[Fedora-directory-users] Chain on Update Problem

Nathan Kinder nkinder at redhat.com
Tue Sep 5 23:42:50 UTC 2006


Try using a different bind DN for chaining than your "cn=Replication 
Manager, cn=config" user.  It could be that replication is getting 
confused when chaining updates are being performed by that user since it 
will assume that updates by that user were sent via a replication 
agreement.  I would create a chaining specific user such as "cn=Chaining 
Manager, cn=config" and configure chaining to use that user.

-NGK
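
A configuration check for the condition described above, as an added example that is not part of the original message or of Fedora Directory Server: it flags any chaining backend whose `nsmultiplexorbinddn` is also named as an `nsDS5ReplicaBindDN`. The sample is constructed from the attributes posted later in this thread, and it assumes the masters' replica entries name the same bind DN as the consumer's; the function names are hypothetical.

```python
import re

# Constructed sample: the relevant attributes from the consumer configuration
# posted in this thread, with the credential replaced by a placeholder.
SAMPLE_DSE = """\
dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: nsDS5Replica
nsDS5ReplicaRoot: dc=hg,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
nsDS5ReplicaId: 65535

dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=hg,dc=com
nsmultiplexorbinddn: cn=Replication Manager, cn=config
nsmultiplexorcredentials: {DES}PLACEHOLDER
nsproxiedauthorization: on
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:      # LDIF folded continuation line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                   # a blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):               # LDIF comment
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.lstrip(": ").strip())
    return entries


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around its separators.

    Simplified for bind DNs such as the ones in this thread: quoted and
    multi-valued RDNs are not handled.
    """
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower()
        for rdn in rdns
    )


def shared_bind_dns(entries):
    """List (backend DN, bind DN) pairs where chaining reuses a replication bind DN."""
    replication_dns = {
        normalize_dn(value)
        for entry in entries
        for value in entry.get("nsds5replicabinddn", [])
    }
    findings = []
    for entry in entries:
        for value in entry.get("nsmultiplexorbinddn", []):
            if normalize_dn(value) in replication_dns:
                findings.append((entry["dn"][0], value))
    return findings


if __name__ == "__main__":
    for backend, bind_dn in shared_bind_dns(parse_ldif(SAMPLE_DSE)):
        print("%s binds as replication identity %r" % (backend, bind_dn))
```

The two DNs in the posted configuration differ only by a space after the comma, which is why the comparison runs on normalized DNs.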

James B Newby wrote:
> Example 1:
>
> Adding an entry to the consumer:
>
> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
> Enter bind password:
> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> objectClass: hgperson
> telephonenumber: 555-555-5555
> sn: Body
> cn: Some Body
> givenName: Some
> mail: sbody at highergear.com
> uid: sbody
> adding new entry uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>
> [root at ldap1 bin]#
>
> Searching for entry on consumer:
>
> [root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h 
> localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: objectClass: hgperson
> nscpEntryWsi: objectClass: inetOrgPerson
> nscpEntryWsi: objectClass: organizationalPerson
> nscpEntryWsi: objectClass: person
> nscpEntryWsi: objectClass: top
> nscpEntryWsi: telephoneNumber: 555-555-5555
> nscpEntryWsi: sn: Body
> nscpEntryWsi: cn: Some Body
> nscpEntryWsi: givenName: Some
> nscpEntryWsi: mail: sbody at highergear.com
> nscpEntryWsi: uid: sbody
> nscpEntryWsi: creatorsName: cn=manager
> nscpEntryWsi: modifiersName: cn=manager
> nscpEntryWsi: createTimestamp: 20060905232428Z
> nscpEntryWsi: modifyTimestamp: 20060905232428Z
> nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19720
> nscpEntryWsi: entrydn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
> [root at ldap1 bin]#
>
> Search for entry on Master 1:
>
> [root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - 
> -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> [root at ldap1-mw1 bin]#
>
> Search for entry on Master 2:
>
> [root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - 
> -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> [root at ldap2-mw1 bin]#
>
> -------------------------------------------------------
>
> Example 2:
>
> Create an entry on Master 1:
>
> [root at ldap1-mw1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost 
> -p 1389
> Enter bind password:
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> telephoneNumber: 800-555-5555
> userPassword: <PASSWORD_ERASED>
> cn: Some Employee
> sn: Employee
> objectClass: hgperson
> givenName: Some
> uid: semployee
> mail: semployee at highergear.com
>
> adding new entry uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>
> [root at ldap1-mw1 bin]#
>
> Search for entry on Master 1:
> [root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - 
> -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: 
> organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: 
> uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl
> oyee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: 
> {SSHA}<PASSWORD_ERASED>
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19718
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root at ldap1-mw1 bin]#
>
> Search for Entry on Master 2:
> [root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - 
> -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: 
> organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: 
> uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl
> oyee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: 
> {SSHA}<PASSWORD_ERASED>
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19718
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root at ldap2-mw1 bin]#
>
> Search for entry on consumer:
> [root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h 
> localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: 
> organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: 
> uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl
> oyee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: 
> {SSHA}<PASSWORD_ERASED>
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19719
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root at ldap1 bin]#
>
>
>
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Yes, it is a read-only consumer, set up as per instructions in the 
>>> administration guide.
>>> My multi-master replication scheme works fine.  When chaining is not 
>>> set up, write operations to the read-only consumer fail.  When 
>>> chaining is set up, writes can be made to the read-only consumer but 
>>> they do not propagate to the master.
>> But the entry is successfully added and can be successfully 
>> searched.  So it must exist on a master somewhere?  Try this - do a 
>> search for the entry after adding it - in addition to the usual 
>> attributes, request the replication state information - ask for the 
>> attribute nscpEntryWsi, and also the nsUniqueID attribute.  With this 
>> information, we can determine on which master (replica ID) the entry 
>> was added on and at what time.
>>>
>>> Are there any other queries I should make to the server in order to 
>>> give you more information?
>>>
>>> Richard Megginson wrote:
>>>> James B Newby wrote:
>>>>> Yes.  I can add or modify entries on the consumer with update 
>>>>> chaining set up, but those changes do not propagate to the 
>>>>> master.  If I search on the master for the entry created on the 
>>>>> consumer :
>>>>>
>>>>> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager 
>>>>> -w - -h localhost -p 1389 uid=nbody
>>>>> Enter bind password:
>>>>> [root at ldap1-mw1 bin]$
>>>>>
>>>>> It's not there.  As I said in an earlier message, I've followed 
>>>>> the instructions in the Chain on Update HOWTO, but I can't get it 
>>>>> to work.  I've reviewed the Administrator Guide as well as 
>>>>> searching the Internet for an answer but no luck.
>>>> So, is this a read only consumer?  If so, you should not be able 
>>>> to write to it.  That's what is confusing me.  If this is a 
>>>> read-only consumer, you should get an err=10 back from a write 
>>>> operation if chaining is not set up.
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> James B Newby wrote:
>>>>>>> Well actually the entry was already there; I just made a small 
>>>>>>> change to one of the attributes on the consumer through the 
>>>>>>> directory console.
>>>>>>>
>>>>>>> I added a new entry on the consumer from the command line:
>>>>>>>
>>>>>>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h 
>>>>>>> localhost -p 1389
>>>>>>> Enter bind password:
>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>> telephoneNumber: 800-555-5555
>>>>>>> userPassword: <erased>
>>>>>>> cn: No Body
>>>>>>> sn: Body
>>>>>>> objectClass: hgperson
>>>>>>> objectClass: inetorgperson
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: person
>>>>>>> objectClass: top
>>>>>>> givenName: No
>>>>>>> uid: nbody
>>>>>>> mail: nbody at highergear.com
>>>>>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>>
>>>>>>> [root at ldap1 bin]#
>>>>>>>
>>>>>>> Then I searched for that user on the consumer's command line:
>>>>>>> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager 
>>>>>>> -w - -h localhost -p 1389 uid=nbody
>>>>>>> Enter bind password:
>>>>>>> version: 1
>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>> telephoneNumber: 800-555-5555
>>>>>>> cn: No Body
>>>>>>> sn: Body
>>>>>>> objectClass: hgperson
>>>>>>> objectClass: inetorgperson
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: person
>>>>>>> objectClass: top
>>>>>>> givenName: No
>>>>>>> uid: nbody
>>>>>>> mail: nbody at highergear.com
>>>>>>> userPassword: {SSHA}<erased>
>>>>>>> [root at ldap1 bin]#
>>>>>>>
>>>>>>> Here is what resulted in the access log of the consumer:
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection 
>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" 
>>>>>>> method=128 version=3
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 
>>>>>>> nentries=0 etime=0 dn="cn=manager"
>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD 
>>>>>>> dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 
>>>>>>> nentries=0 etime=0
>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection 
>>>>>>> from 127.0.0.1 to 127.0.0.1
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" 
>>>>>>> method=128 version=3
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 
>>>>>>> nentries=0 etime=0 dn="cn=manager"
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH 
>>>>>>> base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1
>>>>>> So it appears to be working?
>>>>>>>
>>>>>>> I then searched for that new entry in the Directory Console and 
>>>>>>> the following log entries resulted:
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH 
>>>>>>> base="ou=people,o=thgg,dc=hg,dc=com" scope=1 
>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>> attrs="objectClass numSubordinates ref aci"
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou 
>>>>>>> sn (196)
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 
>>>>>>> nentries=196 etime=0 notes=U
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH 
>>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 
>>>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm 
>>>>>>> database, cn=plugins, cn=config" scope=2 
>>>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix 
>>>>>>> nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 
>>>>>>> nentries=2 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 
>>>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC 
>>>>>>> uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm 
>>>>>>> database, cn=plugins, cn=config" scope=0 
>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 
>>>>>>> nentries=0 etime=0
>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH 
>>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry 
>>>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic 
>>>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix 
>>>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime 
>>>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit 
>>>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit 
>>>>>>> passwordHistory retryCountResetTime passwordAllowChangeTime aci 
>>>>>>> entryid nsIdleTimeout entrydn copyingFrom nsAccountLock 
>>>>>>> nsds5ReplConflict modifyTimestamp passwordGraceUserTime 
>>>>>>> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName 
>>>>>>> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp 
>>>>>>> nsLookThroughLimit *"
>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH 
>>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>> filter="(objectClass=*)" attrs="*"
>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 
>>>>>>> nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH 
>>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>>>>> This appears to be working also?
>>>>>>>
>>>>>>> -James
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> James B Newby wrote:
>>>>>>>>> I found the MOD line in the consumer's access log.  I saw no 
>>>>>>>>> entry in the master's access log regarding that entry.  It 
>>>>>>>>> seems as if the request doesn't make it to the master.  I can 
>>>>>>>>> telnet into the ldap port on the master from the consumer.
>>>>>>>>>
>>>>>>>>> I installed Fedora Directory Server from 
>>>>>>>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines.  All three 
>>>>>>>>> machines are Intel/CentOS 4.3.
>>>>>>>>>
>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> In the consumer's access log:
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH 
>>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 
>>>>>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm 
>>>>>>>>> database, cn=plugins, cn=config" scope=2 
>>>>>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix 
>>>>>>>>> nsBackendSuffix"
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 
>>>>>>>>> nentries=2 etime=0
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 
>>>>>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC 
>>>>>>>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm 
>>>>>>>>> database, cn=plugins, cn=config" scope=0 
>>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 
>>>>>>>>> tag=101 nentries=0 etime=0
>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH 
>>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry 
>>>>>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic 
>>>>>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix 
>>>>>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime 
>>>>>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit 
>>>>>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit 
>>>>>>>>> passwordHistory retryCountResetTime passwordAllowChangeTime 
>>>>>>>>> aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock 
>>>>>>>>> nsds5ReplConflict modifyTimestamp passwordGraceUserTime 
>>>>>>>>> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName 
>>>>>>>>> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp 
>>>>>>>>> nsLookThroughLimit *"
>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH 
>>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>>>> filter="(objectClass=*)" attrs="*"
>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH 
>>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0
>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD 
>>>>>>>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 
>>>>>>>>> nentries=0 etime=0
>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH 
>>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 
>>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" 
>>>>>>>>> attrs="objectClass numSubordinates ref aci"
>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o 
>>>>>>>>> ou sn (1)
>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 
>>>>>>>>> nentries=1 etime=0 notes=U
>>>>>>>> Weird.  It looks as though you added the entry to the local 
>>>>>>>> server, and were able to search for it right away.  e.g. you 
>>>>>>>> search for uid=jhines, and the server replies with err=0 and 
>>>>>>>> nentries=1.  Can you try the same search from the ldapsearch 
>>>>>>>> command line?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>> James B Newby wrote:
>>>>>>>>>>> Hello all,
>>>>>>>>>>>
>>>>>>>>>>> I'm having a problem with my consumer's chain on update.  I 
>>>>>>>>>>> have a setup with two masters and one consumer.  
>>>>>>>>>>> Multi-master replication is working properly.  Changes made 
>>>>>>>>>>> on either master propagate to the other master and to the 
>>>>>>>>>>> consumer.
>>>>>>>>>>>
>>>>>>>>>>> Before setting up chaining, changes made on the consumer 
>>>>>>>>>>> from the directory console would be denied.  After setting 
>>>>>>>>>>> up chaining per the wiki entry:
>>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
>>>>>>>>>>> changes could be made on the consumer through the directory 
>>>>>>>>>>> console, but would not propagate to the master.
>>>>>>>>>> How are you testing/verifying the change doesn't get 
>>>>>>>>>> through?  Note that if you make the change in the console, 
>>>>>>>>>> the console will not automatically refresh.  I would first 
>>>>>>>>>> check the access log on the consumer to find the ADD or MOD 
>>>>>>>>>> request, then see if that request made it to a master, then 
>>>>>>>>>> see if the master rejected it and why.
>>>>>>>>>>>
>>>>>>>>>>> I saw an e-mail with a similar problem in the December 2005 
>>>>>>>>>>> archive, but didn't see any info in the replies that would 
>>>>>>>>>>> help me.  I've tried setting this up from scratch a couple 
>>>>>>>>>>> times, but without success.  The responses to ILoveJython's 
>>>>>>>>>>> email in December suggested that certain entries be pasted 
>>>>>>>>>>> in, so I've included them below.
>>>>>>>>>>>
>>>>>>>>>>> The following acl is included in dc=hg,dc=com:
>>>>>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization 
>>>>>>>>>>> for database links";allow (proxy) (userdn = 
>>>>>>>>>>> "ldap:///cn=Replication Manager, cn=config");)
>>>>>>>>>>> Since multi-master replication is set up, this entry is 
>>>>>>>>>>> present on all three servers.
>>>>>>>>>>>
>>>>>>>>>>> Any help would be appreciated!  Thanks!
>>>>>>>>>>>
>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>> objectClass: nsMappingTree
>>>>>>>>>>> nsslapd-state: backend
>>>>>>>>>>> cn: "dc=hg,dc=com"
>>>>>>>>>>> cn: dc=hg,dc=com
>>>>>>>>>>> nsslapd-backend: userRoot
>>>>>>>>>>> nsslapd-backend: chainbe1
>>>>>>>>>>> nsslapd-referral: 
>>>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>> nsslapd-referral: 
>>>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>> nsslapd-distribution-plugin: 
>>>>>>>>>>> /opt/fedora-ds/lib/replication-plugin.so
>>>>>>>>>>> nsslapd-distribution-funct: repl_chain_on_update
>>>>>>>>>>>
>>>>>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>>>>>> objectClass: nsDS5Replica
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>>>>>>>>>> nsDS5ReplicaType: 2
>>>>>>>>>>> nsDS5Flags: 0
>>>>>>>>>>> nsds5ReplicaPurgeDelay: 604800
>>>>>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>>>>>>>>>> cn: replica
>>>>>>>>>>> nsDS5ReplicaId: 65535
>>>>>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>>>>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>>>>>>>>>> nsDS5ReplicaReferral: 
>>>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>> nsDS5ReplicaReferral: 
>>>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>> nsds5ReplicaChangeCount: 0
>>>>>>>>>>> nsds5replicareapactive: 0
>>>>>>>>>>>
>>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>>> cn: config
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>>>>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>>>>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>>>>>>>>>> nspossiblechainingcomponents: cn=resource 
>>>>>>>>>>> limits,cn=components,cn=config
>>>>>>>>>>> nspossiblechainingcomponents: cn=certificate-based 
>>>>>>>>>>> authentication,cn=component
>>>>>>>>>>> s,cn=config
>>>>>>>>>>> nspossiblechainingcomponents: cn=ACL 
>>>>>>>>>>> Plugin,cn=plugins,cn=config
>>>>>>>>>>> nspossiblechainingcomponents: cn=old 
>>>>>>>>>>> plugin,cn=plugins,cn=config
>>>>>>>>>>> nspossiblechainingcomponents: cn=referential integrity 
>>>>>>>>>>> postoperation,cn=plugin
>>>>>>>>>>> s,cn=config
>>>>>>>>>>> nspossiblechainingcomponents: cn=attribute 
>>>>>>>>>>> uniqueness,cn=plugins,cn=config
>>>>>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>>>>>>>>>> objectClass: top
>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>> objectClass: nsBackendInstance
>>>>>>>>>>> cn: chainbe1
>>>>>>>>>>> nsslapd-suffix: dc=hg,dc=com
>>>>>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 
>>>>>>>>>>> ldap2.mw1.highergear.com
>>>>>>>>>>> :1389/
>>>>>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>>>>>>>>>> nsmultiplexorcredentials: {DES}<PASSWORD ERASED>
>>>>>>>>>>> nsbindconnectionslimit: 3
>>>>>>>>>>> nsoperationconnectionslimit: 20
>>>>>>>>>>> nsabandonedsearchcheckinterval: 1
>>>>>>>>>>> nsconcurrentbindlimit: 10
>>>>>>>>>>> nsconcurrentoperationslimit: 2
>>>>>>>>>>> nsproxiedauthorization: on
>>>>>>>>>>> nsconnectionlife: 0
>>>>>>>>>>> nsbindtimeout: 15
>>>>>>>>>>> nsreferralonscopedsearch: off
>>>>>>>>>>> nschecklocalaci: on
>>>>>>>>>>> nsbindretrylimit: 3
>>>>>>>>>>> nsslapd-sizelimit: 2000
>>>>>>>>>>> nsslapd-timelimit: 3600
>>>>>>>>>>> nshoplimit: 10
>>>>>>>>>>> nsmaxresponsedelay: 60
>>>>>>>>>>> nsmaxtestresponsedelay: 15
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

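The replication state requested earlier in the thread can be read mechanically. The following is an added example, not part of the original messages or of Fedora Directory Server: it pulls the CSNs out of `nscpEntryWsi` output and splits each into timestamp, sequence number, replica ID and subsequence number. The two samples are constructed from lines in Example 2 (master) and Example 1 (consumer) above; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed samples: nscpEntryWsi lines taken from the searches quoted in
# this thread, trimmed, with the mail wrapping turned back into LDIF folding.
MASTER_ENTRY = """\
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl
 oyee
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
"""
CONSUMER_ENTRY = """\
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: cn: Some Body
nscpEntryWsi: creatorsName: cn=manager
nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
"""

# Attribute options such as ";vucsn-<csn>" and ";mdcsn-<csn>" carry the state.
CSN_RE = re.compile(r";[a-z]{2}csn-([0-9a-fA-F]{20})")


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the line above)."""
    return re.sub(r"\n ", "", text)


def parse_csn(csn):
    """Split a 20-hex-digit CSN into its four fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def origin(ldif_text):
    """Return (replica_id, time) for the oldest CSN in an entry's state.

    Returns None when the entry carries no CSN at all, as in the consumer
    search from Example 1.
    """
    csns = [parse_csn(c) for c in CSN_RE.findall(unfold(ldif_text))]
    if not csns:
        return None
    first = min(csns, key=lambda c: (c["time"], c["seq"], c["subseq"]))
    return first["replica_id"], first["time"]


if __name__ == "__main__":
    for name, text in (("master", MASTER_ENTRY), ("consumer", CONSUMER_ENTRY)):
        result = origin(text)
        if result is None:
            print("%s: no CSN state on this entry" % name)
        else:
            print("%s: replica ID %d at %s" % (name, result[0], result[1].isoformat()))
```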