On 10/30/2017 03:56 AM, Sergei Gerasenko via FreeIPA-users wrote:
Hi,
When searching for RUVs, agreements, etc, the following ldapsearch
command can be used:
ldapsearch -xLLL -h HOST -D "cn=directory manager" -W -b cn=config
cn=replica nsds50ruv -o ldif-wrap=no
That seems to work. The rep
On 11/14/2017 11:40 AM, Mike Johnson via FreeIPA-users wrote:
Hi
I've got a small environment which had until recently 2 IPA servers.
Both CentOS 7.4.1708
Version info:
id1:
Name: ipa-server
Version : 4.5.0
Release : 21.el7.centos.2.2
Kernel: 3.10.0-693.5.2.el7.x86_64
389-ds-b
slow. In
particular the httpd process running under the ipaapi user is sitting
at 100% load most of the time. I suspect timeouts may be occurring if
it's taking a long time for the master to respond to requests.
Grateful for any more guidance
Mike
On 14 November 2017 at 12:23, Ludwig K
ot;" "parentid>=1"
On 15 November 2017 at 15:17, Ludwig Krispenz via FreeIPA-users
wrote:
On 11/15/2017 07:40 AM, Mike Johnson via FreeIPA-users wrote:
I should add that I deleted/moved the large DB file as it was on the
single remaining master, with no replication agreements l
The crash looks very much like the one found in
https://pagure.io/389-ds-base/issue/48894
it is fixed and the code has also been generally improved with:
https://pagure.io/389-ds-base/issue/49401
As far as I can see these patches are not in 1.3.6.1-21, they are in
upstream 1.3.6.10.
If you c
you can see nscpentrywsi only as "cn=directory manager", and your mods
for ipacnfigstring were also done as directory manager, but you search
as another user. The attribute is probably there, but access control
prevents you from seeing it.
On 11/30/2017 11:02 AM, skrawczenko--- via FreeIPA-users wrote
nscpentrywsi
On 12/01/2017 09:53 AM, skrawczenko--- via FreeIPA-users wrote:
I wish you were right but
ldapsearch -D "cn=directory manager" -W -b cn=,cn=replicas,cn=ipa,cn=etc,dc= ncpentrywsi
dn: cn=,cn=replicas,cn=ipa,cn=etc,dc=
# search result
search: 2
result: 0 Success
Please any sugg
On 01/11/2018 02:36 PM, Rob Crittenden via FreeIPA-users wrote:
lejeczek via FreeIPA-users wrote:
hi everyone
when I see this in replica install log:
..
2018-01-11T12:46:31Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-PRIVATE-xx.xx.PRIVATE-CAM-AC-UK/ -L -n
PRIVATE.xx.xx.PRIVATE.xx.xx.x
Hi Harri,
the suffix object maintains a list of referrals to be returned if the
server is in read only mode. It is updated based on the supplier ruv and
only uses the url. If a ruv contains the same url for different replica
ids these errors are logged. It should be fixed in 1.3.6 now, see:
h
On 02/09/2018 10:23 AM, Alex M via FreeIPA-users wrote:
Martin, thank you for the reply.
Does it support multiple modification lines at the same time?
yes, but you need to separate the mods, like:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-locks
On 02/09/2018 10:50 AM, Alex M via FreeIPA-users wrote:
Ludwig, thank you for reply!
One more question, if the one of the ldap path differs, the structure of
update.ldif file is something like this:
yes, but depending on the version of DS you use, you may need to set
nsslapd-cache-autosize:
well, looks like someone or something is stopping your slapd process, it
does not shutdown by itself. Could it be a "watchdog", checking for
resource consumption on your machine and if memory or cpu usage is too
high stopping it ?
If you just want to workaround, pipe the result of your ldasea
Hi,
to get rid of this ruv entry with replicaid 7 you could try to run the
cleanallruv task directly. On any server (and only on one) run
ldapmodify . -D "cn=directory manager"
dn: cn=clean 7, cn=cleanallruv, cn=tasks, cn=config
changetype: add
objectclass: extensibleObject
replica-base-
On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Ludwig,
On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote:
Hi,
to get rid of this ruv entry with replicaid 7 you could try to run
the cleanallruv task directly. On any server (and only on one) run
ldapmodify
On 03/14/2018 09:10 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Ludwig,
On 03/13/18 14:47, Ludwig Krispenz via FreeIPA-users wrote:
On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Ludwig,
On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote:
Hi,
to get rid of
On 04/05/2018 11:28 PM, Gavin Williams via FreeIPA-users wrote:
Petr
Yeh, I was unable to see the suffixes and replication agreements via
the WebUI.
However searching using ldapsearch, they were still present. So I
tracked the issue down to my named user account not having enough
permissio
On 04/13/2018 08:25 AM, Sandor Juhasz via FreeIPA-users wrote:
Hello,
we are using freeipa in a 4way multi master replication setup.
Servers ipa14,ipa15 and ipa34,ipa35 on
CentOS Linux release 7.3.1611 (Core) with version
ipa-server-common-4.4.0-14.el7.centos.7.noarch.
We have an issue where o
, Budapest, Hungary, H-1031
Cell: +36704258964
On Fri, Apr 13, 2018 at 10:51 AM, Ludwig Krispenz via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
On 04/13/2018 08:25 AM, Sandor Juhasz via FreeIPA-users wrote:
Hello,
we are using freeipa in a 4way mu
On 04/15/2018 09:26 PM, TomK via FreeIPA-users wrote:
Hey guys,
Not 'really' an issue but curious about the logic behind this scenario.
I get a message saying "Your password expires in 4 days." So I go to
change it for the admin user (I'm reusing the same pass) and type it
in but then get
On 05/09/2018 10:29 AM, Bart via FreeIPA-users wrote:
As described in this issue: https://pagure.io/389-ds-base/issue/49660 I updated
sssd and things started working again.
thanks for confirmation
___
FreeIPA-users mailing list -- freeipa-users@list
On 05/16/2018 04:08 PM, Kat via FreeIPA-users wrote:
Hi -
Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:
[root@ipa-
On 07/17/2018 01:15 PM, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 17 heinä 2018, Kees Bakker wrote:
On 17-07-18 11:48, Alexander Bokovoy wrote:
On ti, 17 heinä 2018, Kees Bakker wrote:
To modify you'd rather use ipa-ldap-updater tool which manages
automatically this for you when an up
On 08/29/2018 08:56 AM, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 29 elo 2018, Quan Zhou via FreeIPA-users wrote:
I have a similar question, should the audit logs be enabled on the
master
or replicas? If it's only enabled on replicas would the date be
consistent
with the actual date o
looks like you have a one directional topology segment on each server,
they are created from existing replication agreements when raising the
domain level, they should be replicated and merged to one bi-directional
segment - so it looks like replication was not working already back then.
to inv
replication uses CSNs(change sequence numbers) to synchronize data
across the topology, and it requires the times to be in sync and that
time never goes backward, otherwise a new change would get an older csn
and probably be ignored after replication.
Since it is not guaranteed that system time
If the problem occurs during the new installation of DS, you need to get
a modification of the IPA install script, setting this parameter before
setting up replication.
Otherwise there is a hack to modify the configuration template:
/usr/share/dirsrv/data/template-dse.ldif
and add the
nsslapd-m
Hi,
unfortunately replication conflicts for managed entries have additional
difficulties. The origin and managed entries reference the
"non-conflict" entry and the managed entry plugin prevents the deletion
of a managed entry via ldapmodify.
To proceed in cleanup you could try to remove the "m
On 06/20/2017 02:31 PM, john.bowman--- via FreeIPA-users wrote:
These steps wouldn't be documented somewhere would they?
no, I am not aware of
I did find this older thread:
https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html
Something similar to those steps?
this thread
On 06/27/2017 07:36 PM, Devin Acosta via FreeIPA-users wrote:
I am running the latest CentOS 7.3 / FreeIPA release and it appears
that my replication got broke.
[27/Jun/2017:17:28:58.705411461 +] NSMMReplicationPlugin -
agmt="cn=meTolasdc-lmfpa-002.lxi.m451.tech" (lasdc-lmfpa-002:389):
On 07/11/2017 03:24 PM, Jan Karásek via FreeIPA-users wrote:
Hi,
thank you. We have 34 entries in directory with nsuniqueid in DN:
dn: cn=Kerberos Service Password
Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn:
cn=cosTemplates+nsuni
looks like you lost your configuration files dse.ldif and its backup as well
could you check what you have in /etc/dirsrv/slapd-
you can try to copy one of the *dse.ldif* to dse.ldif and try to
restart, but that file maybe up to date.
Ludwig
On 07/14/2017 04:22 PM, email--- via FreeIPA-users
On 07/27/2017 07:49 PM, email--- via FreeIPA-users wrote:
This is a new one, any ideas on how to get this to sync?
ldapsearch -x -D "cn=directory manager" -W -b
"dc=ipa,dc=example,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with s
On 07/28/2017 03:25 PM, email--- via FreeIPA-users wrote:
I have no idea what that means, cn=servers has child objects that do
exist on both servers. Is there a way to force replicate from another
node and overwrite all local conflicts.
the conflicts arise by replication as I tried to explain.
On 07/28/2017 07:56 PM, Jake via FreeIPA-users wrote:
All I see are responses like yours, how about a link or add it to the
documentation since it's such a problem?!
if the ruvs cannot be decoded, the ipa command line utility does not
work, you have to execute a plain cleanallruv task, an exam
I did answer your same question on June,2nd
On 07/29/2017 05:09 PM, pgb205 via FreeIPA-users wrote:
we are affected by the CSN time skew bug discussed in this wiki
http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html#so-how-does-the-time-skew-grow-at-all
and
h
On 07/31/2017 10:45 PM, pgb 205 via FreeIPA-users wrote:
Ludwig,
what about this 'fix'
https://bugzilla.redhat.com/show_bug.cgi?id=1009122
won't the setting of nsslapd -ignore-time-skew==on effectively solve the issue?
IE on the down server edit the value in /etc/dirsrv/slapd-DOMAIN/dse.ldif
On 08/01/2017 04:42 PM, pgb 205 via FreeIPA-users wrote:
ok that's great news! But I just want to make sure even if the server IS ALREADY
DOWN due to this bug we can still manually edit the database (dse.ldif) for
this value and then bring up the processes. Would that work?
yes, that should wo
On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
Hello All,
I was wondering if anyone has written a health check script for FreeIPA?
don't think something IPA specific exists, but someone can correct me
How do you all check replication (and IPA server health)?
There are two ap
This is issue: https://pagure.io/389-ds-base/issue/49334
On 08/30/2017 09:01 AM, Jochen Hein via FreeIPA-users wrote:
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have
the following new messages during backup:
Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.2259321
On 09/07/2017 03:21 AM, Fraser Tweedale via FreeIPA-users wrote:
On Wed, Sep 06, 2017 at 02:05:56PM -0400, Anthony Clark via FreeIPA-users wrote:
It may possibly be related to this, but this is marked as fixed for 4.3:
https://pagure.io/freeipa/issue/5456
I'm on 4.4.0-14.el7.centos.7
A user h
would be nice to include the problem description again, but if you are
referring to:
[26/Aug/2017:21:39:32.891818412 +] NSMMReplicationPlugin - changelog
program - agmt="cn=meTo**.com" (**:389): CSN
597276fb0005000a not found, we aren't as up to date, or we purged
[26/Aug/2017:
41 matches