[389-users] GUI errors when viewing replication agreements

Wes Hardin wes.hardin at maxim-ic.com
Thu Aug 30 16:29:38 UTC 2012


On 08/29/2012 04:24 PM, Rich Megginson wrote:
> On 08/29/2012 03:11 PM, Wes Hardin wrote:
>> On 08/28/2012 03:43 PM, Rich Megginson wrote:
>>> On 08/28/2012 02:35 PM, Wes Hardin wrote:
>>>> On 08/28/2012 12:16 PM, Rich Megginson wrote:
>>>>> On 08/28/2012 09:23 AM, Wes Hardin wrote:
>>>>>> When viewing replication agreements in the 389-console (under the Configuration
>>>>>> tab, Replication, userRoot), the first time I select each replication agreement,
>>>>>> I am greeted by an error window titled "Insufficient Permissions" stating "The
>>>>>> user cn=root does not have the permission to perform this operation."
>>>>> That should have been fixed, although I can't seem to find the ticket.
>> attached console.log
>>
>> When I ran the 389-console in debug mode, I think I located the where the issue arises.  Starting at line 1778:
>>
>> DSEntrySet.getAttributes(): failed to get attribute nsslapd-referral in cn=config
>> ServerSettingsPanel.ReferralText.show:<>
>> DSEntrySet.show(): some of the attributes of cn=config could not be read.  Either they are not present in the entry or there is an ACI which prevents that attribute from being read. Try authenticating as a user with more access
>>
>> In a quick test, this only seems to occur on my single master.  The consumers I tested did not complain when selecting the "configuration" tab.
> 
> Hmm - this should have been fixed - https://fedorahosted.org/389/ticket/78
> Please add your information to that ticket and reopen
> 
>>
>>>>>> cn=root is my directory manager account.  I am not trying to make any changes, I
>>>>>> get this error simply by selecting the agreement so I can view it and check the
>>>>>> status.  I can click OK to acknowledge the error and then I am prompted to login
>>>>>> again.  I can hit cancel and continue navigating, but if I attempt to make any
>>>>>> change in this area, the "Save" button does not activate to let me do so.  I can
>>>>>> use the Directory tab and navigate down through cn=config tree and change the
>>>>>> agreement entries via the normal property editor window.  I can also delete the
>>>>>> agreement from the Configuration tab.
>>>>>>
>>>>>> I'm using 389-console 1.1.7-0ubuntu1 on Kubuntu 12.04, but I have colleagues who
>>>>>> run the 389-console from the server (389-console-1.1.7-3.el5.noarch) and see the
>>>>>> same error.
>>>>>>
>>>>>> These are the packages on the server, which is CentOS 5.7:
>>>>>> # rpm -qa 389-\*
>>>>>> 389-admin-1.1.29-1.el5.x86_64
>>>>>> 389-console-1.1.7-3.el5.noarch
>>>>>> 389-ds-base-libs-1.2.10.4-5.el5.x86_64
>>>>>> 389-admin-console-1.1.8-1.el5.noarch
>>>>>> 389-ds-base-devel-1.2.10.4-5.el5.x86_64
>>>>>> 389-ds-base-1.2.10.4-5.el5.x86_64
>>>>>> 389-ds-console-1.2.6-1.el5.noarch
>>>>>> 389-ds-console-doc-1.2.6-1.el5.noarch
>>>>>> 389-adminutil-1.1.15-1.el5.x86_64
>>>>>> 389-admin-console-doc-1.1.8-1.el5.noarch
>>>>>> 389-adminutil-devel-1.1.15-1.el5.x86_64
>>>>>>
>>>>>> While troubleshooting replication a while back, I lost all my replication
>>>>>> agreements and recreated them all from the CLI using some instructions I found
>>>>>> for RHDS.  I don't recall if this error occurred before that or not.  If I
>>>>>> delete and re-create the agreement through the GUI, I do not get this error when
>>>>>> selecting that same agreement, even after restarting the GUI.
>>>>> So if you create the agreements via the CLI, the console gives an error
>>>>> when you try to edit the agreements, but when you create the agreements
>>>>> via the console, the console will allow you to edit the agreements?
>>>> I cannot edit any replication agreements (except for the description field)
>>>> regardless of their origin from the "Configuration" tab.  I don't receive any
>>>> error, but if I make a change to the schedule for instance, the tab gets the
>>>> little red dot indicating a change occurred, but the "Save" button remains
>>>> grayed out and unclickable.
>>>>
>>> Ok.  I would like to see
>>> excerpts from the directory server and admin server access log and
>>> errors log from around the time of this console behavior
>>> /var/log/dirsrv/slapd-INSTANCE/errors and access
>>> /var/log/dirsrv/admin-serv/error and access
>>>
>>> run the console with 389-console -D 9 -f console.log - then reproduce
>>> the problem and post the console.log
>>>
>>> before you post any logs, be sure to scrub or obscure any sensitive data
>> Getting these logs will take a little bit longer.  But to make sure I provide useful logs, what debug logging options should I enable for access and error?
> Don't worry about it.  This looks like ticket 78.  I'm very confused as 
> to why this was not fixed for you.  Did you upgrade this 389 from an 
> earlier release?  If so, it is possible that there is an empty 
> nsslapd-referral attribute in your dse.ldif - try this:
> 
> shutdown dirsrv
> edit /etc/dirsrv/slapd-INST/dse.ldif - look for a line like
> nsslapd-referral:
> that is, there is nothing after the ":"
> delete this line
> then restart dirsrv

I don't know the full history of this server since I assumed management of it
from someone else.  I believe it began life as 1.2.2 (based on version shown on
the initial screen of 389-console; have not run setup-ds.pl -u due to bug #377),
was upgraded to 1.2.5rc2, then 1.2.10.{4,14}.  I believe it also started as a
consumer of a single master and then was promoted to be the new single master
pretty early on.

I reopened the bug as you suggested.  A quick grep of dse.ldif shows no instance
of 'nsslapd-referral:'.  The only reference to referral I find is this:

# grep -i referral dse.ldif
nsreferralonscopedsearch: off

-- 
/* Wes Hardin */
UNIX/Linux Systems Administrator, IT Engineering Support
Maxim Integrated Products | Innovation Delivered® | www.maxim-ic.com



More information about the 389-users mailing list