Hi Jaehwan,
Why the nb of established connections (to the server) is a concern ?
The vast majority of the connections are client connections. Replication
connections, especially in ring topology, would account for a small
fraction of them. The added hosts generates a replication traffic, over
On 8/9/23 21:13, Harry G Coin wrote:
On 8/9/23 12:05, Thierry Bordaz wrote:
On 8/9/23 18:55, Harry G Coin wrote:
Thierry asked for a recap summary below, so forgive the 'top post'.
Here it is:
4.9.10 default install on two systems call them primary (with
kasp.db) and secondary but
On 8/9/23 18:55, Harry G Coin wrote:
Thierry asked for a recap summary below, so forgive the 'top post'.
Here it is:
4.9.10 default install on two systems call them primary (with kasp.db)
and secondary but otherwise multi-master, 1g link between them,
modest/old cpu, drives, 5Gmemory, with
On 8/9/23 17:15, Harry G Coin wrote:
On 8/9/23 01:00, Alexander Bokovoy wrote:
On Tue, 08 Aug 2023, Harry G Coin wrote:
Thanks for your help. Details below. The problem 'moved' in I hope
a diagnostically useful way, but the system remains broken.
On 8/8/23 08:54, Alexander Bokovoy wrote:
Hi Kathy,
The procedure to diagnose hang looks nice. My understanding is that it
assumes that in deadlock situation the more we have threads waiting on a
resource, the more probable we have a hang/deadlock. Now because of the
dynamic of the server itself, on the configuration, on the type of
Hi Edward,
thank you so much for diving up to the RC. I opened
https://github.com/389ds/389-ds-base/issues/5158 to track that issue
regards
thierry
On 2/9/22 1:29 AM, Edward Valley via FreeIPA-users wrote:
Hi,
Finally, I made a bash script that:
1. Receives as arguments a 'base' and a
On 2/1/22 6:50 AM, Edward Valley via FreeIPA-users wrote:
Hi Thierry,
Do you want the output of:
ldapsearch -LLL -h localhost -x -D "cn=Directory Manager" -w "..." \
-b "cn=users,cn=accounts,dc=..." '(uid=user1)' '*'
Or are you talking about something else?
Hi,
yes that is this exact
Hi Edward,
It looks like the fixup task stops upon the first error. I do not know if
it is intentional or a bug. The error is possibly related to schema
checking, could you send the ldif format of entry 'uid=user1,
cn=users,...' ?
regards
thierry
On 1/29/22 11:36 PM, Edward Valley via
Hi Edward,
I think you may try to create the task manually
ldapmodify -D "cn=directory manager" -w ... -a <,cn=entryuuid task,cn=tasks,cn=config
objectClass: top
objectClass: extensibleObject
basedn:
cn: entryuuid_fixup_
!
If you want to fixup only specific entries you may add the following
Hi Edward,
would you run 'dsconf localhost config get nsslapd-ignore-virtual-attrs'
and check its value. It should be 'on'.
Would you retry the same search after setting it to 'off' ?
thanks
thierry
On 1/24/22 10:16 PM, Edward Valley via FreeIPA-users wrote:
This is the version
Hi Kees,
Indeed this problem may have arisen because in intermediate centos
builds (without #4872 fix) we delivered a wrong attribute definition.
ATM we need to get the 'entryuuid' definition on Centos7.
I guess it is not present there. You may check with 'ldapsearch -D "DM"
-b "cn=schema"
Hi Kees,
The missing fix #4872 is pretty small [1]. Initial definition of
entryuuid required a syntax/MR that was not available with previous
versions, so it broke schema replication in mixed topology.
An easy workaround is to stop 1.4.3.23 instance, edit
Hi Lejeczek,
It is looking like https://bugzilla.redhat.com/show_bug.cgi?id=2023056.
You may workaround that issue with
https://bugzilla.redhat.com/show_bug.cgi?id=2023056#c3. Still looking
the proper way to fix it.
regards
thierry
On 11/17/21 2:16 PM, lejeczek via FreeIPA-users wrote:
Hi
On 9/17/21 12:26 AM, Kathy Zhu via FreeIPA-users wrote:
Hi Mark,
If it helps, this is the same ipa server which I posted in subject
"ipa_check_consistency alerts and ERR - slapd_poll - Timed out"
yesterday.
Hi Kathy,
The slapd_poll message is likely not related to the DB_PANIC. Slap_poll
Hi,
The client application did a search request with a filter testing
'objectclass' attribute. The connection was unbound, so the server was
looking for an aci granting anonymous access (userdn = "ldap:///anyone";)
to 'objectclass' on entry cn=oradev1. As it does not exist such aci
the
Hello Alfred,
If it is IPA deployment I doubt that you hit [1] because it only applies
on read-only replica (hub/consumer). Also this bug is fixed in the
version you are running.
The consumer (redactedauth0003.redacted.com
On 5/12/21 8:41 PM, Kees Bakker wrote:
On 12-05-2021 19:44, Thierry Bordaz wrote:
On 5/12/21 4:55 PM, Kees Bakker wrote:
Hi Thierry,
Just to be clear, changelogmaxage was changed to -1 by me after the
upgrade and I've
confirmed it is now set to -1.
The reason for me to change the value was
On 5/12/21 4:55 PM, Kees Bakker wrote:
Hi Thierry,
Just to be clear, changelogmaxage was changed to -1 by me after the
upgrade and I've
confirmed it is now set to -1.
The reason for me to change the value was because of the deadlock.
Apparently, it did not make much of a difference. It
Hi Kees,
Is changelogmaxage=-1 after the upgrade ?
would you send a full pstack when it hangs ? If pthread_rwlock_wrlock is
trim_changelog then you may hit another flavor of [1] (without known
reason).
regards
thierry
On 5/12/21 2:40 PM, Kees Bakker wrote:
Sorry to revive an old thread.
the First Master and install another
replica in the new cluster.
Thanks, bye.
Morgan
On Wed 22 Apr 2020 at 11:33, thierry bordaz via
FreeIPA-users <mailto:freeipa-users@lists.fedorahosted.org> wrote:
Hi,
CSN generator time skew is a pending issue still under inve
Hi,
CSN generator time skew is a pending issue still under investigation.
At the moment the way your csn generator is messed up looks not fatal.
You can allow replication to continue with the setting of
nsslapd-ignore-time-skew on all servers.
(https://access.redhat.com/solutions/1162703)
On 4/20/20 3:35 PM, Kees Bakker wrote:
On 20-04-2020 15:16, thierry bordaz wrote:
On 4/20/20 3:02 PM, Kees Bakker wrote:
On 20-04-2020 14:51, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
On 20-04-2020 09:58, Kees Bakker via FreeIPA-users wrote:
On 20-04-2020 09:09, Florence
On 4/20/20 3:02 PM, Kees Bakker wrote:
On 20-04-2020 14:51, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
On 20-04-2020 09:58, Kees Bakker via FreeIPA-users wrote:
On 20-04-2020 09:09, Florence Blanc-Renaud wrote:
On 4/20/20 8:28 AM, Kees Bakker via
Best regards,
Ender
On 17 Mar 2020, at 09:49, thierry bordaz via FreeIPA-users
wrote:
Hi,
At startup DS creates a connection table with a fixed size.
The message "setup_pr_read_pds - Not listening for new connections - too many fds
open" means that the number of established c
Hi,
At startup DS creates a connection table with a fixed size.
The message "setup_pr_read_pds - Not listening for new connections - too
many fds open" means that the number of established connections
exhausted the table limit.
What are the values of nsslapd-conntablesize and
Hi Lays,
Unfortunately the fix 1751295 may be incomplete. It prevents deadlock
in a condition (for be_write callbacks) but not for betxn_write callbacks.
I will look deeper at it to confirm this.
At the moment I can only recommend the workaround
Hello,
The deadlock you hit is a known issue
(https://bugzilla.redhat.com/show_bug.cgi?id=1751295) fixed in slapi-nis
0.56.4. What version of fedora and slapi-nis package are you running ?
Note that it exists a workaround
https://bugzilla.redhat.com/show_bug.cgi?id=1751295#c5. changelog
On 11/18/19 11:24 PM, Rob Crittenden wrote:
Auerbach, Steven via FreeIPA-users wrote:
Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server
3.0.0.1_51 (name : ipa01)
Yum installed ipa-server, ipa-server-dns, bind-dyndb-ldap on the target
Linux 7.6 server (name: ipa04)
Hi Giulio,
During the new IPA server installation (idc01) the server idc02 sends
all its entries (total update), one after the other.
The entries are sent idc02->idc01 over a sasl encrypted connection. I
suspect that one of the entry sent by idc02 is large (a static group ?)
and its encrypted
On 4/10/19 4:59 PM, Rob Crittenden wrote:
Giulio Casella via FreeIPA-users wrote:
Hi,
I managed to fix it!
The solution was to increase a couple of parameters in ldap config. I
passed "--dirsrv-config-file=custom.ldif" to ipa-replica-install, with
custom.ldif containing:
dn: cn=config
Hi,
The IPA messages are from Jan 28th (failing ipa backup) while the
restart failure is from Feb 2nd. Nothing in the ds error logs from Jan28th ?
The first message "Detected Disorderly Shutdown" means that DS stopped
abruptly (crash, assert,..).
So at restart it runs a recovery of the
it broke the index and that is really unexpected (even after a
db_deadlock). It is worth trying to reproduce.
thanks for your help
best regards
thierry
On 06/20/2018 08:14 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Thierry,
On 6/20/18 6:02 PM, thierry bordaz via FreeIPA-users wrote:
Hi Haral
in the
index (and findable via search)
But this does not explain how RDN and entry itself was changed.
Could you provide the access logs (ipa1) around that time ?
best regards
thierry
On 06/20/2018 04:34 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Thierry,
On 6/20/18 3:31 PM, thierry bordaz via
Hi Harald,
anything noticeable in the error logs when the problem occurred ?
(DB_DEADLOCK)
best regards
thierry
On 06/20/2018 02:56 PM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,
something got corrupted in my ldap database (again). After running
% ipa user-mod --rename=bobk
On 05/16/2018 10:03 PM, Jonathan Vaughn wrote:
I've been just using the packages from Fedora. I can build it
potentially but I don't have a cross build environment set up at the
moment. From experience I'd want to do that first because building
anything on the Pi usually takes ages.
I'd
Hi Jonathan,
This problem looks new to me and has something specific to your environment.
I think the best approach is to continue to debug on your system if you
have the possibility to do so.
From strace we can see that DS started smoothly (created its pid file
then notified systemd it was
Hi Jonathan,
This is weird as the crashing thread stack looks truncated (did you
copy/paste all of it ?)
Thread 1 (Thread 0x9e13c280 (LWP 17245)):
#0 0xb67bbf2e in strlen () at /lib/libc.so.6
#1 0xb6a06b40 in dosprintf () at /lib/libnspr4.so
#2 0x in None ()
Did you install
Hi Soler,
Thanks for the information.
So indexing is hanging because SC cache_init is running, the SC
cache_init is hanging because SSSD is not started, SSSD is not started
possibly because indexing prevents to get read access to the backend
("Backend is offline" TBC).
An option would be to
On 05/03/2018 10:38 AM, SOLER SANGUESA Miguel wrote:
hello,
Yesterday my ssh console closed the connection, so I had to start again the
"ipa-server-upgrade", but the result is more or less the same:
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping
Hi,
During indexing task we should see in the task status the periodic
progression of the indexing.
Maybe the indexing is hanging somewhere. When the problem occurs could
you provide a pstack of the dirsrv server ?
best regards
thierry
On 05/02/2018 10:27 PM, Rob Crittenden wrote:
SOLER
Hi Harald,
What version of DS are you running ?
We have a reproducer (not systematic) for versions before
https://bugzilla.redhat.com/show_bug.cgi?id=1516309 but we have not
reproduced it since then, you may need to upgrade.
best regards
thierry
On 03/12/2018 05:10 PM, Ludwig Krispenz
On 11/29/2017 10:53 PM, Rob Crittenden wrote:
skrawczenko--- via FreeIPA-users wrote:
i'm checking with
ldapsearch -Y GSSAPI -b cn=,cn=replicas,cn=ipa,cn=etc,dc=
and there's just
dn: ...
cn:
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
right after ldapmodify
On 08/09/2017 09:30 PM, Ian Harding via FreeIPA-users wrote:
On 8/9/17 3:05 AM, thierry bordaz wrote:
Hi Ian,
Thanks for having gathered those data.
#
# So pkidbuser entries have a same (old) userCertificate likely
generated during install
# But only freeipa-sea has a new
On 08/07/2017 09:22 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote:
On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote:
On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote:
On 08/03/2017 12:28 AM, Florence Blanc-Renaud
Hi,
Just for the record, this issue of slow user-del will be tracked with
https://pagure.io/389-ds-base/issue/49286
regards
thierry
On 05/31/2017 03:45 PM, thierry bordaz via FreeIPA-users wrote:
On 05/31/2017 03:30 PM, Rob Crittenden wrote:
thierry bordaz via FreeIPA-users wrote:
Hi Adrian
Hello Zak,
In fact 'dc' is IA5String (e.g. ascii) (1.3.6.1.4.1.1466.115.121.1.26)
and so can be matched with caseIgnoreIA5Match and
caseIgnoreIA5SubstringsMatch matching rules.
Directory string (e.g. UTF-8) (1.3.6.1.4.1.1466.115.121.1.15) can not.
It should however work if the 'dc' only