<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 03/05/2012 03:55 PM, Jim Finn wrote:
<blockquote
cite="mid:CAHx81c-x3Dn1wVfQGMRGx4kXOhuvMx1r8rPeXhrpgno6iQcg2g@mail.gmail.com"
type="cite">
<p class="p1">Note: I have searched through years past in
389-users and have found a few others experiencing the same
problem, yet I could not find any resolution.</p>
<p class="p1"><br>
</p>
<p class="p3"><span class="s1">I am attempting to set up chain on
update per <a moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate"><span
class="s2">http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate</span></a></span></p>
<p class="p2"><br>
</p>
<p class="p1">The packages installed are:</p>
<p class="p1">389-admin-console-1.1.8-1.el6.noarch</p>
<p class="p1">389-ds-1.2.2-1.el6.noarch</p>
<p class="p1">389-ds-base-1.2.9.14-1.el6_2.2.x86_64</p>
<p class="p1">389-console-1.1.7-1.el6.noarch</p>
<p class="p1">389-admin-console-doc-1.1.8-1.el6.noarch</p>
<p class="p1">389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64</p>
<p class="p1">389-dsgw-1.1.7-2.el6.x86_64</p>
<p class="p1">389-ds-console-1.2.6-1.el6.noarch</p>
<p class="p1">389-ds-console-doc-1.2.6-1.el6.noarch</p>
<p class="p1">389-adminutil-1.1.14-2.el6.x86_64</p>
<p class="p1">389-admin-1.1.25-1.el6.x86_64</p>
<p class="p2"><br>
</p>
<p class="p1">The justification for use of chain_on_update is that
our clients are “dumb” and unable to follow referrals. </p>
<p class="p2"><br>
</p>
<p class="p1">As a POC, I am testing with two servers: <a
moz-do-not-send="true" href="http://be1.foo.com">be1.foo.com</a>
(Master) and <a moz-do-not-send="true"
href="http://be2.foo.com">be2.foo.com</a> (Consumer)</p>
<p class="p2"><br>
</p>
<p class="p1">Prior to following the instructions in the
Howto:ChainOnUpdate (linked above) the environment operated as
follows:</p>
<p class="p2"><br>
</p>
<p class="p1">Scenario A)</p>
<p class="p1"><a moz-do-not-send="true"
href="http://Client.foo.com">Client.foo.com</a> attempts to
modify <a moz-do-not-send="true" href="http://be1.foo.com">be1.foo.com</a>
-> Allowed</p>
<p class="p1">Change made by <a moz-do-not-send="true"
href="http://client.foo.com">client.foo.com</a> to <a
moz-do-not-send="true" href="http://be1.foo.com">be1.foo.com</a>
is replicated to <a moz-do-not-send="true"
href="http://be2.foo.com">be2.foo.com</a></p>
<p class="p1">Ldapsearch of both servers shows the item was
properly replicated, value is the same on be1 and be2</p>
<p class="p1">-----</p>
<p class="p1">Scenario B)</p>
<p class="p1"><a moz-do-not-send="true"
href="http://Client.foo.com">Client.foo.com</a> attempts to
modify <a moz-do-not-send="true" href="http://be2.foo.com">be2.foo.com</a>
-> Not allowed, given referral</p>
<p class="p2"><br>
</p>
<p class="p1">Upon following the instructions in the
aforementioned howto the environment operates as follows:</p>
<p class="p2"><br>
</p>
<p class="p1">Scenario A)</p>
<p class="p1"><a moz-do-not-send="true"
href="http://Client.foo.com">Client.foo.com</a> attempts to
modify <a moz-do-not-send="true" href="http://be1.foo.com">be1.foo.com</a>
-> Allowed</p>
<p class="p1">Change made by <a moz-do-not-send="true"
href="http://client.foo.com">client.foo.com</a> to <a
moz-do-not-send="true" href="http://be1.foo.com">be1.foo.com</a>
is replicated to <a moz-do-not-send="true"
href="http://be2.foo.com">be2.foo.com</a></p>
<p class="p1">Ldapsearch of both servers shows the item was
properly replicated, value is the same on be1 and be2</p>
<p class="p1">-----</p>
<p class="p1">Scenario B)</p>
<p class="p1"><a moz-do-not-send="true"
href="http://Client.foo.com">Client.foo.com</a> attempts to
modify <a moz-do-not-send="true" href="http://be2.foo.com">be2.foo.com</a>
-> Allowed</p>
</blockquote>
What credentials did you use? Note that cn=directory manager is not
chained because the directory manager credentials are local to each
server.<br>
<blockquote
cite="mid:CAHx81c-x3Dn1wVfQGMRGx4kXOhuvMx1r8rPeXhrpgno6iQcg2g@mail.gmail.com"
type="cite">
<p class="p1">Change made by <a moz-do-not-send="true"
href="http://client.foo.com">client.foo.com</a> *<b>SHOULD</b>*
have been handled by the chaining backend and modified on be1</p>
<p class="p1">Ldapsearch of both servers shows the item was
modified on be2 but not be1 (be1 still has the old value)</p>
<p class="p2"><br>
</p>
<p class="p1">It seems the writes from <a moz-do-not-send="true"
href="http://client.foo.com">client.foo.com</a> to <a
moz-do-not-send="true" href="http://be2.foo.com">be2.foo.com</a>
are being committed to the local database (userRoot) instead of
being handled by the chaining backend (chainbe1). </p>
<p class="p2"><br>
</p>
<p class="p1">As the howto suggests, I am using the replication
manager for the proxy auth. I have confirmed the credentials on
all servers.</p>
<p class="p2"><br>
</p>
<p class="p1">dn: cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping tree,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsMappingTree</p>
<p class="p1">cn: "dc=foo,dc=com"</p>
<p class="p1">nsslapd-state: backend</p>
<p class="p1">nsslapd-backend: userRoot</p>
<p class="p1">nsslapd-backend: chainbe1</p>
<p class="p1">nsslapd-distribution-plugin:
libreplication-plugin.so</p>
<p class="p1">nsslapd-distribution-funct: repl_chain_on_update</p>
<p class="p2"><br>
</p>
<p class="p1">dn: cn=userRoot,cn=ldbm
database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsBackendInstance</p>
<p class="p1">cn: userRoot</p>
<p class="p1">numSubordinates: 7</p>
<p class="p1">nsslapd-suffix: dc=foo,dc=com</p>
<p class="p1">nsslapd-cachesize: -1</p>
<p class="p1">nsslapd-cachememsize: 10485760</p>
<p class="p1">nsslapd-readonly: off</p>
<p class="p1">nsslapd-require-index: off</p>
<p class="p1">nsslapd-directory:
/var/lib/dirsrv/slapd-be2/db/userRoot</p>
<p class="p1">nsslapd-dncachememsize: 10485760</p>
<p class="p2"><br>
</p>
<p class="p1">dn: cn=replica,cn=dc\3Dfoo\2Cdc\3Dcom,cn=mapping
tree,cn=config</p>
<p class="p1">objectClass: nsDS5Replica</p>
<p class="p1">objectClass: top</p>
<p class="p1">nsDS5ReplicaRoot: dc=foo,dc=com</p>
<p class="p1">nsDS5ReplicaType: 2</p>
<p class="p1">nsDS5Flags: 0</p>
<p class="p1">nsds5ReplicaPurgeDelay: 604800</p>
<p class="p1">nsDS5ReplicaBindDN: cn=replication
manager,cn=replication,cn=config</p>
<p class="p1">cn: replica</p>
<p class="p1">nsDS5ReplicaId: 6553</p>
<p class="p1">nsDS5ReplicaName: ((REDACTED FOR EMAIL THREAD))</p>
<p class="p2"><br>
</p>
<p class="p1">dn: cn=chainbe1,cn=chaining
database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">objectClass: nsBackendInstance</p>
<p class="p1">cn: chainbe1</p>
<p class="p1">nsslapd-suffix: "dc=foo,dc=com"</p>
<p class="p1">nsfarmserverurl: ldap://be1.foo.com/</p>
<p class="p1">nsmultiplexorbinddn: cn=replication
manager,cn=replication,cn=config</p>
<p class="p1">nschecklocalaci: off</p>
<p class="p1">nsusestarttls: on</p>
<p class="p1">nsbindmethod:</p>
<p class="p1">nsmultiplexorcredentials: {DES}((REDACTED FOR EMAIL
THREAD))</p>
<p class="p2"><br>
</p>
<p class="p1">dn: cn=config,cn=chaining
database,cn=plugins,cn=config</p>
<p class="p1">objectClass: top</p>
<p class="p1">objectClass: extensibleObject</p>
<p class="p1">cn: config</p>
<p class="p1">nstransmittedcontrols: 2.16.840.1.113730.3.4.2</p>
<p class="p1">nstransmittedcontrols: 2.16.840.1.113730.3.4.9</p>
<p class="p1">nstransmittedcontrols: 1.2.840.113556.1.4.473</p>
<p class="p1">nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12</p>
<p class="p1">nspossiblechainingcomponents: cn=resource
limits,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=certificate-based
authentication,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=password
policy,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents:
cn=sasl,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents:
cn=roles,cn=components,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=ACL
Plugin,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=old
plugin,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=referential
integrity postoperation,cn=plugins,cn=config</p>
<p class="p1">nspossiblechainingcomponents: cn=attribute
uniqueness,cn=plugins,cn=config</p>
<p class="p2"><br>
</p>
<p class="p2"><br>
</p>
<p class="p1">Any help in getting ChainOnUpdate to work with my
389 servers would be greatly appreciated. </p>
<p class="p2"><br>
</p>
<p class="p1">Thanks in advance!</p>
<p class="p2"><br>
</p>
<p class="p1">Jim Finn</p>
<p class="p2"><br>
</p>
</blockquote>
<br>
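<p>An added example, not part of the original thread or the 389 project's code: one way to answer the credentials question from the consumer's access log, by correlating each successful write with the DN bound on its connection and listing writes made as the root DN, which the reply says are not chained. The log lines are constructed samples in the 389 DS access-log format, and the function names and the default root DN value are assumptions.</p>

```python
import re

# Constructed sample in the 389 DS access-log format, as seen on the consumer (be2).
SAMPLE_LOG = '''\
[05/Mar/2012:15:40:01 -0700] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[05/Mar/2012:15:40:01 -0700] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[05/Mar/2012:15:40:02 -0700] conn=7 op=1 MOD dn="uid=jdoe,ou=People,dc=foo,dc=com"
[05/Mar/2012:15:40:02 -0700] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[05/Mar/2012:15:41:10 -0700] conn=8 op=0 BIND dn="uid=admin1,ou=People,dc=foo,dc=com" method=128 version=3
[05/Mar/2012:15:41:10 -0700] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin1,ou=people,dc=foo,dc=com"
[05/Mar/2012:15:41:11 -0700] conn=8 op=1 MOD dn="uid=jdoe,ou=People,dc=foo,dc=com"
[05/Mar/2012:15:41:11 -0700] conn=8 op=1 RESULT err=0 tag=103 nentries=0 etime=0
'''

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|MOD|ADD|DEL|MODRDN|RESULT)\b(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')
ROOT_DN = "cn=directory manager"  # assumption: the default nsslapd-rootdn


def norm(dn):
    # Simple normalisation (case, spaces after commas); enough to match the root DN.
    return ",".join(part.strip() for part in dn.lower().split(","))


def root_dn_writes(log_text, root_dn=ROOT_DN):
    """Return (conn, op, verb, target) for successful writes on connections bound as root_dn."""
    root = norm(root_dn)
    pending = {}  # (conn, op) -> (verb, dn), waiting for the matching RESULT line
    bound = {}    # conn -> normalised DN of the last BIND ("" after a failed bind)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        if verb != "RESULT":
            dn = DN_RE.search(rest)
            pending[(conn, op)] = (verb, dn.group(1) if dn else "")
            continue
        err = ERR_RE.search(rest)
        if (conn, op) not in pending or not err:
            continue
        verb, dn = pending.pop((conn, op))
        ok = err.group(1) == "0"
        if verb == "BIND":
            bound[conn] = norm(dn) if ok else ""
        elif ok and bound.get(conn) == root:
            hits.append((int(conn), int(op), verb, dn))
    return hits


if __name__ == "__main__":
    for hit in root_dn_writes(SAMPLE_LOG):
        print("write bound as root DN, not chained:", hit)
```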
</body>
</html>