[Fedora-directory-users] Chain on Update Problem
James B Newby
jnewby at highergear.com
Fri Sep 1 22:54:36 UTC 2006
I found the MOD line in the consumer's access log. I saw no entry in
the master's access log regarding that entry. It seems as if the
request doesn't make it to the master. I can telnet into the ldap port
on the master from the consumer.
I installed Fedora Directory Server from
fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines
are Intel/CentOS 4.3.
-James
In the consumer's access log:
[01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH
base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole
nsRoleDN objectClass nsAccountLock"
[01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1
etime=0
[01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0
filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1
etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database,
cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)"
attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101
nentries=2 etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0
filter="(objectClass=*)" attrs="nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101
nentries=1 etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines
ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database,
cn=plugins, cn=config" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
[01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101
nentries=0 etime=0
[01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH
base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))"
attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic
modifiersName parentid nsICQStatusGraphic nsAIMStatusText
passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN
accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom
nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit
passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid
nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict
modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId
nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes
createTimestamp nsLookThroughLimit *"
[01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101
nentries=1 etime=0
[01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH
base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
filter="(objectClass=*)" attrs="*"
[01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101
nentries=1 etime=0
[01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH
base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101
nentries=1 etime=0
[01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD
dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103
nentries=0 etime=0
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH
base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass
numSubordinates ref aci"
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101
nentries=1 etime=0 notes=U
Richard Megginson wrote:
> James B Newby wrote:
>> Hello all,
>>
>> I'm having a problem with my consumer's chain on update. I have a
>> setup with two masters and one consumer. Multi-master replication is
>> working properly. Changes made on either master propagate to the
>> other master and to the consumer.
>>
>> Before setting up chaining, changes made on the consumer from the
>> directory console would be denied. After setting up chaining per the
>> wiki entry:
>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
>> changes could be made on the consumer through the directory console,
>> but would not propagate to the master.
> How are you testing/verifying the change doesn't get through? Note
> that if you make the change in the console, the console will not
> automatically refresh. I would first check the access log on the
> consumer to find the ADD or MOD request, then see if that request made
> it to a master, then see if the master rejected it and why.
>>
>> I saw an e-mail with a similar problem in the December 2005 archive,
>> but didn't see any info in the replies that would help me. I've
>> tried setting this up from scratch a couple times, but without
>> success. The responses to ILoveJython's email in December suggested
>> that certain entries be pasted in, so I've included them below.
>>
>> The following acl is included in dc=hg,dc=com:
>> (targetattr = "*")(version 3.0; acl "Proxied authorization for
>> database links";allow (proxy) (userdn = "ldap:///cn=Replication
>> Manager, cn=config");)
>> Since multi-master replication is set up, this entry is present on
>> all three servers.
>>
>> Any help would be appreciated! Thanks!
>>
>> -James
>>
>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsMappingTree
>> nsslapd-state: backend
>> cn: "dc=hg,dc=com"
>> cn: dc=hg,dc=com
>> nsslapd-backend: userRoot
>> nsslapd-backend: chainbe1
>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>> nsslapd-distribution-funct: repl_chain_on_update
>>
>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>> objectClass: nsDS5Replica
>> objectClass: top
>> nsDS5ReplicaRoot: dc=hg,dc=com
>> nsDS5ReplicaType: 2
>> nsDS5Flags: 0
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>> cn: replica
>> nsDS5ReplicaId: 65535
>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>> nsds5ReplicaChangeCount: 0
>> nsds5replicareapactive: 0
>>
>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>> cn: config
>> objectClass: top
>> objectClass: extensibleObject
>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
>> nspossiblechainingcomponents: cn=certificate-based
>> authentication,cn=component
>> s,cn=config
>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>> nspossiblechainingcomponents: cn=referential integrity
>> postoperation,cn=plugin
>> s,cn=config
>> nspossiblechainingcomponents: cn=attribute
>> uniqueness,cn=plugins,cn=config
>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsBackendInstance
>> cn: chainbe1
>> nsslapd-suffix: dc=hg,dc=com
>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389
>> ldap2.mw1.highergear.com
>> :1389/
>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>> nsmultiplexorcredentials: {DES}<PASSWORD ERASED>
>> nsbindconnectionslimit: 3
>> nsoperationconnectionslimit: 20
>> nsabandonedsearchcheckinterval: 1
>> nsconcurrentbindlimit: 10
>> nsconcurrentoperationslimit: 2
>> nsproxiedauthorization: on
>> nsconnectionlife: 0
>> nsbindtimeout: 15
>> nsreferralonscopedsearch: off
>> nschecklocalaci: on
>> nsbindretrylimit: 3
>> nsslapd-sizelimit: 2000
>> nsslapd-timelimit: 3600
>> nshoplimit: 10
>> nsmaxresponsedelay: 60
>> nsmaxtestresponsedelay: 15
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
More information about the 389-users
mailing list