Re: [Freeipa-users] Replication scheme problem

2016-09-02 Thread Mark Reynolds


On 09/01/2016 06:13 AM, Andrey Rogovsky wrote:
> Hi!
> I have 2 servers - ldap1 is FreeIPA (master) and ldap2 is 389 DS (slave).
> One-way replication ldap1 -> ldap2 is enabled, but the schema is not
> replicated:
What version of 389-ds-base are you using?

rpm -qa | grep 389-ds-base
>
> The log file on ldap1 has this line:
> [01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Warning: unable
> to replicate schema to host ldap2, port 389. Continuing with total
> update session.
Is there anything in ldap2's errors/access log from this time
(01/Sep/2016:07:04:53)?
>
> Here is the current status:
> filter: (objectclass=nsds5replicationagreement)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=nsds5replicationagreement)
> # requesting: ALL
> #
>
> # ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
> dn:
> cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
>  cn=config
> objectClass: top
> objectClass: nsds5replicationagreement
> cn: ExampleAgreement
> nsDS5ReplicaHost: ldap2
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindMethod: SIMPLE
> nsDS5ReplicaRoot: dc=example,dc=com
> description: agreement between supplier1 and consumer1
> nsDS5ReplicaUpdateSchedule: -0500 1
> nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
> authorityRevocationLis
>  t
> nsDS5ReplicaCredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
>  RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
>  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQURJbjhNUWpLM1VqU1
>  M1SGZEUTY0TA==}mwxKHUYWXjNeyo1AGRWe9A==
> nsds5replicareapactive: 0
> nsds5replicaLastUpdateStart: 1970010100Z
> nsds5replicaLastUpdateEnd: 1970010100Z
> nsds5replicaChangesSentSinceStartup:
> nsds5replicaLastUpdateStatus: 0 No replication sessions started since
> server s
>  tartup
> nsds5replicaUpdateInProgress: FALSE
> nsds5replicaLastInitStart: 20160901070452Z
> nsds5replicaLastInitEnd: 20160901070455Z
> nsds5replicaLastInitStatus: 0 Total update succeeded
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> After executing schema-reload.pl on ldap2 I have these lines in the
> log:
> Failed to add task entry "cn=schema_reload_2016_9_1_10_6_17, cn=schema
> reload task, cn=tasks, cn=config" error (49)
Error 49 = invalid credentials.  You entered the wrong password - this
prevented the schema reload task from taking place.  You can also
restart the directory server which will do the same thing as the schema
reload task.  The schema reload task is just so you can reload new
schema files without having to restart the server.
> [01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
> "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl
> "permission:System: Read system trust accounts";allow
> (compare,read,search) groupdn = "ldap:///cn=System: Read system trust
> accounts,cn=permissions,cn=pbac,dc=example,dc=com";)) ACL will not be
> considered for evaluation because of syntax errors.
> [01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
> targetattr "ipaanchoruuid" does not exist in schema. Please add
> attributeTypes "ipaanchoruuid" to schema if necessary. 
> [01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "cn
> [01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
> "cn || createtimestamp || description || entryusn || gidnumber ||
> ipaanchoruuid || modifytimestamp || objectclass")(targetfilter =
> "(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System:
> Read Group ID Overrides";allow (compare,read,search) userdn =
> "ldap:///all";;)) ACL will not be considered for evaluation because of
> syntax errors.
> [01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
> targetattr "ipaanchoruuid" does not exist in schema. Please add
> attributeTypes "ipaanchoruuid" to schema if necessary. 
> [01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "createtimestamp
> [01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
> "createtimestamp || description || entryusn || gecos || gidnumber ||
> homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey ||
> loginshell || modifytimestamp || objectclass || uid ||
> uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version
> 3.0;acl "permission:System: Read User ID Overrides";allow
> (compare,read,search) userdn = "ldap:///all";;)) ACL will not be
> considered for evaluation because of syntax errors.
> [01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
> targetattr "a6record" does not exist in schema. Please add
> attributeTypes "a6record" to schema if necessary. 
> [01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
> (targetattr = "a6rec
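
As an added diagnostic example (not code from either poster or from the 389-DS project), the following Python script automates the two checks the reply above asks for by hand. It scans 389-DS errors-log lines for the NSMMReplicationPlugin schema-push warning and the NSACLPlugin "does not exist in schema" messages, listing each attribute type the consumer's schema lacks, and it parses the replication agreement entry from LDIF (unfolding RFC 2849 continuation lines) to flag an agreement whose incremental session has never run and one that binds with SIMPLE over plain LDAP. Both sample inputs are constructed from the lines quoted in the thread, with the AES credential blob replaced by a placeholder; nsDS5ReplicaTransportInfo is a real 389-DS agreement attribute that the posted entry does not show, so its absence is treated as the plain-LDAP default.

```python
"""Added diagnostic helpers for the two artifacts quoted in this thread:
389-DS errors-log lines and a replication agreement entry in LDIF.
All sample input below is constructed from the posted lines, not captured live."""
import re

# Constructed sample: log lines modelled on the ones posted above,
# with the timezone suffix written out as +0000.
SAMPLE_ERRORS_LOG = """\
[01/Sep/2016:07:04:53 +0000] NSMMReplicationPlugin - Warning: unable to replicate schema to host ldap2, port 389. Continuing with total update session.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "cn
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "ipaanchoruuid" does not exist in schema. Please add attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - __aclp__init_targetattr: targetattr "a6record" does not exist in schema. Please add attributeTypes "a6record" to schema if necessary.
[01/Sep/2016:07:04:59 +0000] NSACLPlugin - ACL PARSE ERR(rv=-5): (targetattr = "a6record
"""

# Constructed sample: the posted agreement entry with proper LDIF folding
# (continuation lines start with one space) and the credential blob replaced
# by a placeholder. Raw string so the \3D / \2C escapes in the DN survive.
SAMPLE_AGREEMENT_LDIF = r"""dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,
 cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaCredentials: {AES-PLACEHOLDER}PLACEHOLDER
nsds5replicaLastUpdateStart: 19700101000000Z
nsds5replicaLastUpdateEnd: 19700101000000Z
nsds5replicaLastUpdateStatus: 0 No replication sessions started since server s
 tartup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160901070452Z
nsds5replicaLastInitEnd: 20160901070455Z
nsds5replicaLastInitStatus: 0 Total update succeeded
"""

MISSING_ATTR_RE = re.compile(r'targetattr "([^"]+)" does not exist in schema')
ACL_PARSE_ERR_RE = re.compile(r"NSACLPlugin - ACL PARSE ERR\(rv=(-?\d+)\)")
SCHEMA_PUSH_RE = re.compile(r"unable to replicate schema to host (\S+), port (\d+)")


def summarize_errors_log(text):
    """Return the attribute types the consumer's schema lacks (deduplicated,
    first-seen order), the ACL parse-error count and any failed schema pushes."""
    missing, acl_errors, pushes = [], 0, []
    for line in text.splitlines():
        m = MISSING_ATTR_RE.search(line)
        if m and m.group(1) not in missing:
            missing.append(m.group(1))
        if ACL_PARSE_ERR_RE.search(line):
            acl_errors += 1
        m = SCHEMA_PUSH_RE.search(line)
        if m:
            pushes.append((m.group(1), int(m.group(2))))
    return {"missing_attributes": missing, "acl_parse_errors": acl_errors,
            "schema_push_failures": pushes}


def parse_ldif_entry(text):
    """Unfold RFC 2849 continuation lines and collect attribute values.
    Keys are lower-cased because LDAP attribute names are case-insensitive."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        elif line.strip() and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def assess_agreement(entry):
    """Flag the conditions visible in the posted agreement entry."""
    def first(name, default=""):
        return entry.get(name, [default])[0]
    findings = []
    if not first("nsds5replicalastinitstatus").startswith("0"):
        findings.append("last total update failed: " + first("nsds5replicalastinitstatus"))
    if first("nsds5replicalastupdatestart").startswith("1970"):
        findings.append("no incremental session has ever run (LastUpdateStart is the epoch): "
                        + first("nsds5replicalastupdatestatus"))
    # nsDS5ReplicaTransportInfo defaults to plain LDAP when absent (assumption
    # stated in the lead-in; the posted entry does not carry the attribute).
    transport = first("nsds5replicatransportinfo", "LDAP").upper()
    if first("nsds5replicabindmethod").upper() == "SIMPLE" and transport not in ("SSL", "TLS"):
        findings.append("SIMPLE bind over plain LDAP to port %s: the replication manager "
                        "password is sent unencrypted" % first("nsds5replicaport"))
    return findings


if __name__ == "__main__":
    report = summarize_errors_log(SAMPLE_ERRORS_LOG)
    print("attribute types missing on consumer:", ", ".join(report["missing_attributes"]))
    print("ACL parse errors:", report["acl_parse_errors"])
    for host, port in report["schema_push_failures"]:
        print("schema push to %s:%d failed" % (host, port))
    for finding in assess_agreement(parse_ldif_entry(SAMPLE_AGREEMENT_LDIF)):
        print("agreement:", finding)
```

Run against a real errors log (`summarize_errors_log(open("/path/to/errors").read())`) the first function gives the list of attribute types to add to the consumer's schema before the ACIs will parse; the agreement check is meant for the LDIF produced by the ldapsearch shown in the thread. The epoch test keys on a `1970` prefix so it tolerates the zero-stripped value the archive shows as well as a full generalized-time string.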

[Freeipa-users] Replication scheme problem

2016-09-01 Thread Andrey Rogovsky
Hi!
I have 2 servers - ldap1 is FreeIPA (master) and ldap2 is 389 DS (slave).
One-way replication ldap1 -> ldap2 is enabled, but the schema is not replicated:

The log file on ldap1 has this line:
[01/Sep/2016:07:04:53 +] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ldap2, port 389. Continuing with total update
session.

Here is the current status:
filter: (objectclass=nsds5replicationagreement)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=nsds5replicationagreement)
# requesting: ALL
#

# ExampleAgreement, replica, dc\3Dexample\2Cdc\3Dcom, mapping tree, config
dn: cn=ExampleAgreement,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,
 cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: ExampleAgreement
nsDS5ReplicaHost: ldap2
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=example,dc=com
description: agreement between supplier1 and consumer1
nsDS5ReplicaUpdateSchedule: -0500 1
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE
authorityRevocationLis
 t
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmxPVFl4TlRsbU5DMWtaV0UyTXpZeA0KTVMxaU1UYzFaREF3Wmkwek5qRmxNalkxWkFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQURJbjhNUWpLM1VqU1
 M1SGZEUTY0TA==}mwxKHUYWXjNeyo1AGRWe9A==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 1970010100Z
nsds5replicaLastUpdateEnd: 1970010100Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 No replication sessions started since
server s
 tartup
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20160901070452Z
nsds5replicaLastInitEnd: 20160901070455Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


After executing schema-reload.pl on ldap2 I have these lines in the log:
Failed to add task entry "cn=schema_reload_2016_9_1_10_6_17, cn=schema
reload task, cn=tasks, cn=config" error (49)
[01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
"gidnumber || krbprincipalname || uidnumber")(version 3.0;acl
"permission:System: Read system trust accounts";allow (compare,read,search)
groupdn = "ldap:///cn=System: Read system trust
accounts,cn=permissions,cn=pbac,dc=example,dc=com";)) ACL will not be
considered for evaluation because of syntax errors.
[01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
targetattr "ipaanchoruuid" does not exist in schema. Please add
attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "cn
[01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr = "cn
|| createtimestamp || description || entryusn || gidnumber || ipaanchoruuid
|| modifytimestamp || objectclass")(targetfilter =
"(objectclass=ipaGroupOverride)")(version 3.0;acl "permission:System: Read
Group ID Overrides";allow (compare,read,search) userdn = "ldap:///all";;))
ACL will not be considered for evaluation because of syntax errors.
[01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
targetattr "ipaanchoruuid" does not exist in schema. Please add
attributeTypes "ipaanchoruuid" to schema if necessary.
[01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "createtimestamp
[01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
"createtimestamp || description || entryusn || gecos || gidnumber ||
homedirectory || ipaanchoruuid || ipaoriginaluid || ipasshpubkey ||
loginshell || modifytimestamp || objectclass || uid ||
uidnumber")(targetfilter = "(objectclass=ipaUserOverride)")(version 3.0;acl
"permission:System: Read User ID Overrides";allow (compare,read,search)
userdn = "ldap:///all";;)) ACL will not be considered for evaluation because
of syntax errors.
[01/Sep/2016:07:04:59 +] NSACLPlugin - __aclp__init_targetattr:
targetattr "a6record" does not exist in schema. Please add attributeTypes
"a6record" to schema if necessary.
[01/Sep/2016:07:04:59 +] NSACLPlugin - ACL PARSE ERR(rv=-5):
(targetattr = "a6record
[01/Sep/2016:07:04:59 +] NSACLPlugin - Error: This  ((targetattr =
"a6record || record || afsdbrecord || aplrecord || arecord ||
certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord
|| dnsclass || dnsttl || dsrecord || hinforecord || hiprecord ||
idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname ||
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname ||
idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord
|| nsecrecord || nsec3paramrecord || nsrecord || nxtrecord ||