On Mon, 2016-01-18 at 12:53 +0530, Prashant Bapat wrote:
> Hi,
>
> There close to a dozen 389-DS as part of our FreeIPA infra. On one of
> these
> servers, I'm encountering a strange problem.
>
> We monitor the state of replication among the 389 servers using a
> python-ldap based script. This works on all servers except 1.
>
> What I'm doing is fairly basic. Something along lines of ;
>
> ldapsearch -x -b cn=config '(objectclass=nsds5replicationagreement)'
> nsds5replicaLastUpdateStatus -LLL -o ldif-wrap=no
>
> Corresponding python code is below;
>
> conn.search_s("cn=config" ,ldap.SCOPE_SUBTREE,
> '(objectclass=nsds5replicationagreement)', ["nsDS5ReplicaHost",
> "nsds5replicaLastUpdateStatus", "nsds5replicaLastUpdateStart",
> "nsds5replicaLastUpdateEnd"])
>
> Now for the strange issue.
>
> The above commands return the status of replication on all servers
> except 1
> which returns an empty response. This happens only for the python and
> the
> example perl script here
> <http://directory.fedoraproject.org/docs/389ds/howto/howto-replicatio
> nmonitoring.html>.
> The ldapsearch command works fine!!!
>
> Below is the log from a server where this runs fine.
>
> [18/Jan/2016:07:09:19 +0000] conn=420951 fd=564 slot=564 connection
> from
> ::1 to ::1
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=0 BIND dn="" method=128
> version=3
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn=""
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=1 SRCH base="cn=config"
> scope=2
> filter="(objectClass=nsds5replicationagreement)"
> attrs="nsDS5ReplicaHost
> nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart
> nsds5replicaLastUpdateEnd"
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=1 RESULT err=0 tag=101
> nentries=3 etime=0
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=2 UNBIND
> [18/Jan/2016:07:09:19 +0000] conn=420951 op=2 fd=564 closed - U1
>
> Below is the log from the 1 server where this fails.
>
> [18/Jan/2016:07:05:20 +0000] conn=226 fd=80 slot=80 connection from
> ::1 to
> ::1
> [18/Jan/2016:07:05:20 +0000] conn=226 op=0 BIND dn="" method=128
> version=3
> [18/Jan/2016:07:05:20 +0000] conn=226 op=0 RESULT err=0 tag=97
> nentries=0
> etime=0 dn=""
> [18/Jan/2016:07:05:20 +0000] conn=226 op=1 SRCH base="cn=config"
> scope=2
> filter="(objectClass=nsds5replicationagreement)"
> attrs="nsDS5ReplicaHost
> nsds5replicaLastUpdateStatus nsds5replicaLastUpdateStart
> nsds5replicaLastUpdateEnd"
> [18/Jan/2016:07:05:20 +0000] conn=226 op=1 RESULT err=0 tag=101
> nentries=0
> etime=0
> [18/Jan/2016:07:05:20 +0000] conn=226 op=2 UNBIND
> [18/Jan/2016:07:05:20 +0000] conn=226 op=2 fd=80 closed - U1
>
> I have an ACI which allows anonymous access to the replication info.
>
> Version is : 389-ds-base-1.3.3.13-1.fc21.x86_64
>
> Any help would be appreciated.
>
> Thanks.
> --Prashant
> --
> 389 users mailing list
> 389-users@%(host_name)s
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproj
> ect.org
The obvious first check is, does the server actually have a valid
replication agreement? You can check this by looking at
/etc/dirsrv/slapd-INSTANCE_NAME/dse.ldif.
Second, check the aci on the server.
Hope this helps.
--
Sincerely,
William Brown
Software Engineer
Red Hat, Brisbane
Attachment:
signature.asc
Description: This is a digitally signed message part
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
