Here is the full output of ‘rpm -qi 389-ds-base’: Name : 389-ds-base Relocations: (not relocatable) Version : 1.2.10.12 Vendor: (none) Release : 1.el6 Build Date: Thu 28 Jun 2012 11:24:45 AM CDT Install Date: Mon 06 Aug 2012 04:01:03 PM CDT Build Host: vmhost Group : System Environment/Daemons Source RPM: 389-ds-base-1.2.10.12-1.el6.src.rpm Size : 4852149 License: GPLv2 with exceptions Signature : (none) URL : http://port389.org/ Summary : 389 Directory Server (base) Description : 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration. I have my purge delay set to 7 days on all replicas, and based on the date information on the oldest entries “vucsn-520c709e000000010000”, this doesn’t appear to be getting enforced. What’s the next step I should take in determining why? I’m not sure if it’s relevant, but I did notice a bad RUV entry while troubleshooting this: [root@ldap1 slapd-ldap1]# ldapsearch -xLLL -h localhost -D "cn=directory manager" -W -b dc=ds,dc=example,dc=com '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' | sed ':a;N;$!ba;s/\n //g' Enter LDAP Password: dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=ds,dc=west,dc=com objectClass: top objectClass: nsTombstone objectClass: extensibleobject nsds50ruv: {replicageneration} 501c4709000000020000 nsds50ruv: {replica 1 ldap://ldap1.ds.example.com:389} 5021267f000000010000 52260a24000100010000 nsds50ruv: {replica 5 ldap://ldap5.ds.example.com:389} nsds50ruv: {replica 2 ldap://ldap2.ds.example.com:389} 502505f1000000020000 522607ee000000020000 nsds50ruv: {replica 65535 ldap://lab-ldap1.ds.example.com:389} 5069a6bc0000ffff0000 5069a6bc0000ffff0000 nsds50ruv: {replica 4 ldap://ldap4.ds.example.com:389} 512b8650000000040000 515f081d000000040000 nsds50ruv: {replica 3 ldap://ldap3.ds.example.com:389} 512650e1000000030000 51c357e9000000030000 dc: ds nsruvReplicaLastModified: {replica 1 ldap://ldap1.ds.example.com:389} 52260a22 nsruvReplicaLastModified: {replica 5 ldap://ldap5.ds.example.com:389} 00000000 nsruvReplicaLastModified: {replica 2 ldap://ldap2.ds.example.com:389} 522607eb nsruvReplicaLastModified: {replica 65535 ldap://lab-ldap1.ds.example.com:389} 00000000 nsruvReplicaLastModified: {replica 4 ldap://ldap4.ds.example.com:389} 00000000 nsruvReplicaLastModified: {replica 3 ldap://ldap3.ds.example.com:389} 00000000 The replica “65535” was removed from the environment some time ago and the server is long gone, but evidently never purged from the directory. Per instructions on the 389-ds site, I attempted to run CLEANRUV with this LDIF: dn: cn=replica,cn=dc\3Dds\2Cdc\3Dwest\2Cdc\3Dcom,cn=mapping tree,cn=config changetype: modify replace: nsds5task nsds5task: CLEANRUV65535 And got this response: [root@ldap1 etc]# ldapmodify -h localhost -D "cn=directory manager" -W -f /etc/ruvclean Enter LDAP Password: modifying entry "cn=replica,cn=dc\3Dds\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config" ldap_modify: Operations error (1) additional info: Invalid replica id for task - CLEANRUV65535 It’s good to know that it’s safe to remove the vucsn entries from the import file, however I’m hoping to be able to use the option to directly initialize consumers from the supplier again, so it’s important that I get them cleaned up on the supplier side. Thanks for your help! -Samson- From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx] On 09/03/2013 09:30 AM, Wick, Samson wrote:
Is there a way to verify that these are being trimmed like they should?
Does this behavior have something to do with the replica’s “Purge Delay” value?
Is there a way to find date and time from the vucsn number?
Is there a way to manually purge these entries, or to shorten the interval between trimmings?
Thanks
From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx] On 09/03/2013 08:47 AM, Wick, Samson wrote:
Is there a good place I can go to educate myself on what a “vucsn” actually means, and possibly why I have hundreds of thousands of them for userPassword in my initialization files?
Thanks From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx] On 08/30/2013 01:24 PM, Wick, Samson wrote:
rpm -q 389-ds-base In attempting to stand up a new consumer in our environment, the process of allowing the supplier to initialize the consumer directly would corrupt the consumer irrevocably. I have ruled out firewalls, SSL issues etc. When attempting to initialize via an ldif, I get errors on three user accounts more or less identical to this: WARNING: skipping entry “uid=<etc…..>” ending line 296901 of file “<path to my ldif file>” REASON: entry too large (15503712 bytes) for the buffer size (8388608 bytes) When I examine the ldif file that the supplier created, the three user objects it’s complaining about all have +/- 100,000 entries like this: userPassword;vucsn-520b35cb000000010000;deleted: {SSHA256}5WJ9hosO3JO9VLa32nqxmGjn3XoShD1c1g+abekZDCFTX1MM187Bjg== Each line has a different hash. But most of the other user objects only have a couple of these lines. Clearly 100k+ password changes is a little excessive and it’s something I’ll need to look into, but in the meantime, can anyone help me figure out what has caused all of these to remain in the directory, and what can I do to clean them up? Thanks, Samson -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users |
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
