Re: Chain on Update Problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Try using a different bind DN for chaining than your "cn=Replication Manger, cn=config" user. It could be that replication is getting confused when chaining updates are being performed by that user since it will assume that updates by that user were sent via a replication agreement. I would create a chaining specific user such as "cn=Chaining Manager, cn=config" and configure chaining to use that user. 

-NGK

James B Newby wrote:

Example 1:

Adding an entry to the consumer:

[root@ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
Enter bind password:
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
objectClass: hgperson
telephonenumber: 555-555-5555
sn: Body
cn: Some Body
givenName: Some
mail: sbody@xxxxxxxxxxxxxx
uid: sbody
adding new entry uid=sbody,ou=people,o=thgg,dc=hg,dc=com

[root@ldap1 bin]#

Searching for entry on consumer:
[root@ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID 
Enter bind password:
version: 1
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: objectClass: hgperson
nscpEntryWsi: objectClass: inetOrgPerson
nscpEntryWsi: objectClass: organizationalPerson
nscpEntryWsi: objectClass: person
nscpEntryWsi: objectClass: top
nscpEntryWsi: telephoneNumber: 555-555-5555
nscpEntryWsi: sn: Body
nscpEntryWsi: cn: Some Body
nscpEntryWsi: givenName: Some
nscpEntryWsi: mail: sbody@xxxxxxxxxxxxxx
nscpEntryWsi: uid: sbody
nscpEntryWsi: creatorsName: cn=manager
nscpEntryWsi: modifiersName: cn=manager
nscpEntryWsi: createTimestamp: 20060905232428Z
nscpEntryWsi: modifyTimestamp: 20060905232428Z
nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19720
nscpEntryWsi: entrydn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
[root@ldap1 bin]#

Search for entry on Master 1:
[root@ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID 
Enter bind password:
[root@ldap1-mw1 bin]#

Search for entry on Master 2:
[root@ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID 
Enter bind password:
[root@ldap2-mw1 bin]#

-------------------------------------------------------

Example 2:

Create an entry on Master 1:
[root@ldap1-mw1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389 
Enter bind password:
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
userPassword: <PASSWORD_ERASED>
cn: Some Employee
sn: Employee
objectClass: hgperson
givenName: Some
uid: semployee
mail: semployee@xxxxxxxxxxxxxx

adding new entry uid=semployee,ou=people,o=thgg,dc=hg,dc=com

[root@ldap1-mw1 bin]#

Search for entry on Master 1:
[root@ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID 
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson 
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl 
oyee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@xxxxxxxxxxxxxx
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}<PASSWORD_ERASED> 
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19718
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root@ldap1-mw1 bin]#

Search for Entry on Master 2:
[root@ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID 
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson 
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl 
oyee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@xxxxxxxxxxxxxx
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}<PASSWORD_ERASED> 
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19718
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root@ldap2-mw1 bin]#

Search for entry on consumer:
[root@ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID 
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson 
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: sempl 
oyee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@xxxxxxxxxxxxxx
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}<PASSWORD_ERASED> 
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19719
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root@ldap1 bin]#




Richard Megginson wrote:

James B Newby wrote:
Yes, it is a read-only consumer, set up as per instructions in the administration guide. My multi-master replication scheme works fine. When chaining is not set up, write operations to the read-only consumer fail. When chaining is set up, writes can be made to the read-only consumer but they do not propagate to the master.
But the entry is successfully added and can be successfully searched. So it must exist on a master somewhere? Try this - do a search for the entry after adding it - in addition to the usual attributes, request the replication state information - ask for the attribute nscpEntryWsi, and also the nsUniqueID attribute. With this information, we can determine on which master (replica ID) the entry was added on and at what time.
Are there any other queries I should make to the server in order to give you more information? 

Richard Megginson wrote:

James B Newby wrote:
Yes. I can add or modify entries on the consumer with update chaining set up, but those changes do not propagate to the master. If I search on the master for the entry created on the consumer :
[root@ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=nbody 
Enter bind password:
[root@ldap1-mw1 bin]$
It's not there. As I said in an earlier message, I've followed the instructions in the Chain on Update HOWTO, but I can't get it to work. I've reviewed the Administrator Guide as well as searching the Internet for an answer but no luck.
So, is this is a read only consumer? If so, you should not be able to write to it. That's what is confusing me. If this is a read-only consumer, you should get an err=10 back from a write operation if chaining is not set up. 

Richard Megginson wrote:

James B Newby wrote:
Well actually the entry was already there; I just made a small change to one of the attributes on the consumer through the directory console. 

I added a new entry on the consumer from the command line:
[root@ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389 
Enter bind password:
dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
userPassword: <erased>
cn: No Body
sn: Body
objectClass: hgperson
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: No
uid: nbody
mail: nbody@xxxxxxxxxxxxxx
adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com

[root@ldap1 bin]#

Then I searched for that user on the consumer's command line:
[root@ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - -h localhost -p 1389 uid=nbody 
Enter bind password:
version: 1
dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
cn: No Body
sn: Body
objectClass: hgperson
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: No
uid: nbody
mail: nbody@xxxxxxxxxxxxxx
userPassword: {SSHA}<erased>
[root@ldap1 bin]#

Here is what resulted in the access log of the consumer:
[01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1 [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3 [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager" [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0 
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
[01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1 [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" method=128 version=3 [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager" [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0 
[01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
[01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1

So it appears to be working?
I then searched for that new entry in the Directory Console and the following log entries resulted: [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH base="ou=people,o=thgg,dc=hg,dc=com" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci" [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn (196) [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 nentries=196 etime=0 notes=U [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock" [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 nentries=2 etime=0 [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix" [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 nentries=0 etime=0 [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *" [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*" [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL 
This appears to be working also?


-James

Richard Megginson wrote:

James B Newby wrote:
I found the MOD line in the consumer's access log. I saw no entry in the master's access log regarding that entry. It seems as if the request doesn't make it to the master. I can telnet into the ldap port on the master from the consumer.
I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines are Intel/CentOS 4.3. 

-James

In the consumer's access log:
[01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock" [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix" [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0 [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *" [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*" [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0 [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci" [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1) [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
Weird. It looks as though you added the entry to the local server, and were able to search for it right away. e.g. you search for uid=jhines, and the server replies with err=0 and nentries=1. Can you try the same search from the ldapsearch command line? 


Richard Megginson wrote:

James B Newby wrote:

Hello all,
I'm having a problem with my consumer's chain on update. I have a setup with two masters and one consumer. Multi-master replication is working properly. Changes made on either master propagate to the other master and to the consumer.
Before setting up chaining, changes made on the consumer from the directory console would be denied. After setting up chaining per the wiki entry: 
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
changes could be made on the consumer through the directory console, but would not propagate to the master.
How are you testing/verifying the change doesn't get through? Note that if you make the change in the console, the console will not automatically refresh. I would first check the access log on the consumer to find the ADD or MOD request, then see if that request made it to a master, then see if the master rejected it and why.
I saw an e-mail with a similar problem in the December 2005 archive, but didn't see any info in the replies that would help me. I've tried setting this up from scratch a couple times, but without success. The responses to ILoveJython's email in December suggested that certain entries be pasted in, so I've included them below. 

The following acl is included in dc=hg,dc=com:
(targetattr = "*")(version 3.0; acl "Proxied authorization for database links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");) Since multi-master replication is set up, this entry is present on all three servers. 

Any help would be appreciated!  Thanks!

-James

dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
cn: "dc=hg,dc=com"
cn: dc=hg,dc=com
nsslapd-backend: userRoot
nsslapd-backend: chainbe1
nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so 
nsslapd-distribution-funct: repl_chain_on_update

dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=hg,dc=com
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
cn: replica
nsDS5ReplicaId: 65535
nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com 
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nstransmittedcontrols: 2.16.840.1.113730.3.4.2
nstransmittedcontrols: 2.16.840.1.113730.3.4.9
nstransmittedcontrols: 1.2.840.113556.1.4.473
nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config nspossiblechainingcomponents: cn=certificate-based authentication,cn=component 
s,cn=config
nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugin 
s,cn=config
nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config 
dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=hg,dc=com
nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com 
:1389/
nsmultiplexorbinddn: cn=Replication Manager, cn=config
nsmultiplexorcredentials: {DES}<PASSWORD ERASED>
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------ 

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------ 

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------ 

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
------------------------------------------------------------------------ 

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

------------------------------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux