Re: Chain on Update Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



James B Newby wrote:
I found the MOD line in the consumer's access log. I saw no entry in the master's access log regarding that entry. It seems as if the request doesn't make it to the master. I can telnet into the ldap port on the master from the consumer.

I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines are Intel/CentOS 4.3.

-James

In the consumer's access log:
[01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock" [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0 [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *" [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*" [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0 [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
Weird. It looks as though you added the entry to the local server, and were able to search for it right away. e.g. you search for uid=jhines, and the server replies with err=0 and nentries=1. Can you try the same search from the ldapsearch command line?


Richard Megginson wrote:
James B Newby wrote:
Hello all,

I'm having a problem with my consumer's chain on update. I have a setup with two masters and one consumer. Multi-master replication is working properly. Changes made on either master propagate to the other master and to the consumer.

Before setting up chaining, changes made on the consumer from the directory console would be denied. After setting up chaining per the wiki entry:
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
changes could be made on the consumer through the directory console, but would not propagate to the master.
How are you testing/verifying the change doesn't get through? Note that if you make the change in the console, the console will not automatically refresh. I would first check the access log on the consumer to find the ADD or MOD request, then see if that request made it to a master, then see if the master rejected it and why.

I saw an e-mail with a similar problem in the December 2005 archive, but didn't see any info in the replies that would help me. I've tried setting this up from scratch a couple times, but without success. The responses to ILoveJython's email in December suggested that certain entries be pasted in, so I've included them below.

The following acl is included in dc=hg,dc=com:
(targetattr = "*")(version 3.0; acl "Proxied authorization for database links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");) Since multi-master replication is set up, this entry is present on all three servers.

Any help would be appreciated!  Thanks!

-James

dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
cn: "dc=hg,dc=com"
cn: dc=hg,dc=com
nsslapd-backend: userRoot
nsslapd-backend: chainbe1
nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update

dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=hg,dc=com
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
cn: replica
nsDS5ReplicaId: 65535
nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nstransmittedcontrols: 2.16.840.1.113730.3.4.2
nstransmittedcontrols: 2.16.840.1.113730.3.4.9
nstransmittedcontrols: 1.2.840.113556.1.4.473
nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config nspossiblechainingcomponents: cn=certificate-based authentication,cn=component
s,cn=config
nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugin
s,cn=config
nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=hg,dc=com
nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com
:1389/
nsmultiplexorbinddn: cn=Replication Manager, cn=config
nsmultiplexorcredentials: {DES}<PASSWORD ERASED>
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux