Topic: ldap master/slave failure

jjm1982

ldap master/slave failure
« on: February 06, 2010, 09:48:18 pm »
I'm trying to activate a slave. When I try to enable users and groups I receive the problem below. The slave appears on the master but the master cannot sync.

A really nasty bug has occurred
Exception
Failed to enable: Replication failed
Trace
Failed to enable: Replication failed at /usr/share/perl5/EBox/CGI/ServiceModule/ConfigureModuleController.pm line 74
EBox::CGI::ServiceModule::ConfigureModuleController::_process('EBox::CGI::ServiceModule::ConfigureModuleController=HASH(0xc1...') called at /usr/share/perl5/EBox/CGI/Base.pm line 262
EBox::CGI::Base::run('EBox::CGI::ServiceModule::ConfigureModuleController=HASH(0xc1...') called at /usr/share/perl5/EBox/CGI/Run.pm line 120
EBox::CGI::Run::run('EBox::CGI::Run', 'ServiceModule/ConfigureModuleController', 'EBox') called at /usr/share/ebox/cgi/ebox.cgi line 19
ModPerl::ROOT::ModPerl::Registry::usr_share_ebox_cgi_ebox_2ecgi::handler('Apache2::RequestRec=SCALAR(0xc00a28c)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0xc10283c)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0xc10283c)') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0xc00a28c)') called at -e line 0
eval {...} called at -e line 0


jjm1982

Re: ldap master/slave failure
« Reply #1 on: February 07, 2010, 06:23:40 pm »
Here's an update to my problem here. I've included the last few lines of the ebox log file. I also noticed on the master server that the port is 443. Wouldn't this conflict with the web interface of the administration page? Is there a way to change the port that ldap is using?

2010/02/07 12:16:20 DEBUG> UsersAndGroups.pm:2673 EBox::UsersAndGroups::waitSync - Master groups: 12
2010/02/07 12:16:20 DEBUG> UsersAndGroups.pm:2674 EBox::UsersAndGroups::waitSync - Replica groups: 1
2010/02/07 12:16:23 DEBUG> UsersAndGroups.pm:2671 EBox::UsersAndGroups::waitSync - Master users: 7
2010/02/07 12:16:23 DEBUG> UsersAndGroups.pm:2672 EBox::UsersAndGroups::waitSync - Replica users: 0
2010/02/07 12:16:23 DEBUG> UsersAndGroups.pm:2673 EBox::UsersAndGroups::waitSync - Master groups: 12
2010/02/07 12:16:23 DEBUG> UsersAndGroups.pm:2674 EBox::UsersAndGroups::waitSync - Replica groups: 1
2010/02/07 12:16:26 DEBUG> UsersAndGroups.pm:2671 EBox::UsersAndGroups::waitSync - Master users: 7
2010/02/07 12:16:26 DEBUG> UsersAndGroups.pm:2672 EBox::UsersAndGroups::waitSync - Replica users: 0
2010/02/07 12:16:26 DEBUG> UsersAndGroups.pm:2673 EBox::UsersAndGroups::waitSync - Master groups: 12
2010/02/07 12:16:26 DEBUG> UsersAndGroups.pm:2674 EBox::UsersAndGroups::waitSync - Replica groups: 1
2010/02/07 12:16:29 DEBUG> UsersAndGroups.pm:2671 EBox::UsersAndGroups::waitSync - Master users: 7
2010/02/07 12:16:29 DEBUG> UsersAndGroups.pm:2672 EBox::UsersAndGroups::waitSync - Replica users: 0
2010/02/07 12:16:29 DEBUG> UsersAndGroups.pm:2673 EBox::UsersAndGroups::waitSync - Master groups: 12
2010/02/07 12:16:29 DEBUG> UsersAndGroups.pm:2674 EBox::UsersAndGroups::waitSync - Replica groups: 1
2010/02/07 12:16:32 DEBUG> UsersAndGroups.pm:2671 EBox::UsersAndGroups::waitSync - Master users: 7
2010/02/07 12:16:32 DEBUG> UsersAndGroups.pm:2672 EBox::UsersAndGroups::waitSync - Replica users: 0
2010/02/07 12:16:32 DEBUG> UsersAndGroups.pm:2673 EBox::UsersAndGroups::waitSync - Master groups: 12
2010/02/07 12:16:32 DEBUG> UsersAndGroups.pm:2674 EBox::UsersAndGroups::waitSync - Replica groups: 1
2010/02/07 12:16:32 ERROR> UsersAndGroups.pm:2681 EBox::UsersAndGroups::waitSync - Replication failed
2010/02/07 12:16:32 ERROR> ConfigureModuleController.pm:74 EBox::CGI::ServiceModule::ConfigureModuleController::__ANON__ - Failed to enable: Replication failed

isaac

Re: ldap master/slave failure
« Reply #2 on: February 08, 2010, 05:25:23 pm »
The port is used to make SOAP calls via apache, don't worry about that.

Can you do the following? In the slave, edit /etc/event.d/ebox.slapd-replica and make it look like this:
exec /usr/sbin/slapd -d 16640 -h ldap://127.0.0.1:1389/ -u openldap -g openldap -F /etc/ldap/slapd-replica.d 2> /tmp/replica.log

then run:
sudo stop ebox.slapd-replica
sudo start ebox.slapd-replica
and then paste the contents of the file /tmp/replica.log.

Thanks

jjm1982

Re: ldap master/slave failure
« Reply #3 on: February 09, 2010, 12:27:34 pm »
Here are the last 20 lines listed in the /tmp/replica.log:

do_syncrepl: rid=110 rc 21 retrying (4 retries left)
syncrepl_entry: rid=110 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
dn_callback : entries have identical CSN ou=Users,dc=proteus,dc=us,dc=nss,dc=net 20100205200850.605535Z#000000#000#000000
syncrepl_entry: rid=110 be_search (0)
syncrepl_entry: rid=110 ou=Users,dc=proteus,dc=us,dc=nss,dc=net
syncrepl_entry: rid=110 entry unchanged, ignored (ou=Users,dc=proteus,dc=us,dc=nss,dc=net)
syncrepl_message_to_entry: rid=110 mods check (objectClass: value #3 invalid per syntax)
do_syncrepl: rid=110 rc 21 retrying (4 retries left)
syncrepl_entry: rid=111 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
dn_callback : entries have identical CSN ou=Groups,dc=proteus,dc=us,dc=nss,dc=net 20100205200850.606540Z#000000#000#000000
syncrepl_entry: rid=111 be_search (0)
syncrepl_entry: rid=111 ou=Groups,dc=proteus,dc=us,dc=nss,dc=net
syncrepl_entry: rid=111 entry unchanged, ignored (ou=Groups,dc=proteus,dc=us,dc=nss,dc=net)
syncrepl_entry: rid=111 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
dn_callback : entries have identical CSN cn=__USERS__,ou=Groups,dc=proteus,dc=us,dc=nss,dc=net 20100205200850.700944Z#000000#000#000000
syncrepl_entry: rid=111 be_search (0)
syncrepl_entry: rid=111 cn=__USERS__,ou=Groups,dc=proteus,dc=us,dc=nss,dc=net
syncrepl_entry: rid=111 entry unchanged, ignored (cn=__USERS__,ou=Groups,dc=proteus,dc=us,dc=nss,dc=net)
syncrepl_message_to_entry: rid=111 mods check (objectClass: value #1 invalid per syntax)
do_syncrepl: rid=111 rc 21 retrying (4 retries left)

isaac

Re: ldap master/slave failure
« Reply #4 on: February 09, 2010, 02:01:03 pm »
I fear you installed samba or mail or asterisk in the master. Right now, with the current master/slave architecture, you are not supposed to install any of these modules in the master.

The master can have modules not depending on users and groups, such as firewall, dns or dhcp, but not modules that require users and groups such as samba, mail or jabber ...

We have plans to remove this limitation, but not in the immediate future.

Cheers!
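
As an added example (not part of the thread and not eBox code), the shell functions below summarise slapd syncrepl debug output like the /tmp/replica.log excerpt in Reply #3, counting per rid the "objectClass: value #N invalid per syntax" rejections and "rc 21" retries that Reply #4 attributes to user-dependent modules installed on the master. The sample log is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise slapd syncrepl debug output (e.g. /tmp/replica.log):
# for each replication id (rid), count objectClass rejections and rc 21 retries.

# Constructed sample input, modelled on the lines posted in the thread.
sample_log() {
cat <<'EOF'
syncrepl_entry: rid=110 entry unchanged, ignored (ou=Users,dc=example,dc=com)
syncrepl_message_to_entry: rid=110 mods check (objectClass: value #3 invalid per syntax)
do_syncrepl: rid=110 rc 21 retrying (4 retries left)
syncrepl_entry: rid=111 entry unchanged, ignored (ou=Groups,dc=example,dc=com)
syncrepl_message_to_entry: rid=111 mods check (objectClass: value #1 invalid per syntax)
do_syncrepl: rid=111 rc 21 retrying (4 retries left)
syncrepl_entry: rid=112 entry unchanged, ignored (ou=Hosts,dc=example,dc=com)
EOF
}

# Reads a log on stdin and prints one line per rid (hypothetical helper):
#   rid=<n> objectclass_rejects=<n> rc21_retries=<n> verdict=<OBJECTCLASS_REJECTED|ok>
summarise_syncrepl() {
  awk '
    match($0, /rid=[0-9]+/) {
      rid = substr($0, RSTART + 4, RLENGTH - 4)
      seen[rid] = 1
      if ($0 ~ /objectClass: value #[0-9]+ invalid per syntax/) rejects[rid]++
      if ($0 ~ /do_syncrepl:.* rc 21 retrying/) retries[rid]++
    }
    END {
      for (rid in seen)
        printf "rid=%s objectclass_rejects=%d rc21_retries=%d verdict=%s\n",
          rid, rejects[rid], retries[rid],
          (rejects[rid] > 0 ? "OBJECTCLASS_REJECTED" : "ok")
    }' | sort
}

# Succeeds (exit 0) when any rid shows an objectClass rejection, so it can gate a check.
replica_has_objectclass_rejects() {
  summarise_syncrepl | grep -q 'verdict=OBJECTCLASS_REJECTED'
}

sample_log | summarise_syncrepl
```

On a real replica the same summary comes from `summarise_syncrepl < /tmp/replica.log`.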

jjm1982

Re: ldap master/slave failure
« Reply #5 on: February 09, 2010, 02:05:37 pm »
Thanks for that info. I'll just revert back to where I had it initially configured. It's good to know what the issue is.

isaac

Re: ldap master/slave failure
« Reply #6 on: February 09, 2010, 02:08:41 pm »
It's already written in the new documentation but that's not uploaded yet. I'll update the howto to reflect this limitation.

jjm1982

Re: ldap master/slave failure
« Reply #7 on: February 09, 2010, 11:55:22 pm »
Now since I've decided to keep this a master I now receive this error. I changed the mode and enabled the master setting. I try to enable users and groups and receive the below error.

A really nasty bug has occurred
Exception
Failed to enable: root command ldapadd -H 'ldapi://' -Y EXTERNAL -c -f /var/lib/ebox/tmp/slapd-master.ldif failed. Error output: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldap_modify: Insufficient access (50) ldap_modify: Insufficient access (50) ldap_add: Insufficient access (50) ldap_add: Insufficient access (50) ldap_add: Insufficient access (50) ldap_add: Insufficient access (50) ldap_add: Insufficient access (50) ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax ldap_modify: Insufficient access (50) Command output: modifying entry "cn=config" modifying entry "olcDatabase={-1}frontend,cn=config" adding new entry "cn=module{0},cn=config" adding new entry "cn=cosine,cn=schema,cn=config" adding new entry "cn=nis,cn=schema,cn=config" adding new entry "cn=inetorgperson,cn=schema,cn=config" adding new entry "olcDatabase={1}hdb,cn=config" adding new entry "olcOverlay=syncprov,olcDatabase={1}hdb,cn=config" modifying entry "olcDatabase={0}config,cn=config" . Exit value: 50
Trace
Failed to enable: root command ldapadd -H 'ldapi://' -Y EXTERNAL -c -f /var/lib/ebox/tmp/slapd-master.ldif failed.
Error output: SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_modify: Insufficient access (50)
ldap_modify: Insufficient access (50)
ldap_add: Insufficient access (50)
ldap_add: Insufficient access (50)
ldap_add: Insufficient access (50)
ldap_add: Insufficient access (50)
ldap_add: Insufficient access (50)
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
ldap_modify: Insufficient access (50)

Command output: modifying entry "cn=config"

modifying entry "olcDatabase={-1}frontend,cn=config"

adding new entry "cn=module{0},cn=config"

adding new entry "cn=cosine,cn=schema,cn=config"

adding new entry "cn=nis,cn=schema,cn=config"

adding new entry "cn=inetorgperson,cn=schema,cn=config"

adding new entry "olcDatabase={1}hdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={1}hdb,cn=config"

modifying entry "olcDatabase={0}config,cn=config"

.
Exit value: 50 at /usr/share/perl5/EBox/CGI/ServiceModule/ConfigureModuleController.pm line 74
EBox::CGI::ServiceModule::ConfigureModuleController::_process('EBox::CGI::ServiceModule::ConfigureModuleController=HASH(0x95...') called at /usr/share/perl5/EBox/CGI/Base.pm line 262
EBox::CGI::Base::run('EBox::CGI::ServiceModule::ConfigureModuleController=HASH(0x95...') called at /usr/share/perl5/EBox/CGI/Run.pm line 120
EBox::CGI::Run::run('EBox::CGI::Run', 'ServiceModule/ConfigureModuleController', 'EBox') called at /usr/share/ebox/cgi/ebox.cgi line 19
ModPerl::ROOT::ModPerl::Registry::usr_share_ebox_cgi_ebox_2ecgi::handler('Apache2::RequestRec=SCALAR(0x8fe77cc)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
eval {...} called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 204
ModPerl::RegistryCooker::run('ModPerl::Registry=HASH(0x8fe78e0)') called at /usr/lib/perl5/ModPerl/RegistryCooker.pm line 170
ModPerl::RegistryCooker::default_handler('ModPerl::Registry=HASH(0x8fe78e0)') called at /usr/lib/perl5/ModPerl/Registry.pm line 31
ModPerl::Registry::handler('ModPerl::Registry', 'Apache2::RequestRec=SCALAR(0x8fe77cc)') called at -e line 0
eval {...} called at -e line 0

isaac

Re: ldap master/slave failure
« Reply #8 on: February 10, 2010, 02:09:19 am »
You can't really change the mode once it's installed.

You need to run:
sudo /usr/share/ebox-usersandgroups/ebox-usersandgroups-reinstall

That will remove the ebox-usersandgroups module and reinstall it, deleting all the current users on the way. That's the only way to change the mode now.

jjm1982

Re: ldap master/slave failure
« Reply #9 on: February 10, 2010, 03:33:49 am »
Thanks, it helped a lot.