If the problem occurs during the new installation of DS, you need to get a modification of the IPA install script, setting this parameter before setting up replication. Otherwise there is a hack to modify the configuration template: /usr/share/dirsrv/data/template-dse.ldif

and add the
nsslapd-maxsasliosize:  YOUR_NEW_VALUE

line to the cn=config entry


On 06/13/2017 03:49 PM, Adrian HY via FreeIPA-users wrote:
Hi Mark, my problem is during the replica installation. I can't use ldapmodify because *cn=directory manager* does not have the password assigned.

Regards.

On Mon, Jun 12, 2017 at 1:38 PM, Mark Reynolds <marey...@redhat.com> wrote:



    On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote:
    I think I detected the problem. The error log in the replica writes:

    [11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152).  Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
    [11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned

    According to this:
    (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/pdf/Configuration_and_Command-Line_Tool_Reference/Red_Hat_Directory_Server-8.2-Configuration_and_Command-Line_Tool_Reference-en-US.pdf)

    "When an incoming SASL IO packet is larger than the
    nsslapd-maxsasliosize limit, the server  immediately disconnects
    the client and logs a message to the error log, so that an
    administrator can adjust the setting if necessary"

    The problem now is how can I change the value of the attribute
    during replication.

    You just use ldapmodify to change the value on each replica:

    # ldapmodify -D "cn=directory manager" -W
    dn: cn=config
    changetype: modify
    replace: nsslapd-maxsasliosize
    nsslapd-maxsasliosize:  YOUR_NEW_VALUE


    Regards.

    On Sun, Jun 11, 2017 at 2:20 AM, Adrian HY <ayeja...@gmail.com> wrote:

        Hi folks, I had a problem with replication and I tried to add
        the slave back to the replica. The process stops in the
        initial replication phase.

        The firewall and selinux are down and both servers are
        synchronized with the time.

        Centos 7.3
        Freeipa 4.4.0-14

        *Master error log:*

        11/Jun/2017:01:11:45.690402715 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
        [11/Jun/2017:01:11:45.690877649 -0400] NSMMReplicationPlugin - Warning: unable to acquire replica for total update, error: 49, retrying in 1 seconds.
        [11/Jun/2017:01:11:46.966060891 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
        [11/Jun/2017:01:11:47.095800971 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)".
        [11/Jun/2017:01:12:06.873713837 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Failed to send extended operation: LDAP error -1 (Can't contact LDAP server)
        [11/Jun/2017:01:12:06.874590112 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Received error -1 (Can't contact LDAP server):  for total update operation
        [11/Jun/2017:01:12:06.874950648 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Warning: unable to send endReplication extended operation (Can't contact LDAP server)
        [11/Jun/2017:01:12:06.875217640 -0400] NSMMReplicationPlugin - Total update failed for replica "agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389)", error (-11)
        [11/Jun/2017:01:12:06.894882383 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): Replication bind with GSSAPI auth resumed
        [11/Jun/2017:01:12:06.905304992 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.
        [11/Jun/2017:01:12:09.912282245 -0400] NSMMReplicationPlugin - agmt="cn=meTousuarios-replica.ipa.server.com" (usuarios-replica:389): The remote replica has a different database generation ID than the local database.  You may have to reinitialize the remote replica, or the local replica.

        *Client ipareplica-install.log:*

        2017-06-11T05:24:24Z DEBUG stderr=
        2017-06-11T05:24:24Z DEBUG wait_for_open_ports: localhost [389] timeout 300
        2017-06-11T05:24:24Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
        2017-06-11T05:24:24Z DEBUG flushing ldap://usuarios.ipa.server.com:389 from SchemaCache
        2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldap://usuarios.ipa.server.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x86909e0>
        2017-06-11T05:24:24Z DEBUG Successfully updated nsDS5ReplicaId.
        2017-06-11T05:24:24Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket from SchemaCache
        2017-06-11T05:24:24Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA.SERVER.COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x9e74440>
        2017-06-11T05:24:46Z DEBUG Traceback (most recent call last):
          File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
            run_step(full_msg, method)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
            method()
          File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
            repl.setup_promote_replication(self.master_fqdn)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
            raise RuntimeError("Failed to start replication")
        RuntimeError: Failed to start replication

        2017-06-11T05:24:46Z DEBUG [error] RuntimeError: Failed to start replication
        2017-06-11T05:24:46Z DEBUG Destroyed connection context.ldap2_101192976
        2017-06-11T05:24:46Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
            return_value = self.run()
          File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
            cfgr.run()
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
            self.execute()
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
            for nothing in self._executor():
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
            self._handle_exception(exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
            six.reraise(*exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
            step()
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
            step = lambda: next(self.__gen)
          File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
            six.reraise(*exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
            value = gen.send(prev_value)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
            next(executor)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
            self._handle_exception(exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
            self.__parent._handle_exception(exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
            six.reraise(*exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
            super(ComponentBase, self)._handle_exception(exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
            six.reraise(*exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
            step()
          File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
            step = lambda: next(self.__gen)
          File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
            six.reraise(*exc_info)
          File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
            value = gen.send(prev_value)
          File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
            for nothing in self._installer(self.parent):
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1722, in main
            promote(self)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 372, in decorated
            func(installer)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1423, in promote
            promote=True, pkcs12_info=dirsrv_pkcs12_info)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 135, in install_replica_ds
            api=remote_api,
          File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 401, in create_replica
            self.start_creation(runtime=60)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, in start_creation
            run_step(full_msg, method)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, in run_step
            method()
          File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 416, in __setup_replica
            repl.setup_promote_replication(self.master_fqdn)
          File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1643, in setup_promote_replication
            raise RuntimeError("Failed to start replication")




    _______________________________________________
    FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org





--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander
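
The thread leaves YOUR_NEW_VALUE open. As an added example (not from the thread or from the Directory Server project), the shell functions below read a replica's error log, take the largest packet length the server rejected, and fill in the LDIF posted above with the next whole MiB above it, so the limit is raised only as far as the log shows is needed. The function names and the round-up-to-MiB policy are assumptions; the third sample log line is constructed.

```shell
#!/bin/sh
# Added example: derive nsslapd-maxsasliosize from what the server rejected.

# Sample error-log lines. Lines 1-2 are quoted from the thread; line 3 is
# constructed to show that the largest rejection wins.
SAMPLE_LOG='[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=2483849, limit=2097152).  Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.
[11/Jun/2017:13:36:06.361177815 -0400] ERROR bulk import abandoned
[11/Jun/2017:13:40:10.000000000 -0400] SASL encrypted packet length exceeds maximum allowed limit (length=3100000, limit=2097152).  Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.'

# Print the largest rejected SASL packet length seen on stdin (0 if none).
largest_rejected() {
    awk '/SASL encrypted packet length exceeds maximum allowed limit/ {
             if (match($0, /length=[0-9]+/)) {
                 n = substr($0, RSTART + 7, RLENGTH - 7) + 0
                 if (n > max) max = n
             }
         }
         END { print max + 0 }'
}

# Assumed sizing policy: the next whole MiB strictly above the observed length.
suggest_limit() {
    mib=1048576
    echo $(( ($1 / mib + 1) * mib ))
}

# Read an error log on stdin and print the LDIF from the thread with the value
# filled in. Prints nothing and returns 1 when no rejection was logged, so an
# unrelated replication failure does not lead to a limit change.
emit_ldif() {
    len=$(largest_rejected)
    [ "$len" -gt 0 ] || return 1
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-maxsasliosize\n'
    printf 'nsslapd-maxsasliosize: %s\n' "$(suggest_limit "$len")"
}

# Demo on the embedded sample.
printf '%s\n' "$SAMPLE_LOG" | emit_ldif
```

Feed the replica's real error log to emit_ldif on stdin and pass the output to the ldapmodify command shown in the thread.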
