->error;
        }

        # if MMR reptype, and we created an object, we need to increment the
        # rep_id in the config file
        if ($rep_type == 1) {
                $config{REP_ID} = $config{REP_ID} + 1;
                save_config();
                load_config();
        }

        disconnect($ldap);
}


--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
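A way to read the access log excerpt in the post more systematically, added here as an example; it is not part of the original message and not code from Fedora Directory Server or its console. The script pairs each SRCH with its RESULT by conn and op, decodes the `\22` escapes the server uses for quotes inside the base DN, and states what the log can and cannot prove. For the three searches in the post the server answers err=0 with nentries=1, so the agreement entry itself is readable by the console's bind; what the access log cannot distinguish is whether `description` was absent from the entry or removed from the result by an attribute-level ACI, which are exactly the two causes the console message lists (and add_rep_agreement above does not set a `description` attribute). The sample log is constructed: the post's lines with mail wrapping removed, plus one invented conn=9 pair showing what a search refused outright with err=50 (insufficientAccessRights) looks like for contrast. The classification strings for err=32 and nentries=0 are my reading of the standard LDAP result codes, not something the post states.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three SRCH/RESULT pairs from the post (unwrapped)
# plus one invented pair (conn=9 op=3) for a search denied with err=50.
SAMPLE_LOG = r"""
[12/Dec/2007:16:22:29 +0000] conn=7 op=17 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[12/Dec/2007:16:22:29 +0000] conn=7 op=17 RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2007:16:22:29 +0000] conn=7 op=18 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[12/Dec/2007:16:22:29 +0000] conn=7 op=18 RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2007:16:22:36 +0000] conn=7 op=20 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[12/Dec/2007:16:22:36 +0000] conn=7 op=20 RESULT err=0 tag=101 nentries=1 etime=0
[12/Dec/2007:16:25:01 +0000] conn=9 op=3 SRCH base="cn=Replication to infinity.xxx.ec.gc.ca,cn=replica,cn=\22dc=xxx,dc=ec,dc=gc,dc=ca\22,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="description"
[12/Dec/2007:16:25:01 +0000] conn=9 op=3 RESULT err=50 tag=101 nentries=0 etime=0
"""

HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+) ?(?P<rest>.*)$')
SRCH = re.compile(r'base="(?P<base>.*?)" scope=(?P<scope>\d) filter="(?P<filter>.*?)" attrs=(?P<attrs>ALL|"[^"]*")')
RESULT = re.compile(r'err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+) etime=(?P<etime>\S+)')


@dataclass
class Search:
    conn: int
    op: int
    base: str
    scope: int
    filter: str
    attrs: tuple
    err: int = None        # filled in when the matching RESULT line is seen
    nentries: int = None


def parse_access_log(text):
    """Pair every SRCH with its RESULT by (conn, op); returns searches in log order."""
    searches, order = {}, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                      # connection open/close lines etc.
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'SRCH':
            s = SRCH.search(m['rest'])
            if not s:
                continue
            raw_attrs = s['attrs']
            attrs = ('ALL',) if raw_attrs == 'ALL' else tuple(raw_attrs.strip('"').split())
            base = s['base'].replace(r'\22', '"')   # server logs embedded quotes as \22
            searches[key] = Search(key[0], key[1], base, int(s['scope']), s['filter'], attrs)
            order.append(key)
        elif m['kind'] == 'RESULT' and key in searches:
            r = RESULT.search(m['rest'])
            if r:
                searches[key].err = int(r['err'])
                searches[key].nentries = int(r['n'])
    return [searches[k] for k in order]


def classify(s):
    """What a base-scope read in the access log does and does not prove."""
    if s.err is None:
        return "no RESULT logged yet (access log buffering?)"
    if s.err == 50:
        return "denied: server refused the search (insufficientAccessRights)"
    if s.err == 32:
        return "no such entry (or hidden by an ACI that reports noSuchObject)"
    if s.err != 0:
        return f"failed with err={s.err}"
    if s.nentries == 0:
        return "entry not returned: hidden by an ACI or absent"
    return ("entry returned; an attribute missing from the result is either "
            "absent from the entry or filtered by an attribute-level ACI "
            "(the access log cannot tell these apart)")


def agreement_searches(text, cn_prefix="cn=Replication to "):
    """Only the searches aimed at replication agreement entries."""
    return [s for s in parse_access_log(text) if s.base.startswith(cn_prefix)]


if __name__ == "__main__":
    for s in agreement_searches(SAMPLE_LOG):
        print(f"conn={s.conn} op={s.op} attrs={s.attrs}: {classify(s)}")
```

Run as-is it prints one verdict per agreement search; to use it on a real server, replace SAMPLE_LOG with the contents of the access log and, as Rich points out, remember that buffered entries may lag by minutes, which the "no RESULT logged yet" branch is there to flag.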
