> > On May 15, 2015, at 08:57, Ludwig Krispenz <lkris...@redhat.com> wrote: > > >> On 05/15/2015 02:45 PM, Janelle wrote: >>> On 5/15/15 3:30 AM, Ludwig Krispenz wrote: >>> >>>> On 05/13/2015 06:34 PM, Janelle wrote: >>>>> On 5/13/15 9:13 AM, Rich Megginson wrote: >>>>>> On 05/13/2015 10:04 AM, Janelle wrote: >>>>>>> On 5/13/15 8:49 AM, Rich Megginson wrote: >>>>>>>> On 05/13/2015 09:40 AM, Janelle wrote: >>>>>>>> Recently I started seeing these crop up across my servers: >>>>>>>> >>>>>>>> slapi_ldap_bind - Error: could not bind id [cn=Replication Manager >>>>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] >>>>>>>> authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 >>>>>>>> (Success) >>>>>>> >>>>>>> Does that entry exist? >>>>>>> >>>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s base >>>>>>> -b "cn=Replication Manager >>>>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config" >>>>>>> >>>>>>> Does the parent exist? >>>>>>> >>>>>>> ldapsearch -xLLL -h consumer.host -D "cn=directory manager" -W -s base >>>>>>> -b "ou=csusers,cn=config" >>>>>> >>>>>> I am finding that there does seem to be a relation to the above error >>>>>> and a possible CSN issue: >>>>>> >>>>>> Can't locate CSN 555131e5000200190000 in the changelog (DB rc=-30988). >>>>>> If replication stops, the consumer may need to be reinitialized. >>>>>> >>>>>> I guess what concerns me is what could be causing this. We don't do a >>>>>> lot of changes all the time. >>>>>> >>>>>> And in answer to the question above - we seem to have last the agreement >>>>>> somehow: >>>>>> >>>>>> No such object (32) >>>>>> >>>>> >>>>> Is there a DEL operation in the access log for "cn=Replication Manager >>>>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config"? >>>>> >>>>> maybe something like >>>>> >>>>> # grep DEL /var/log/dirsrv/slapd-INST/access|grep -i "Replication Manager" >>>>> >>>> nope -- none of the servers have it. >>> your original message is very clear: >>> >>> could not bind id [cn=Replication Manager >>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config] >>> authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 >>> (Success) >>> >>> this means that you have replication agreement wth SIMPLE auth which uses a >>> nsDS5ReplicaBindDN: cn=Replication Manager >>> masterAgreement1-ipa01.example.com-pki-tomcat,ou=csusers,cn=config >>> >>> which does not exist on the target server of the agreement. Now you say it >>> was never deleted, so it was probably never added, but used in the >>> replication agreements. How do you manage and setup replication agreements ? >>> >> All replicas are configred simply: >> >> ipa-replica-prepare hostname... >> scp .. >> ipa-replica-install --no-ntp --setup-ca Replica-file >> >> That is it. NTP is not set because internal NTP servers are used. All >> replicas are CA replicas for safety (no certs are managed) > ok, I was a bit puzzled because ipa uses ldapprincipals and gssapi for the > main suffix replication. > But I just verified that after ipa-replica-install --setup-ca CA replication > is setup with users in ou=csusers,cn=config and uses it as replica binddn, I > have no idea why it would disappear. > > when Rich asked to search for a DEL, did you check this on the server that > logged the message or on the endpoint of the replication agreement (it should > be there), and you may have to check in the rotated access logs > access.<timestamp> as well
Checked it on ALL servers just to be sure. ~J -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project