On Wed, 18 Feb 2015, Thomas Raehalme wrote:

On Mon, Feb 16, 2015 at 8:44 AM, Alexander Bokovoy <aboko...@redhat.com>

I suspect you've triggered https://fedorahosted.org/freeipa/ticket/4586
and https://fedorahosted.org/freeipa/ticket/4635 -- slapi-nis plugin
configuration does not limit itself to $SUFFIX and listens to changes in
cn=changelog too so it may deadlock with a replication traffic.

We fixed these partly by changing slapi-nis configuration, partly by
fixing bugs in 389-ds.

I wonder if amending your slapi-nis config to avoid triggering internal
searches on cn=changelog would be enough.

Is it possible to go around this issue by disabling replication? If so, is
ipa-replica-manage disconnect enough or should we use del instead?
I think you are solving wrong issue.

Changing slapi-nis configuration to ignore cn=changelog was the change
we did for FreeIPA 4.1. We ended up ignoring a bit more subtrees too:

You need to show backtraces of nsslapd when it doesn't respond on LDAP
queries to verify it is the same issue but I suspect it is very likely
the issue.
/ Alexander Bokovoy

Attachment: pgpDxHlnUTSpF.pgp
Description: PGP signature

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to