Hi Arpit, On 7/26/19 9:18 AM, Arpit Tolani wrote: > I added Replication timeout in /usr/share/dirsrv/data/template-dse.ldif > on replica before ipa-replica-install which took care of time consumed > for large data getting replicated. > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/setting-replication-timeout-periods > You > need to setup timeout as per this link.
Thanks for the hint, but I really don't think a timeout is the issue here. After I did what François suggested, the replication went through (as before) and it then waited for 60 (instead of 5) minutes for pki-tomcatd to start, which repeatedly fails to authenticate with the following error: netscape.ldap.LDAPException: Authentication failed (48) There's is nothing else going on, so increasing more timeouts will just increase the time until it fails. To see if this is related to some leftover config flying around for the replica host, I set up a second replica host, which now fails much earlier during setup with the following error: NSMMReplicationPlugin - acquire_replica - agmt="cn=master.fqdn" (master:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. I tried this multiple times, always resulting in the same error. Kind regards, Till > > On Thu, Jul 25, 2019 at 1:37 AM Till Hofmann via FreeIPA-users > <freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > > > On 7/24/19 6:03 PM, François Cami wrote: > > On Wed, Jul 24, 2019 at 5:52 PM François Cami <fc...@redhat.com > <mailto:fc...@redhat.com>> wrote: > >> > >> On Wed, Jul 24, 2019 at 5:48 PM Till Hofmann > <thofm...@fedoraproject.org <mailto:thofm...@fedoraproject.org>> wrote: > >>> > >>> > >>> > >>> On 7/24/19 4:03 PM, Till Hofmann wrote: > >>>> Hi François, > >>>> > >>>> Thanks for the reply! > >>>> > >>>> On 7/24/19 2:32 PM, François Cami wrote: > >>>> > >>>>>> > >>>>>> Interestingly, during the setup of the replica, the setup is > stuck for quite some time (~30 minutes) in the step " [1/28]: > configuring certificate server instance". In the ns-slapd log, I can > see a lot of the following: > >>>>>> INFO - import_monitor_threads - import ipaca: Processed 40105 > entries -- average rate 123.8/sec, recent rate 114.0/sec, hit ratio 100% > >>>>>> I'm surprised by the number of entries. I had set up the same > host as a replica in a previous try, but needed to remove it due to > another error. May those be left-overs from the previous replica > instance? I didn't see this happening on the first attempt. Before > redoing the setup, I removed the host from the replica set with > `ipa-replica-manage del --force`, from the csreplica with > `ipa-csreplica-manage del --force`, and also deleted the host entry > itself with `ipa host-del`. I also uninstalled the freeipa server on > the replica host. > >>>>> > >>>>> Could you count the actual number of requests records in the > o=ipaca > >>>>> suffix and examine them? > >>>> > >>>> > >>>> I'm not exactly sure what you mean (I don't have much > experience with > >>>> LDAP). Searching for "(objectclass=ipaca*)" gives me 2 results > (but I > >>>> guess that's not what you meant). On the replica, ns-slapd > processed > >>>> 267358 entries before finishing. > >>> > >>> OK, I was looking in the wrong place. The number of request > records in > >>> LDAP is 268721. I'm not sure what exactly I should be looking > for, but I > >>> don't see anything unusual. > >> > >> I could be wrong but at 114 entries processed per second, 268721 > would > >> need 37 mins to complete and the timeout is at 5 mins (the 300 > seconds > >> above). > >> > >> Let me investigate a bit more and I'll get back to you. > > > > So it looks like you are hitting an issue Rob is already working on: > > https://github.com/freeipa/freeipa/pull/3374 > > but the fix is WIP. > > > > In the meantime, can you edit ipalib/constants.py in your system? > > Around line 175 there should be: > > ('replication_wait_timeout', 300), > > > > It should be safe to replace 300 with 3600 at replica install time. > > > > If install succeeds then wait at least 1h then shut down services: > > # ipactl stop > > revert the above change, and restart IPA: > > # ipactl start > > > > Please let us know if this helped. > > > > Thanks for the suggestion. Unfortunately, that didn't help. The timeout > timer only starts after the last step (28/28), but the syncing already > happens before that, so the timeout doesn't affect that. I see the same > errors as before, just for a longer time. > > I could get one step further by modifying the tomcat config so it > wouldn't use the certificate, similar to what they did here: > https://www.redhat.com/archives/freeipa-users/2017-January/msg00216.html > > However, that's just a workaround. Also, I immediately get another > error: > testLDAPConnection: The specified user cn=Replication Manager > masterAgreement1-replica.fqdn-pki-tomcat,cn=config does not exist > CMSEngine: init(): password test execution failed for replicationdbwith > NO_SUCH_USER. This may not be a latest instance. Ignoring .. > > > Kind regards, > Till > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to > freeipa-users-le...@lists.fedorahosted.org > <mailto:freeipa-users-le...@lists.fedorahosted.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > > > > -- > Thanks & Regards > Arpit Tolani > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
