On 11/05/2013 09:25 PM, Rich Megginson wrote:
> On 11/05/2013 01:03 PM, Tamas Papp wrote:
>> On 11/05/2013 03:58 PM, Rich Megginson wrote:
>>> On 11/05/2013 07:53 AM, Tamas Papp wrote:
>>>> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>>>> https://fedorahosted.org/389/ticket/47516
>>>>>
>>>>> This has been fixed upstream and in some releases - to allow
>>>>> replication to proceed despite excessive clock skew - what is your
>>>>> 389-ds-base version and platform?
>>>> What is the clock skewed? The date and time is the same on both
>>>> machines.
>>> VMs are notorious for having the clocks get out of sync - even
>>> temporarily.
>> What do you mean by this?
>> I definitely see the same time on the machines.
>> Also I can see in the log, that the replication is resumed. There is no
>> messages about the broken replication after the resume message.
>>
>>>> freeipa-admintools-3.3.2-1.fc19.x86_64
>>>> freeipa-client-3.3.2-1.fc19.x86_64
>>>> freeipa-python-3.3.2-1.fc19.x86_64
>>>> freeipa-server-3.3.2-1.fc19.x86_64
>>>> libipa_hbac-1.11.1-4.fc19.x86_64
>>>> libipa_hbac-python-1.11.1-4.fc19.x86_64
>>>> sssd-ipa-1.11.1-4.fc19.x86_64
>>>> 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
>>>> 389-ds-base-1.3.1.12-1.fc19.x86_64
>>>>
>>>> Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2
>>>> 14:09:09 UTC
>>>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>>>> Fedora 19.
>>>>
>>>>
>>>> How can I fix it?
>>> ldapmodify -x -D "cn=directory manager" -W <<EOF
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-ignore-time-skew
>>> nsslapd-ignore-time-skew: on
>>> EOF
>>>
>>> Do this on all of your servers.
>> I tried this, but no joy. Still not good:/
>
> Can you describe the exact steps you took, on all replicas?

I created ldif files:

# cat replication_ignore-time-skew.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

Then:

$ ldapmodify -x -D "cn=directory manager" -W -f replication_ignore-time-skew.ldif

But I don't see the changes:

# ldapsearch -x|grep -i ignore
#

Probably you realized, I'm not an ldap expert:)
But I assume it's because it doesn't exist right now, therefore it should be add not modify?

I don't want to try it now, because currently it's working. Maybe when it fails again.

Thanks,
tamas
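
An added example, not part of the original thread or of the 389-ds project: one way to confirm the nsslapd-ignore-time-skew value on every replica is to read cn=config directly, naming it as the search base and binding as the directory manager. The PWFILE variable, the host arguments and the sample LDIF are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: report nsslapd-ignore-time-skew for each replica.
ATTR=nsslapd-ignore-time-skew

# Read ldapsearch LDIF on stdin; print the attribute's value, or "unset"
# when the entry does not carry it. Attribute names are case-insensitive.
skew_value() {
    awk -v attr="$ATTR" '
        BEGIN { v = "unset" }
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == attr) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            }
        }
        END { print v }'
}

# Query one server. cn=config is its own tree, so it is given explicitly
# as the base (-b) with base scope (-s base), using an authenticated bind.
# PWFILE (assumption): a file readable only by root holding the password.
check_server() {
    ldapsearch -LLL -x -H "ldap://$1" -D "cn=directory manager" \
        -y "$PWFILE" -b cn=config -s base "$ATTR" | skew_value
}

# Constructed sample output, used to exercise the parser offline.
sample_on() {
    printf '%s\n' 'dn: cn=config' 'nsslapd-ignore-time-skew: on' ''
}
sample_unset() {
    printf '%s\n' 'dn: cn=config' ''
}

# Live use: PWFILE=/path/to/pwfile sh check_skew.sh replica1 replica2
for host in "$@"; do
    printf '%s: %s\n' "$host" "$(check_server "$host")"
done
```

Any replica that prints "unset" or "off" has not taken the change that the thread says to apply on all servers.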