[Freeipa-users] Replication error

Petr Vobornik pvoborni at redhat.com
Mon May 2 17:40:36 UTC 2016


On 04/29/2016 09:54 AM, Anton Rubets wrote:
> Hi
> Yep, now the "request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)" message is gone,
> but I still have
> attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed.
> Maybe you can help me find out where I need to look? dirsrv, ldap, client, sssd etc.
> Best Regards
> Anton Rubets

There is probably still some dangling RUV left in the dirsrv o=ipaca suffix.
I'll repeat the procedure for future linking.

1. Get list of replicas with CA:
 # ipa-csreplica-manage list

2. For *each* replica (here ipa1.example.test) get the list of RUVs and its
replica ID:
 # ldapsearch -ZZ -h ipa1.example.test -D "cn=Directory Manager" -W -b "o=ipaca" \
     "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" \
     | grep "nsds50ruv\|nsDS5ReplicaId"


replica id looks like:
  nsDS5ReplicaId: 6

ruv looks like:
  nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e7

note that it is wrapped and grepped; an unwrapped RUV is e.g.:
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e284000000060000 57278b7e000000060000


You can see that RUV contains a replica ID (8 in the example).
"nsds50ruv: {replicageneration} 56f3e283000000060000" can be ignored.

3. Find all RUVs which don't have an existing replica ID. Hint: if the
replica wasn't reinstalled then the hostname will also differ, which is a
nice indicator of a dangling RUV.

4. Run the cleanallruv task for each dangling RUV identified in step 3; here the
RUV is 13.

# ldapmodify -ZZ -D "cn=directory manager" -W -a
dn: cn=clean 13, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: o=ipaca
replica-id: 13
cn: clean 13


So if you have e.g. 3 replicas with CA with IDs 8, 12, 10 (note that
versions prior to FreeIPA 4.3 have higher numbers for the CA suffix) and
nsds50ruv shows only these IDs then you don't need to clean anything.

Full example:

# ipa-csreplica-manage list
Directory Manager password:

ipa1.example.test: master
ipa2.example.test: master
ipa3.example.test: master

# ldapsearch -ZZ -h ipa1.example.test ...
nsDS5ReplicaId: 6
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7

# ldapsearch -ZZ -h ipa2.example.test ...
nsDS5ReplicaId: 5
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7
nsds50ruv: {replica 3 ldap://ipa4.example.test:389} 56f3e1
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2

# ldapsearch -ZZ -h ipa3.example.test ...
nsDS5ReplicaId: 8
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e7
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e2
nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d2
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2

Here the correct replica IDs are 8,5,5.

Dangling are 3 and 9, so the cleanallruv task would be run for 3 and 9.


> ________________________________________
> From: Petr Vobornik <pvoborni at redhat.com>
> Sent: Thursday, April 28, 2016 1:49 PM
> To: Anton Rubets; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Replication error
> 
> On 04/26/2016 02:02 PM, Anton Rubets wrote:
>> Hi all
>>
>> I have issues with replication between two FreeIPA servers
>>
>> In the master's log
>>
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap2.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap2.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:10:38:12 +0200] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap2.domain389/o%3Dipaca) failed.
>> [26/Apr/2016:10:39:35 +0200] slapi_ldap_bind - Error: could not send startTLS
>> request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory)
>>
>>
>> On replica server
>>
>>
>> [26/Apr/2016:08:38:12 +0000] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap1domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
>> [26/Apr/2016:08:43:13 +0000] attrlist_replace - attr_replace (nsslapd-referral,
>> ldap://ldap1.domain:389/o%3Dipaca) failed.
> 
> This is a symptom of dangling RUVs (replica update vectors) of previously
> removed replicas.
> 
> It happens when a replica is removed using:
>   # ipa-replica-manage del $replica
>   # ipa-server-install --uninstall (on replica)
> 
> without running:
>   # ipa-csreplica-manage del $replica
> first
> 
> The resolution is to clear the RUVs manually using the clean RUV DS task because
> ipa-csreplica-manage doesn't have support for it. FreeIPA 4.4 will
> receive a new command which will handle both suffixes automatically - #5411.
> 
> The instructions can be found on the list:
> * https://www.redhat.com/archives/freeipa-users/2015-June/msg00386.html
> * https://www.redhat.com/archives/freeipa-users/2015-June/msg00416.html
> 
> and
> * http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html
> * or general procedure for future feature:
> https://fedorahosted.org/freeipa/ticket/5411#comment:7
> 
> 
> Important: Be very careful not to remove RUVs of existing replicas.
> 
> 
>>
>>
>> And I can't find the source of this problem. I have checked permissions etc. As
>> I see it the replica is working, but this message disturbs my email every few minutes and
>> I want to somehow fix this. Also I just migrated from 3.0 to 4.2.
>> Info:
>> Master :
>>   rpm -qa | grep ipa
>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.x86_64
>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.x86_64
>> sssd-ipa-1.13.0-40.el7_2.2.x86_64
>> ipa-client-4.2.0-15.0.1.el7.centos.6.x86_64
>> libipa_hbac-1.13.0-40.el7_2.2.x86_64
>> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
>> python-iniparse-0.4-9.el7.noarch
>> ipa-python-4.2.0-15.0.1.el7.centos.6.x86_64
>> ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64
>>
>> Replica:
>> rpm -qa | grep ipa
>> sssd-ipa-1.13.0-40.el7_2.2.x86_64
>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> libipa_hbac-1.13.0-40.el7_2.2.x86_64
>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> python-libipa_hbac-1.13.0-40.el7_2.2.x86_64
>> python-iniparse-0.4-9.el7.noarch
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>>
>>
>> Best Regards
>> Anton Rubets
> --
> Petr Vobornik
> 


-- 
Petr Vobornik
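As an added example (my own script, not code from the post above or from the FreeIPA/389-ds projects), the following POSIX shell automates step 3 of the procedure: concatenate the grep'd ldapsearch output from *every* CA replica, pipe it in, and it prints the replica IDs that appear in some RUV but belong to no live replica, then emits the cleanallruv LDIF for those IDs only. The function names and the sample data are mine; the sample reproduces the three-replica example from the post (with constructed CSN values in place of the truncated ones).

```shell
#!/bin/sh
# Added example, not part of the original post. Finds dangling RUV replica IDs
# in "ldapsearch ... | grep 'nsds50ruv\|nsDS5ReplicaId'" output from all CA
# replicas and writes cleanallruv LDIF for them. Function names are my own.

# Live replica IDs: one "nsDS5ReplicaId: N" line per replica queried.
live_ids() {
    awk '$1 == "nsDS5ReplicaId:" { print $2 }' | sort -nu
}

# Replica IDs referenced by RUV elements. "{replicageneration}" lines carry no
# replica ID and are skipped because their second field is not "{replica".
# Only the first line of a (possibly LDIF-wrapped) value is needed, so wrapped
# output from grep is handled just as well as unwrapped output.
ruv_ids() {
    awk '$1 == "nsds50ruv:" && $2 == "{replica" { print $3 }' | sort -nu
}

# IDs present in some RUV but owned by no live replica, space separated, sorted.
dangling_ids() {
    data=$(cat)
    live=$(printf '%s\n' "$data" | live_ids)
    for id in $(printf '%s\n' "$data" | ruv_ids); do
        printf '%s\n' "$live" | grep -qx "$id" || printf '%s\n' "$id"
    done | tr '\n' ' ' | sed 's/ $//'
}

# LDIF for one cleanallruv task, same shape as the ldapmodify input in the post.
# $1 = replica ID, $2 = suffix (defaults to o=ipaca).
cleanallruv_ldif() {
    suffix=${2:-o=ipaca}
    printf 'dn: cn=clean %s, cn=cleanallruv, cn=tasks, cn=config\n' "$1"
    printf 'objectclass: extensibleObject\n'
    printf 'replica-base-dn: %s\n' "$suffix"
    printf 'replica-id: %s\n' "$1"
    printf 'cn: clean %s\n\n' "$1"
}

# Emit cleanallruv LDIF for the IDs given as arguments, but only after checking
# each one against the live replica set read from stdin. This is the guard for
# the "be very careful not to remove RUVs of existing replicas" warning.
safe_ldif() {
    live=$(live_ids)
    for id in "$@"; do
        if printf '%s\n' "$live" | grep -qx "$id"; then
            echo "refusing: replica ID $id belongs to a live replica" >&2
            return 1
        fi
        cleanallruv_ldif "$id"
    done
}

# Constructed sample: the three-replica example from the post, concatenated,
# with made-up unwrapped CSN values (the real ones were cut off by wrapping).
sample_ldapsearch_output() {
    cat <<'EOF'
nsDS5ReplicaId: 6
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e284000000060000 57278b7e000000060000
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e285000000050000 57278b7e000000050000
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e786000000080000 57278b7e000000080000
nsDS5ReplicaId: 5
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e285000000050000 57278b7e000000050000
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e786000000080000 57278b7e000000080000
nsds50ruv: {replica 3 ldap://ipa4.example.test:389} 56f3e181000000030000 56f3e1f0000000030000
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e284000000060000 57278b7e000000060000
nsDS5ReplicaId: 8
nsds50ruv: {replicageneration} 56f3e283000000060000
nsds50ruv: {replica 8 ldap://ipa3.example.test:389} 56f3e786000000080000 57278b7e000000080000
nsds50ruv: {replica 5 ldap://ipa2.example.test:389} 56f3e285000000050000 57278b7e000000050000
nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d201000000090000 56f3d2ff000000090000
nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e284000000060000 57278b7e000000060000
EOF
}

# sample_ldapsearch_output | dangling_ids      # prints: 3 9
# sample_ldapsearch_output | safe_ldif 3 9     # LDIF for replica 3 and 9
# sample_ldapsearch_output | safe_ldif 6       # refused, exit status 1
```

In practice, run the ldapsearch from step 2 against each host listed by ipa-csreplica-manage, append all of the output to one file, and feed that file to dangling_ids. Then review the result by hand (the hostname hint from step 3 is still worth checking), generate the LDIF with safe_ldif only for the IDs you have confirmed, and apply it with the ldapmodify command from step 4 using -f on the saved file. Note that replica 9 in the sample sits on ipa2.example.test, the same hostname as live replica 5, so a hostname check alone would not have caught it; the ID comparison does.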