<p>Thank you Rich! </p>
<div class="gmail_quote">On Nov 15, 2012 9:27 AM, "Rich Megginson" <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
On 11/14/2012 09:18 PM, Derek Belcher wrote:
<blockquote type="cite">Rich, thank you so much for your help, where do I send
the beer?
<div><br>
</div>
<div>So here are the new steps that I am testing out and seem to
work in my test environment:</div>
<div><br>
</div>
<div>
<div>cd /usr/lib64/dirsrv/slapd-my-ldap/</div>
<div>./db2ldif -n userRoot -a /var/tmp/mydb.ldif</div>
<div>chmod 755 /var/tmp/mydb.ldif</div>
</div>
</blockquote>
This shouldn't be necessary as long as the file is owned by the
server user.<br>
<blockquote type="cite">
<div>
<div>./<a href="http://ldif2db.pl" target="_blank">ldif2db.pl</a>
-v -D "cn=directory manager" -w ****** -i /var/tmp/mydb.ldif
-s dc=company,dc=net</div>
<div>reinitialize consumers</div>
<div>reinitialize winsync</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Does this look right? Better to be paranoid then to do
something crazy in production. <br>
</div>
</blockquote>
Yes<br>
<blockquote type="cite">
<div class="gmail_extra">
<br>
<br>
<div class="gmail_quote">On Wed, Nov 14, 2012 at 9:15 PM, Rich
Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 11/14/2012 05:04 PM, Derek Belcher
wrote:
<blockquote type="cite">Rich,
<div><br>
</div>
<div>"<span style="font-family:arial,sans-serif;font-size:13px">Not
that I know of. What you will have to do is dump
your database to ldif and reload it, then
reinitialize all of your replicas and winsync
agreements."</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">Does
this mean that I do not have to stop replication? </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">So
basically I would follow the following steps:</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div>
<div> <span style="font-family:arial,sans-serif;font-size:13px">cd
/usr/lib64/dirsrv/slapd-my-ldap/</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">./db2ldif
-n userRoot -a /var/tmp/mydb.ldif</span></div>
</blockquote>
</div>
Yes<br>
<blockquote type="cite">
<div><span style="font-family:arial,sans-serif;font-size:13px">service
dirsrv stop</span></div>
</blockquote>
Not required
<div><br>
<blockquote type="cite">
<div><span style="font-family:arial,sans-serif;font-size:13px">Delete
the database out of the GUI in the Configuration /
data / dc=company,dc=net</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">re-create
the database dc=company,dc=net (userRoot)</span></div>
</blockquote>
</div>
No
<div><br>
<blockquote type="cite">
<div>
<div><font face="arial, sans-serif">./ldif2db -n
userRoot -i /var/tmp/mydb.ldif</font></div>
</div>
</blockquote>
</div>
You can use <a href="http://ldif2db.pl" target="_blank">ldif2db.pl</a>
while the server is running<br>
<blockquote type="cite">
<div>
<div><span style="font-family:arial,sans-serif">service
dirsrv start</span><br>
</div>
</div>
</blockquote>
See above
<div><br>
<blockquote type="cite">
<div>
<div><span style="font-family:arial,sans-serif">Then
right click and reinitialize each sync agreement
for the multimasters and consumers</span><br>
</div>
</div>
</blockquote>
</div>
Yes
<div><br>
<blockquote type="cite">
<div>
<div> </div>
</div>
<div><span style="font-family:arial,sans-serif">Also
reinitialize the winsync agreement</span></div>
</blockquote>
</div>
Yes
<div><br>
<blockquote type="cite">
<div><span style="font-family:arial,sans-serif"><br>
</span></div>
<div><span style="font-family:arial,sans-serif"><br>
</span></div>
<div><font face="arial, sans-serif">Does this sound
right? Not sure if I need to delete the database
or not, from what i am reading it looks like
ldif2db will clobber the existing entries in the
database. Is this correct?</font></div>
</blockquote>
</div>
Yes.
<div>
<div><br>
<blockquote type="cite">
<div><font face="arial, sans-serif"><br>
</font></div>
<div><font face="arial, sans-serif">Thanks -Derek</font></div>
<div><span style="font-family:arial,sans-serif"> </span><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote"> On Wed, Nov 14, 2012 at
1:59 PM, Derek Belcher <span dir="ltr"><<a href="mailto:jderekbelcher@gmail.com" target="_blank">jderekbelcher@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Thank you for all of
your help Rich. I have opened a ticket with <a href="http://fedorahosted.org/389" target="_blank">fedorahosted.org/389</a>
<div><br>
</div>
<div>Ticket # 521</div>
<span><font color="#888888">
<div> <br>
</div>
<div>--Derek</div>
</font></span>
<div>
<div>
<div class="gmail_extra"> <br>
<br>
<div class="gmail_quote">On Wed, Nov 14,
2012 at 10:16 AM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 11/14/2012 08:56 AM,
Derek Belcher wrote:
<blockquote type="cite">This
master is bi-directionally
syncing with my Active
Directory server. On the AD
server, I have created a
customer filtered view for the
time this started, 11/12/2014
between 1pm and 2pm, included
all possible windows log
sources and I am not seeing
any errors. I believe this is
due to 389ds, pulls and pushes
updates, and AD is not really
aware of 389ds.</blockquote>
<br>
</div>
Correct.
<div><br>
<br>
<blockquote type="cite">
<div> <br>
</div>
<div>So I am thinking that the
modrdn command is not able
to make the changes on the
AD side? But if 389ds is
pushing changes...</div>
</blockquote>
<br>
</div>
It should be, but AD is more
restrictive of the types of modrdn
and entry move operations it will
allow.
<div><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>What is also interesting
is that you can in AD "move"
a users to a different DN
and 389ds will replicate
that change to all of its
multi-masters and consumers.
Just does not seem to work
when you do DN changes on
the 389ds side and it pushes
to AD. <br>
</div>
</blockquote>
<br>
</div>
It should work - does this happen
with any modrdn entry move
operation?
<div><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>Is there a way to remove
this offending entry in the
change log?</div>
</blockquote>
<br>
</div>
Not that I know of. What you will
have to do is dump your database
to ldif and reload it, then
reinitialize all of your replicas
and winsync agreements.<br>
<br>
Please file a ticket at <a href="https://fedorahosted.org/389" target="_blank">https://fedorahosted.org/389</a>
- this is definitely a bug.
<div>
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On
Wed, Nov 14, 2012 at
9:22 AM, Rich Megginson
<span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 11/14/2012
08:18 AM, Derek
Belcher wrote:
<blockquote type="cite">Good
morning Rich,
<div><br>
</div>
<div>
<div># rpm -q
389-ds-base</div>
<div>389-ds-base-1.2.9.14-1.el6_2.2.x86_64</div>
</div>
</blockquote>
<br>
</div>
What does it say in
the consumer access
and errors log for
this change replay
attempt?<br>
<br>
Look in the consumer
access log for
50a150a4000000020000,
see what the
timestamp is, then
look in the errors
log at around that
timestamp.
<div>
<div><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>Thank you</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On
Wed, Nov 14,
2012 at 8:58
AM, Rich
Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On
11/13/2012
07:21 PM,
Derek Belcher
wrote:
<blockquote type="cite">Here
is the error
message that I
am receiving
in
/var/log/dirsrv/slap-xxxx/errors
:
<div><br>
</div>
<div>[13/Nov/2012:20:13:27
-0600]
NSMMReplicationPlugin
-
agmt="cn=sync001"
(<a href="http://AD1.company.net:636" target="_blank">AD1.company.net:636</a>):
Consumer
failed to
replay change
(uniqueid
754ce981-e4d411e1-b828c127-7d7e145e,
CSN
50a150a4000000020000):
Server is
unwilling to
perform. Will
retry later.<br>
</div>
<div><br>
</div>
<div>Thanks
again for your
time.</div>
</blockquote>
</div>
rpm -q
389-ds-base<br>
<blockquote type="cite">
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On
Tue, Nov 13,
2012 at 5:38
PM, Derek
Belcher <span dir="ltr"><<a href="mailto:jderekbelcher@gmail.com" target="_blank">jderekbelcher@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div>Good
evening, </div>
<div><br>
</div>
<div>I am
requesting
some help from
the community,
I have an
issue that I
can not seem
to resolve. </div>
<div><br>
</div>
<div>Yesterday
I committed a
change on a
users DN and
today I
noticed
replication
issues in my
logs. The logs
told me the
uniqueid # and
CSN #</div>
<div><br>
</div>
<div>So I used
cl-dump to
dump the
changelog into
a file. Here
are the
results of
what I grep'ed
out:</div>
<div><br>
</div>
<div><br>
</div>
<div>[root@ds]#
grep
"50a150a4000000020000"
-B2 -A13
/var/tmp/change.dump </div>
<div>changetype:
modrdn</div>
<div>replgen:
4ff8a4c0000000010000</div>
<div>csn:
50a150a4000000020000</div>
<div>nsuniqueid:
754ce981-e4d411e1-b828c127-7d7e145e</div>
<div>dn:
uid=auser,ou=threataa,ou=ops,ou=groups,dc=company,dc=net</div>
<div>newrdn:
uid=auser</div>
<div>deleteoldrdn:
false</div>
<div>newsuperiordn:
ou=threatbb,ou=ops,ou=groups,dc=company,dc=net</div>
<div>change::</div>
<div>replace:
modifiersname</div>
<div>modifiersname:
cn=directory
manager</div>
<div>-</div>
<div>replace:
modifytimestamp</div>
<div>modifytimestamp:
20121112194019Z</div>
<div>-</div>
<div><br>
</div>
<div>So now
that I know
what entry
NSMReplicationPlugin
is complaining
about, I don't
know what to
do in order to
fix it and get
replication
back on track.</div>
<div><br>
</div>
<div>I really
appreciate any
help on this
matter, Thank
you</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<span><font color="#888888">
<pre>--
389 users mailing list
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</font></span></blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote></div>