Bryan Pearson wrote:
> Am I mistaken in your example:
> "You can find the master it is trying to talk to here:
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
> Mine:
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan

You're not sharing enough information. A list of DNA hosts tells us
nothing when we don't know which host you're having a problem on, if a
host is down or has been replaced, etc.

I'd poke around the DNA plugin configuration in cn=config on each master
to see what the actual DNA configuration is. You have one with the
default max 1000, next 1001 expired configuration pointing at a host
that is either down or has no ranges.

Or easier, if you are running IPA 3.3+ then ipa-replica-manage has some
DNA commands which make this easier to figure out and fix.

You don't want to set overlapping ranges.


> Bryan
> On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden <> wrote:
>> Bryan Pearson wrote:
>>> I believe that my master dna server isn't currently being used, so I did
>>> this.
>>> ldapsearch -x -D 'cn=Directory Manager' -W -b
>>> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
>>> Enter LDAP Password:
>> That's not the right location to search for the DNA configuration. See
>> rob
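
An added example, not part of the original message or of FreeIPA itself: a Python check for the overlapping-range problem warned about above, run over text in the `host: start-end` / `host: No range set` shape printed by `ipa-replica-manage dnarange-show`. The output shape is an assumption, and the host names and ID ranges are constructed.

```python
import re

# Constructed sample shaped like `ipa-replica-manage dnarange-show` output
# (assumed format; hosts and numbers are made up for illustration).
SAMPLE = """\
ipa1.example.lan: 1689600000-1689649999
ipa2.example.lan: 1689640000-1689699999
ipa3.example.lan: No range set
ipa4.example.lan: 1689700000-1689799999
"""

LINE = re.compile(r"^(?P<host>\S+):\s+(?:(?P<lo>\d+)-(?P<hi>\d+)|No range set)$")

def parse_ranges(text):
    """Return ({host: (lo, hi)}, [hosts that hold no range])."""
    ranges, empty = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        if m["lo"] is None:
            empty.append(m["host"])  # this master cannot allocate new IDs
            continue
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"inverted range on {m['host']}: {lo}-{hi}")
        ranges[m["host"]] = (lo, hi)
    return ranges, empty

def find_overlaps(ranges):
    """Report every pair of masters whose ranges share at least one ID."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    overlaps = []
    for i, (host_a, (_, hi_a)) in enumerate(ordered):
        for host_b, (lo_b, hi_b) in ordered[i + 1:]:
            if lo_b > hi_a:
                break  # sorted by start, so no later range can touch host_a
            overlaps.append((host_a, host_b, lo_b, min(hi_a, hi_b)))
    return overlaps

if __name__ == "__main__":
    ranges, empty = parse_ranges(SAMPLE)
    for host in empty:
        print(f"{host}: no range set")
    for a, b, lo, hi in find_overlaps(ranges):
        print(f"OVERLAP {a} / {b}: IDs {lo}-{hi} could be issued twice")
```

Any pair it reports means two masters can hand out the same uid/gid, so a proposed range should pass this check against all existing ranges before it is set.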
