MMR Replication issues
by Louis Bohm
I used the following docs to set up MMR on my CentOS 6.5 server:
http://trialanderrorlinux.wordpress.com/2013/06/22/ldap-directory-server-...
http://linuxrackers.com/doku.php?id=389_directory_server_setup_using_cent...
http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmult...
http://admintweets.com/389-ds-directory-services-multi-master-replication...
I am not doing TLS between the masters, just between the clients and servers. Now I am looking at the error logs and I am seeing an error in the log:
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: wait_for_changes -> wait_for_changes
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: wait_for_changes -> start
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): No linger to cancel on the connection
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): Disconnected from the consumer
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: start -> ready_to_acquire_replica
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: ready_to_acquire_replica -> wait_for_changes
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 Acquired consumer connection extension
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 repl="dc=us1,dc=site,dc=com": Begin incremental protocol
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 replica="dc=us1,dc=site,dc=com": Unable to acquire replica: error: permission denied
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 repl="dc=us1,dc= site,dc=com": StartNSDS90ReplicationRequest: response=3 rc=0
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 Relinquishing consumer connection extension
Any idea what it could be? When I first set this up I did remember to init the replica.
Louis
9 years, 2 months
Questions on Version - 1.2.11.X
by Jordan, Phillip
First let me state that I have been tasked to fix and upgrade the directory due to recent issues. I have vast experience in most other directories but not in 389 Directory space. So I have a few questions that will help in getting the directory upgraded with the most sound configuration. If someone can take the time to answer these brief questions it would be appreciated.
1. Issues with replication Groups and normal replication, the most active issue is that groups are not syncing but often even the regular replication fails.
I have read about issues with sync of groups and member\memberof attributes but this seems to be more with just replication of groups. I looked in the error log and never found any errors but restarting the service fixes the issue but sometimes it requires a manual fix to get the member\memberof set on the affected servers.
This Example just shows a quick failure of basic replication: (this is a short example but has been minutes or have to restart the service to get replication working)
[XX/Jan/20XX:16:37:50 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[XX/Jan/20XX:16:37:54 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Replication bind with SIMPLE auth resumed
2. Issues with changelog size is too large
The current changelog is 1.1 gig and this seems very large considering the DB is only about 40 meg. How can this be pruned to a decent size?
3. Cause of the DIRSRV stopping a lot recently after Yum OS update
I would assume this is due to a very outdated version and would expect that the upgrade should help with the stability. I might add that the failures started recently after an OS Yum update. I think it could be a compatibility issue and upgrading should aid in this.
4. Review configuration files that are manually done. I have read and am good to export the directory before the upgrade but what other files would you backup? IE DSE.LDIF? Stop the service and backup the DB files? etc
5. Issues with upgrading from 1.2.11.X to 1.3.3.5, gotchas or upgrade to 1.3 then patch to 1.3.3.5?
6. Other observations that users have experienced that may aid in a successful upgrade?
Phillip Jordan
Lead Engineer, Web Hosting
555 W. Adams
Chicago, IL 60661
transunion.com <http://www.transunion.com/>
9 years, 3 months
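Added example, not part of either post above and not 389-ds project code: a small scanner for the `NSMMReplicationPlugin` error-log lines quoted in the two replication posts, which counts state transitions and pulls out the two failure messages seen there. The function name `scan`, the `FAILURES` table and the regular expressions are this example's own, and the sample lines are copied from the excerpts above.

```python
import re
from collections import Counter

# Line shape taken from the error-log excerpts quoted in the two posts.
LINE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+NSMMReplicationPlugin\s+-\s+(?P<msg>.*)$')
AGMT = re.compile(r'agmt="(?P<agmt>[^"]+)"\s+\((?P<peer>[^)]+)\)')
REPLICA = re.compile(r'repl(?:ica)?="(?P<suffix>[^"]+)"')
STATE = re.compile(r'State:\s+(\w+)\s+->\s+(\w+)')

# Failure phrases seen in those excerpts; not an exhaustive list.
FAILURES = {
    "acquire_denied": "Unable to acquire replica",
    "consumer_unreachable": "Unable to receive the response for a startReplication",
}

def scan(lines):
    """Return (findings, transitions) for NSMMReplicationPlugin log lines."""
    findings, transitions = [], Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # other plugins, blank lines, wrapped text
        msg = m["msg"]
        st = STATE.search(msg)
        if st:
            transitions[st.groups()] += 1
        for kind, phrase in FAILURES.items():
            if phrase not in msg:
                continue
            agmt, repl = AGMT.search(msg), REPLICA.search(msg)
            findings.append({
                "time": m["ts"],
                "kind": kind,
                # agmt= lines carry agreement and peer; conn= lines carry the suffix
                "agreement": agmt["agmt"] if agmt else None,
                "peer": agmt["peer"] if agmt else None,
                "suffix": re.sub(r",\s+", ",", repl["suffix"]) if repl else None,
            })
    return findings, transitions

SAMPLE = """\
[27/Jan/2015:13:31:25 -0500] NSMMReplicationPlugin - agmt="cn=ldap01.userRoot" (ldap02:389): State: start -> ready_to_acquire_replica
[27/Jan/2015:13:32:02 -0500] NSMMReplicationPlugin - conn=2347 op=3 replica="dc=us1,dc=site,dc=com": Unable to acquire replica: error: permission denied
[XX/Jan/20XX:16:37:50 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[XX/Jan/20XX:16:37:54 -0500] NSMMReplicationPlugin - agmt="cn=abc123" (abc123:389): Replication bind with SIMPLE auth resumed
""".splitlines()

if __name__ == "__main__":
    print(scan(SAMPLE))
```
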
Windows Console
by Oates, Robert
Hello all,
I have configured and set up a 389 test service which works perfectly when I use the console on the server running 389-ds but when I try to use the Windows console to administer the service I come across a small issue. I have installed the console on a Windows 7 PC and I'm able to log into the console but under server group I only have the administration server option listed and not the directory server option.
Has anyone else come across this issue?
My setup
two CentOS 6.6 servers
389-DS version 1.2.11.15
SSL enabled for the DS
MMR enabled
Regards
Rob
9 years, 3 months
Unhashed Passwords in Retro Changelog
by Dustin Rice
Howdy folks, question about the unhashed#user#password attr showing up in
the retro changelog. I've seen some mentions of it (and bug reports). I'm
running 389ds 1.2.11.15. I am not syncing to windows/AD, is there any way
to disable that from ending up in the changelog?
Thanks.
9 years, 3 months
restoring multi-master server DB
by xian
I read in RHDS docs that I must "stop all replication processes before
attempting to *restore* a database". The release notes of v9.1 write about a
new feature:
In previous versions of Directory Server there was no explicit way to
disable a replication agreement. The only methods to suspend replication
were to change the schedule or to delete the agreement entirely.
Q1: So if I want to restore a 9.0 multi-master config, better to delete the
replication agreement before restoring the DB, right?
Another interesting difference I found between docs of v8.x and 9.x
regarding restore is, that v8.2 docs write:
"After the database is restored, any consumers, hubs, or multi-master peers
must be reinitialized."
This statement is missing from v9 docs.
Q2: Is this no longer needed? I would think I still have to reinitialize
the multi-master peer even on v9...
Thanks!
9 years, 3 months
Fwd: patching master-master replicated servers
by xian
Hi Team,
I have 2 Red Hat Directory Server instances on level 9.0 and would like to
patch both to 9.1. They are operating in a master-master 2 way replication
mode.
How am I supposed to do that? I don't see much info in the official docs,
only how to patch 8.x and earlier versions. Would be nice to have at least
one of them online while patching...
Thanks!
9 years, 3 months
Permanently Disable SSLv3
by John Trump
Is there a way to permanently disable SSLv3 in directory server? If I
modify the dse.ldif file and set nssSSL3 to off this works until an admin
goes through the gui and makes a change to the encryption cert and saves
config. Once this happens SSLv3 is enabled again.
9 years, 3 months
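Added example, not part of the post above and not 389-ds project code: a drift check that reads the text of an instance's dse.ldif and reports when the SSLv3 switch is no longer explicitly off, so a console save that re-enables it is noticed. It assumes the setting sits in the `cn=encryption,cn=config` entry under the attribute name `nsSSL3` (the post spells it nssSSL3; pass whichever name your dse.ldif uses as `attr`). The function names and both LDIF fragments are constructed for this example.

```python
import base64

def parse_ldif(text):
    """Yield one dict per LDIF entry: lower-cased attribute -> list of values."""
    # LDIF wraps long lines; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def norm_dn(dn):
    """Compare DNs without regard to case or spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def sslv3_findings(ldif_text, attr="nsSSL3", dn="cn=encryption,cn=config"):
    """Return a list of problems; an empty list means attr is explicitly off."""
    for entry in parse_ldif(ldif_text):
        if norm_dn(entry.get("dn", [""])[0]) != norm_dn(dn):
            continue
        values = entry.get(attr.lower())
        if not values:
            return [f"{attr} is not set in {dn}, so the server default applies"]
        if any(v.lower() != "off" for v in values):
            return [f"{attr} is {values} in {dn}, expected off"]
        return []
    return [f"entry {dn} not found"]

# Constructed fragments: the hand-edited state, then the state after a save
# that switched the setting back on (attribute names are case-insensitive).
HARDENED = """\
dn: cn=config
objectClass: top

dn: cn=encryption,
 cn=config
objectClass: top
cn: encryption
nsSSL3: off
"""
AFTER_GUI_SAVE = HARDENED.replace("nsSSL3: off", "nsssl3: ON")

if __name__ == "__main__":
    print(sslv3_findings(HARDENED), sslv3_findings(AFTER_GUI_SAVE))
```
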
unknown object class error
by Nick Bright
Greetings,
I've used the 389-console to define a few custom attributeType values,
and placed those values into a custom objectClass which has a parent of
inetOrgPerson.
I followed the documentation at
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9....
while creating my objectClass and attributeType configuration values.
When I attempt to include my custom object class "x-serviceRecord" in an
ldapadd command, the server gives me an error:
Entry "x500uniqueidentifier=*****,dc=mydc,dc=local" has unknown object class "x-serviceRecord"
I suspect I am missing some step or configuration parameter that isn't
obvious from the documentation.
Any suggestions as to how to resolve the issue would be appreciated.
--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
9 years, 3 months
389 DS in Amazon EC2 Environment
by Paul Whitney
Has anyone had any success with hosting directory servers in the AWS environment?
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Cell: 410.493.9448
9 years, 3 months