Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-19 Thread David Goudet


On 04/19/2017 12:31 PM, Martin Bašti wrote:



On 17.04.2017 19:42, David Goudet wrote:

Hi,

Does nobody have a response to my questions?

The main question is: is it possible to configure SSSD to update DNS 
(option dyndns_update) with only the "primary" IP address in the ip addr list, 
or the one which is used for FreeIPA server communication (-IP1-, used for the TCP 
binding)?


Thank you for your help.

Best regards,

On 03/27/2017 09:40 PM, Jakub Hrozek wrote:

On Mon, Mar 27, 2017 at 06:34:24PM +0200, David Goudet wrote:

Hi,

Thanks to the dyndns_update=True parameter, the SSSD service on the client machine 
updates the host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on the network 
interface.
I have a problem with machines which have more than one IP address on the 
network interface: if a machine has two IP addresses, SSSD updates the host DNS entry 
with both IP addresses.

To reproduce the problem:
The host has -IP1- and I add -IP2-:
ip addr add -IP2-/26 dev em1

ip addr list:
em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 
1000
  link/ether 
  inet -IP1-/26 brd  scope global em1
  inet -IP2-/26 scope global secondary em1
 valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After 
restarting sssd it returns -IP1- & -IP2-.

In the dyndns_update manpage we have "The IP address of the IPA LDAP connection 
is used for the updates"; what does it mean? Is it the IP address of the DNS server 
(used to update the DNS entry)? Or is it the IP address on the client machine used during the LDAP 
TCP bind (-IP1- in my case)?

dyndns_update (boolean)
 Optional. This option tells SSSD to automatically update 
the DNS server built into FreeIPA v2 with the IP address of this client.
 The update is secured using GSS-TSIG. The IP address of 
the IPA LDAP connection is used for the updates, if it is not otherwise
 specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD adds every IP enabled on the client machine 
to the host DNS entry?

IIRC we added this to support multiple interfaces (the user can choose 
which one to use) and to update both IPv6 () and IPv4 (A) 
records. IPA/SSSD cannot reliably determine which IP address to use; 
it is all or none from the interface. With the previous behavior, users 
wanted to use different/more addresses than the one which had been 
detected from the LDAP connection, and that was not possible previously.

Have you set dyndns_iface in sssd.conf?

Martin

Looks like this was a deliberate change:
  https://pagure.io/SSSD/sssd/issue/2558
but to be honest, I forgot why exactly we did this. Martin, do you know?

Is it possible to configure SSSD to update DNS with only the "primary" IP address 
in the ip addr list, or the one which is used for FreeIPA server communication 
(-IP1-, used for the TCP binding)?

Only if the IP addresses are of different families (v4/v6), then it's
possible to restrict one of the families.





I asked the question here:

https://www.redhat.com/archives/freeipa-users/2017-March/msg00360.html





Hi,

Thank you for your response.

In sssd.conf the parameter dyndns_iface is not defined, so we are in the default case:
Default: Use the IP addresses of the interface which is used for IPA 
LDAP connection


This point (dyndns_iface) is OK: every IP of this interface, and only 
this interface, is updated in the IPA host DNS entry.
I use only IPv4, so it is not possible to filter on only one IP 
("primary"); it is "none" or "all" on one interface.


In my case I see two solutions:
- Split the "primary" IP onto one interface (bond0 for example) and the other 
virtual IPs onto another interface (bond0.1 or bond1 for example)

- Disable the dyndns_update functionality on this machine

Can you confirm that I have no other solutions?


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
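To make the behaviour discussed in this thread concrete, here is an added example (written for this page; it is not SSSD code and not code from anyone in the thread). It parses a constructed `ip addr` listing (RFC 5737 addresses standing in for -IP1- and -IP2-, hostname host.example.test), computes the same "address on localhost only / address in DNS only" diff that the sdap_dyndns_addrs_diff message in the trace reports, and renders the nsupdate script in the shape shown in the SSSD trace: delete the A and AAAA rrsets, then add one record per address on the interface. The include_secondary switch is hypothetical; it only models the "primary only" behaviour the poster asked for, which, per the replies, SSSD 1.13 does not offer.

```python
import ipaddress
import re

# Constructed sample of `ip addr` output, modelled on the listing in the thread;
# -IP1-/-IP2- are replaced with RFC 5737 documentation addresses.
IP_ADDR_OUTPUT = """\
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.10/26 brd 192.0.2.63 scope global em1
       valid_lft forever preferred_lft forever
    inet 192.0.2.11/26 scope global secondary em1
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 198.51.100.7/24 brd 198.51.100.255 scope global em2
       valid_lft forever preferred_lft forever
"""


def iface_addresses(ip_addr_text, iface, include_secondary=True):
    """Global-scope addresses of `iface`, as strings, in `ip addr` order.

    SSSD takes every global address of the interface (the thread's point).
    include_secondary=False is a hypothetical "primary only" filter, modelling
    what the poster asked for; SSSD 1.13 has no such option."""
    addrs, current = [], None
    for line in ip_addr_text.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if head:
            current = head.group(1)
            continue
        if current != iface:
            continue
        m = re.match(r"^\s+inet6?\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        flags = m.group(2).split()
        if "global" not in flags:            # drop link-local and host scope
            continue
        if not include_secondary and "secondary" in flags:
            continue
        addrs.append(str(ipaddress.ip_interface(m.group(1)).ip))
    return addrs


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def addrs_diff(local_addrs, dns_addrs):
    """Mirror the sdap_dyndns_addrs_diff check in the trace: addresses only on
    the host, and addresses only in DNS. Either being non-empty means an update."""
    local_set, dns_set = set(local_addrs), set(dns_addrs)
    return (sorted(local_set - dns_set, key=_sort_key),
            sorted(dns_set - local_set, key=_sort_key))


def build_nsupdate(hostname, addrs, ttl=1200, realm=None, server=None):
    """Render the forward-zone nsupdate script in the shape the SSSD trace shows:
    delete the A and AAAA rrsets, then add one record per address, then send."""
    fqdn = hostname.rstrip(".") + "."
    lines = []
    if server:
        lines.append(f"server {server}")
    if realm:
        lines.append(f"realm {realm}")
    lines += [f"update delete {fqdn} in A", "send",
              f"update delete {fqdn} in AAAA", "send"]
    for addr in addrs:
        rtype = "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"
        lines.append(f"update add {fqdn} {ttl} in {rtype} {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def plan_update(ip_addr_text, iface, hostname, dns_addrs, include_secondary=True):
    """Return the nsupdate script that would be sent, or None when DNS already
    matches the interface (no "Detected IP addresses change")."""
    local = iface_addresses(ip_addr_text, iface, include_secondary)
    only_local, only_dns = addrs_diff(local, dns_addrs)
    if not only_local and not only_dns:
        return None
    return build_nsupdate(hostname, local)


if __name__ == "__main__":
    # DNS currently holds only the primary address; the secondary one was just added,
    # so the script adds both, exactly the outcome the poster observed.
    print(plan_update(IP_ADDR_OUTPUT, "em1", "host.example.test", ["192.0.2.10"]), end="")
```

Running the block with DNS holding only 192.0.2.10 yields a script with two `update add` lines, which is the observed "-IP1- & -IP2-" result; with include_secondary=False the diff is empty and nothing is sent. That difference is the gap the thread identifies: the selection happens per interface, not per address, so the only supported ways to keep a secondary address out of DNS are a separate interface or disabling the update.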

Re: [Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-04-18 Thread David Goudet

Hi,

Does nobody have a response to my questions?

The main question is: is it possible to configure SSSD to update DNS (option 
dyndns_update) with only the "primary" IP address in the ip addr list, or the one which is used 
for FreeIPA server communication (-IP1-, used for the TCP binding)?

Thank you for your help.

Best regards,


On 03/27/2017 06:34 PM, David Goudet wrote:

Hi,

Thanks to the dyndns_update=True parameter, the SSSD service on the client machine updates 
the host DNS entry in FreeIPA.
Everything is fine on machines which have only one IP address on the network 
interface.
I have a problem with machines which have more than one IP address on the network 
interface: if a machine has two IP addresses, SSSD updates the host DNS entry with 
both IP addresses.

To reproduce the problem:
The host has -IP1- and I add -IP2-:
ip addr add -IP2-/26 dev em1

ip addr list:
em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1496 qdisc mq state UP qlen 1000
 link/ether 
 inet -IP1-/26 brd  scope global em1
 inet -IP2-/26 scope global secondary em1
valid_lft forever preferred_lft forever

DNS resolution (dig) before restarting sssd returns only -IP1-. After restarting 
sssd it returns -IP1- & -IP2-.

In the dyndns_update manpage we have "The IP address of the IPA LDAP connection is used 
for the updates"; what does it mean? Is it the IP address of the DNS server (used to 
update the DNS entry)? Or is it the IP address on the client machine used during the LDAP TCP bind 
(-IP1- in my case)?

dyndns_update (boolean)
Optional. This option tells SSSD to automatically update the DNS 
server built into FreeIPA v2 with the IP address of this client.
The update is secured using GSS-TSIG. The IP address of the IPA 
LDAP connection is used for the updates, if it is not otherwise
specified by using the “dyndns_iface” option.

Is it normal behaviour that SSSD adds every IP enabled on the client machine to the 
host DNS entry?
Is it possible to configure SSSD to update DNS with only the "primary" IP address 
in the ip addr list, or the one which is used for FreeIPA server communication (-IP1-, used for the TCP 
binding)?

My environment is:
Client: Centos 7.2
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
FreeIPA server: Centos 6.7
ipa-server-3.0.0-47.el6.centos.2.x86_64
bind-9.8.2-0.30.rc1.el6_6.3.x86_64
bind-utils-9.8.2-0.37.rc1.el6_7.7.x86_64
bind-libs-9.8.2-0.37.rc1.el6_7.7.x86_64
rpcbind-0.2.0-11.el6_7.x86_64
bind-libs-9.8.2-0.30.rc1.el6_6.3.x86_64
rpcbind-0.2.0-11.el6.x86_64
bind-dyndb-ldap-2.3-8.el6.x86_64
bind-9.8.2-0.37.rc1.el6_7.7.x86_64


SSSD configuration on client:
[domain/]

debug_level=18
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = 
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ds01., ds01.
dns_discovery_domain = 


Named FreeIPA logs:
---
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#36331: updating zone '/IN': deleting rrset at '' A
Mar 27 17:03:57 ds01. named[6607]: update_record (psearch) failed, dn 
'idnsName=2,idnsname=.in-addr.arpa.,cn=dns,dc=yyy,dc=xxx' change type 0x4. 
Records can be outdated, run `rndc reload`: not found
Mar 27 17:03:57 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490615011)
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#46187: updating zone 
'/IN': deleting rrset at '.' 
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone 
'/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: client -IP1-#54691: updating zone 
'/IN': adding an RR at '.' A
Mar 27 17:03:57 ds01. named[6607]: zone .in-addr.arpa/IN: 
sending notifies (serial 1490627037)
Mar 27 17:04:02 ds01. named[6607]: zone /IN: sending 
notifies (serial 1490627038)

SSSD trace log on client during sssd restart:
---
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [ipa_dyndns_update_send] 
(0x0400): Performing update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_connect_step] 
(0x4000): reusing cached connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_id_op_destroy] (0x4000): 
releasing operation connection
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_is_address] (0x4000): 
[.] does not look like an IP address
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_step] 
(0x2000): Querying DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_dns_query] (0x0100): 
Trying to resolve A record of '.' in DNS
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_request_timeout] 
(0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_timeout_watcher] 
(0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [unschedule_timeout_watcher] 
(0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_parse] 

[Freeipa-users] SSSD dyndns_update on machine with multiple IP address

2017-03-27 Thread David Goudet
on Mar 27 17:03:56 2017) [sssd[be[]]] 
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve  record of 
'.' in DNS 
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_request_timeout] 
(0x2000): Scheduling a timeout of 6 seconds
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [schedule_timeout_watcher] 
(0x2000): Scheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [unschedule_timeout_watcher] 
(0x4000): Unscheduling DNS timeout watcher
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [request_watch_destructor] 
(0x0400): Deleting request watch
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_next] 
(0x0200): No more address families to retry
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [resolv_gethostbyname_next] 
(0x0100): No more hosts databases to retry
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_dyndns_addrs_diff] 
(0x1000): Address on localhost only: -IP2-
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [sdap_dyndns_dns_addrs_done] 
(0x0400): Detected IP addresses change, will perform an update
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [nsupdate_msg_create_common] 
(0x0200): Creating update message for realm [].
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [be_nsupdate_create_fwd_msg] 
(0x0400):  -- Begin nsupdate message --
realm 
update delete .. in A
send 
update delete .. in 
send 
update add .. 1200 in A -IP2-
update add .. 1200 in A -IP1-
send
 -- End nsupdate message --
..
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [nsupdate_msg_create_common] 
(0x0200): Creating update message for server [ds01.] and realm 
[].
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [be_nsupdate_create_fwd_msg] 
(0x0400):  -- Begin nsupdate message --
server ds01.
realm 
update delete .. in A
send
update delete .. in 
send
update add .. 1200 in A -IP2-
update add .. 1200 in A -IP1-
send
 -- End nsupdate message --
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [child_handler_setup] (0x2000): 
Setting up signal handler up for pid [20631]
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [child_handler_setup] (0x2000): 
Signal handler set up for pid [20631]
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [write_pipe_handler] (0x0400): 
All data has been sent!
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [nsupdate_child_stdin_done] 
(0x1000): Sending nsupdate data complete
(Mon Mar 27 17:03:56 2017) [sssd[be[]]] [be_nsupdate_args] (0x0200): 
nsupdate auth type: GSS-TSIG
setup_system()

Thank you for your help!

-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574


Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-03-13 Thread David Goudet
Hi,

After more investigation I found a solution to my problem. Hereafter some 
details.

I think I had two linked problems:
Problem 1: In /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 there were some old entries 
about ~five months old; they were probably Tombstone entries. (The replication 
state between the two dirsrv master/master servers was good and stable).
Problem 2: The purge attribute "nsslapd-changelogmaxage" had its default value of 30 days, 
but the volume of data stored in the db4 database was greater than ~4 GB, which is the 
space available on the /var/lib/ partition. So the partition was filled with entries 
which are older than 30 days.

Problem 1 was solved by removing the db4 database (be careful of the impacts: dirsrv 
replication should work and the db should be well synchronised before doing this):
service dirsrv stop && mv /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4-old && service dirsrv start

Problem 2 was solved by decreasing the purge attribute "nsslapd-changelogmaxage" 
from 30d to 10d (I don't need more data and want to increase the free partition space).

To know: the purge seems to run every five minutes, so freeing entries is not 
instantaneous; it occurs after ~6 minutes.

I agree, you are right:
> Also trimming removes changelog records and frees space internally to the db4 
> file to be reused, but it will not shrink the file size

I think it is not mandatory, but I set the default value of the following purge 
parameters:
nsDS5ReplicaPurgeDelay: 604800
nsDS5ReplicaTombstonePurgeInterval: 86400

I followed this good documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html

Thanks for your help!

David

- Original Message -
From: "Ludwig Krispenz" <lkris...@redhat.com>
To: "freeipa-users" <freeipa-users@redhat.com>
Sent: Tuesday, December 22, 2015 1:55:06 PM
Subject: Re: [Freeipa-users] Purge old entries in 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

Hi,

On 12/22/2015 11:43 AM, David Goudet wrote:
> Hi,
>
> I have a multimaster replication environment. On each replica, the folder 
> /var/lib/dirsrv/slapd-/cldb/ is big (~3 GB) and old entries in 
> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:
>
> sudo dbscan -f 
> /var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4
>  | less
> dbid: 56239e5e0004
>  replgen: 1445174777 Sun Oct 18 15:26:17 2015
>  csn: 56239e5e0004
>  uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
>  dn: 
>  operation: modify
>  krbLastSuccessfulAuth: 20151018132617Z
>  modifiersname: cn=Directory Manager
>  modifytimestamp: 20151018132617Z
>  entryusn: 68030946
>
> My questions are:
>
> a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? 
> (what is the procedure)
> b) What is the right configuration to limit increase of this file?
setting changelog maxage should be sufficient to trim changes, but the 
age is not the only condition deciding if a record in the changelog can 
be deleted.
- for each replicaID the last record will never be deleted, independent 
of its age, so if you have replicas in your topology which are not (or 
not frequently) updated directly there will be old changes in the changelog
- if the replica where the trimming is run has replication 
agreements to other replicas, changes which were not yet replicated to 
the other replica will not be purged. So, if you have some stale 
agreements to other replicas this could prevent trimming as well.

Also trimming removes changelog records and frees space internally to the 
db4 file to be reused, but it will not shrink the file size
>
>
>
> This topic has already been discussed on 
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00433.html or 
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00573.html but no 
> response works for me.
> The response here seems not to be applicable: 
> https://bugzilla.redhat.com/show_bug.cgi?id=1181341 (Centos 7, Fixed In 
> Version: 389-ds-base-1.3.4.0-1.el7)
>
> I used some attributes from the documentation: 
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogdir.
>  Old entries are not purged and the file increases even after restarting the service 
> (service dirsrv start and service dirsrv stop).
>
> (This test environment values)
> dn: cn=changelog5,cn=config
> objectClass: top
> objectClass: extensibleobject
> cn: changelog5
> ...
> nsslapd-changelogmaxentries: 100
> nsslapd-changelogmaxage: 4m
>
> dn: cn=replica,c
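The two trimming rules Ludwig gives (age beyond nsslapd-changelogmaxage, except that the last record of each replica ID is always kept) are easy to check against a changelog dump. The following is an added example for this page, not code from the poster, from 389-ds, or from FreeIPA. It parses a constructed `dbscan -f` dump (three records, two replica IDs, placeholder DNs and uniqueids; it is not the poster's data), reads the replica ID out of the CSN using the documented 389-ds layout (8 hex timestamp, 4 hex sequence, 4 hex replica ID, 4 hex subsequence), and reports which records a given maxage could actually trim. The third rule, changes not yet sent over a replication agreement, needs agreement state that a dump does not contain and is not modelled.

```python
import re

# Constructed dbscan-style dump of a changelog db4 file (placeholder data, not the
# poster's).  replgen is the replica generation, the same for every record of one
# changelog; the change time is the first 8 hex digits of the CSN.
DBSCAN_DUMP = """\
dbid: 56239e5e000000040000
    replgen: 1445174777 Sun Oct 18 15:26:17 2015
    csn: 56239e5e000000040000
    uniqueid: 11111111-222211e5-33334444-55556666
    dn: fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test
    operation: modify
    krbLastSuccessfulAuth: 20151018132617Z
    modifiersname: cn=Directory Manager
    modifytimestamp: 20151018132617Z
    entryusn: 68030946
dbid: 567a5a43000100040000
    replgen: 1445174777 Sun Oct 18 15:26:17 2015
    csn: 567a5a43000100040000
    uniqueid: 11111111-222211e5-33334444-55557777
    dn: fqdn=host2.example.test,cn=computers,cn=accounts,dc=example,dc=test
    operation: modify
    modifiersname: cn=Directory Manager
    modifytimestamp: 20151223082435Z
    entryusn: 69000001
dbid: 56a8ad14000200030000
    replgen: 1445174777 Sun Oct 18 15:26:17 2015
    csn: 56a8ad14000200030000
    uniqueid: 11111111-222211e5-33334444-55558888
    dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
    operation: modify
    modifiersname: cn=Directory Manager
    modifytimestamp: 20160127114212Z
    entryusn: 70000001
"""

# Units accepted by nsslapd-changelogmaxage (a bare number means seconds).
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_maxage(value):
    """Convert an nsslapd-changelogmaxage value ('30d', '4m', '3600') to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"bad changelogmaxage value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_dbscan(text):
    """Parse `dbscan -f <changelog.db4>` output into one dict per record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:                      # skips blank lines and '...' separators
            continue
        key, value = key.strip(), value.strip()
        if key == "dbid":
            current = {"dbid": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    for rec in records:
        csn = rec["csn"]
        if not re.fullmatch(r"[0-9a-f]{20}", csn):
            raise ValueError(f"unexpected CSN format: {csn}")
        rec["csn_time"] = int(csn[0:8], 16)      # change time, epoch seconds
        rec["replica_id"] = int(csn[12:16], 16)
        rec["replgen"] = int(rec["replgen"].split()[0])
    return records


def trim_report(records, maxage, now):
    """Classify each record: trimmable when older than maxage, unless it is the
    last (newest CSN) record of its replica ID, which trimming never removes."""
    cutoff = now - parse_maxage(maxage)
    newest = {}
    for rec in records:
        rid = rec["replica_id"]
        if rid not in newest or rec["csn"] > newest[rid]["csn"]:
            newest[rid] = rec
    report = {}
    for rec in records:
        rid = rec["replica_id"]
        if newest[rid] is rec:
            report[rec["csn"]] = f"kept: last record for replica {rid}"
        elif rec["csn_time"] > cutoff:
            report[rec["csn"]] = "kept: younger than maxage"
        else:
            report[rec["csn"]] = "trimmable"
    return report


def trimmable_count(records, maxage, now):
    return sum(1 for s in trim_report(records, maxage, now).values() if s == "trimmable")


if __name__ == "__main__":
    now = 1453899600                       # constructed 'now': 2016-01-27 13:00 UTC
    for csn, status in trim_report(parse_dbscan(DBSCAN_DUMP), "30d", now).items():
        print(csn, status)
```

With the sample dump and a 30-day maxage, only the October record is trimmable; the December record is kept because it is the last change from replica 4, and the same holds with the poster's test value of 4m. That is why an old record in the dump is not by itself evidence that trimming is broken, and why a disk that is full of changelog is better diagnosed by looking at which replica IDs the surviving old records carry.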

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2016-01-27 Thread David Goudet
Hi,

> Hi,

On 12/22/2015 11:43 AM, David Goudet wrote:

>>Hi,

>> I have a multimaster replication environment. On each replica, the folder 
>> /var/lib/dirsrv/slapd-/cldb/ is big (~3 GB) and old entries in 
>> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:

>>sudo dbscan -f 
>> /var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4
>>  | less
>> dbid: 56239e5e0004
>>  replgen: 1445174777 Sun Oct 18 15:26:17 2015
>>  csn: 56239e5e0004
>>  uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
>>  dn: 
>>  operation: modify
>>  krbLastSuccessfulAuth: 20151018132617Z
>>  modifiersname: cn=Directory Manager
>>  modifytimestamp: 20151018132617Z
>>  entryusn: 68030946

>>My questions are:

>>a) How to purge old entries in file 
>> /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? (what is the procedure)
>>b) What is the right configuration to limit increase of this file?

> setting changelog maxage should be sufficient to trim changes, but the age is 
> not the only condition deciding if a record in the changelog can be deleted. 
> - for each replicaID the last record will never be deleted, independent of 
> its age, so if you have replicas in your topology which are not (or not 
> frequently) updated directly there will be old changes in the changelog 
> - if the replica where the trimming is run has replication agreements to 
> other replicas, changes which were not yet replicated to the other replica 
> will not be purged. So, if you have some stale agreements to other replicas 
> this could prevent trimming as well.


> Also trimming removes changelog records and frees space internally to the db4 
> file to be reused, but it will not shrink the file size

Thank you for your response. I agree with you. To identify where the problem is, 
I enabled the error log: nsslapd-errorlog-level: 8192

And I found these errors:

[23/Dec/2015:09:46:40 +0100] agmt="cn=meTo" (ds01:389) - load=1 
rec=69 csn=567a5a4300010004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Sending modify operation (
dn="fqdn=xxx.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" 
csn=567a5a4300010004)
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: modifys operation (dn="fqd
n=pad01.xxx.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" 
csn=567a5a4300010004) not sent - empty
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Consumer successfully sent operation with 
csn 567a5a4300010004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): Skipping update operation with no message_id (uniqueid 
25791707-b72211e2-a156db20-90c3b706, CSN 567a5a4300010004):
...
23/Dec/2015:09:46:40 +0100] agmt="cn=meTo" (ds01:389) - 
load=1 rec=72 csn=567a5a440004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Sending modify operation (dn="fqdn=xxx
x.xxx.xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a440004)
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: modifys operation (dn="fqdn=
xxx,cn=computers,cn=accounts,dc=xxx,dc=xxx" csn=567a5a440004) not sent 
- empty
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): replay_update: Consumer successfully sent operation with 
csn 567a5a440004
[23/Dec/2015:09:46:40 +0100] NSMMReplicationPlugin - agmt="cn=meTo" (ds01:389): Skipping update operation with no message_id (uniqueid 
7cfafb01-7fc711e4-974fdb20-90c3b706, CSN 567a5a440004):

Replication between the two master/master IPA servers seems to work well, but we 
can see many skipped requests:

repl-monitor -r -c xxx -w 

Enter password for (:): 
(HTML table output flattened by the archive; only the recoverable fields are kept)

Time Lag Legend: within 5 min | within 60 min | over 60 min | server n/a

Master: ldap://:389/
Replica ID: 3
Replica Root: dc=,dc=xxx
Max CSN: 56a8ad1400020003 (01/27/2016 12:42:12 2 0)

Receiver | Time Lag | Max CSN | Last Modify Time | Supplier | Sent/Skipped | Update Status | Update Started | Update Ended | Schedule | SSL?
xxx:389 (Type: master) | - 0:44:30 | 56a8a2a600010003 (01/27/2016 11:57:42 1 0) | 1/27/2016 11:56:01 | :389 | 3429 / 4188985195 | 0 Replica acqu

[Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2015-12-22 Thread David Goudet
Hi,

I have a multimaster replication environment. On each replica, the folder 
/var/lib/dirsrv/slapd-/cldb/ is big (~3 GB) and old entries in 
/var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 are three months old:

sudo dbscan -f 
/var/lib/dirsrv/slapd-/cldb/ef155b03-dda611e2-a156db20-90xxx06_51c9aed900xx000.db4
 | less
dbid: 56239e5e0004
replgen: 1445174777 Sun Oct 18 15:26:17 2015
csn: 56239e5e0004
uniqueid: e55d5e01-26f211e4-9b60db20-90c3b706
dn: 
operation: modify
krbLastSuccessfulAuth: 20151018132617Z
modifiersname: cn=Directory Manager
modifytimestamp: 20151018132617Z
entryusn: 68030946

My questions are:

a) How to purge old entries in file /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4? 
(what is the procedure)
b) What is the right configuration to limit increase of this file?



This topic has already been discussed on 
https://www.redhat.com/archives/freeipa-users/2013-February/msg00433.html or 
https://www.redhat.com/archives/freeipa-users/2015-April/msg00573.html but no 
response works for me.
The response here seems not to be applicable: 
https://bugzilla.redhat.com/show_bug.cgi?id=1181341 (Centos 7, Fixed In 
Version: 389-ds-base-1.3.4.0-1.el7)

I used some attributes from the documentation: 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnchangelog5-nsslapd_changelogdir.
 Old entries are not purged and the file increases even after restarting the service 
(service dirsrv start and service dirsrv stop).

(This test environment values)
dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleobject
cn: changelog5
...
nsslapd-changelogmaxentries: 100
nsslapd-changelogmaxage: 4m

dn: cn=replica,cn=x,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: top
objectClass: nsds5replica
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=x
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 6
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/xx
 .LYRA,cn=services,cn=accounts,dc=x
nsState:: x
nsDS5ReplicaName: d9663d08-a80f11e5-aa48d241-0b88f012
nsds5ReplicaTombstonePurgeInterval: 200
nsds5ReplicaPurgeDelay: 200
nsds5ReplicaChangeCount: 3091
nsds5replicareapactive: 0

Hereafter some information about my environment: 
CentOS release 6.5 (Final)
389-ds-base-libs-1.2.11.15-65.el6_7.x86_64
389-ds-base-1.2.11.15-65.el6_7.x86_64
ipa-client-3.0.0-47.el6.centos.1.x86_64
ipa-server-3.0.0-47.el6.centos.1.x86_64

Thanks for your help!

David
