logs archiveBotHelp.net / Freenode / #389 / 2015 / September / 25 / 1
kevev
Howdy all
I am experiencing the weirdest issue with 389.
I have 2 servers that are replicating databases.
On one of the servers I have a few groups of accounts that seem to be unlocking every night.
It used to happen maybe once a month and then accelerated the last few months.
The nsaccountlock attribute gets set from false to true on server 1 but not on server 2. I have re-initialized server 1 from server 2 many times but the issue returns.
There is nothing in any of the logs indicating a change is made that would cause this.
Very weird. Any ideas?
Actually on server 1 these accounts don't even have nsaccountlock attribute.
Could it be that nsaccountlock is not replicated?
CentOS-ds-8.2.0-2.el5.centos
centos-admin-console-8.2.0-2.el5.centos
We use 389 console in Windows to manage.
centos-ds-admin-8.2.1-1.el5.centos
centos-ds-base-8.2.8-2.el5.centos
centos-ds-console-8.2.0-4.el5.centos
I verified that nsaccountlock is not replicated.
How do I get this to replicate? Is it safe to do this? Any other attributes I should have replicating?
Anyone available to help?
bowhunter
Help with what?
kevev
bowhunter My savior!!!
bowhunter
heh
kevev
I have 2 389 servers replicating to each other.
nsaccountlock does not sync
bowhunter
one is a master, one is a consumer?
or two masters?
kevev
ya
I can enable and disable on only one host.
The other one ignores me :(
I have to initialize the host every few days because all accounts lose nsaccountlock attribute magically. Nothing in logs.
bowhunter
hm
ok, so to step back
master/master or master/consumer?
kevev
master/master
bowhunter
ok
replicating over SSL/TLS or no?
kevev
I found some ppl having this issue via google but nobody has an answer.
SSL
bowhunter
ok
kevev
TLS
bowhunter
and replication is configured in both directions, I presume?
kevev
Yes
bowhunter
and do the other portions of your replication subtree replicate correctly in both directions?
e.g. dc=website,dc=com
kevev
Yes
bowhunter
ok
kevev
It seems that only this attribute is not replicating.
bowhunter
and the nsaccountlock is indeed part of your replicated subtree? (and not part of cn=config, for example)
(since cn=config is not replicated)
kevev
I can check
bowhunter
I'd do that just to make sure, since I do not know offhand
kevev
remind me how to check...
bowhunter
I presume it is indeed part of your replicated subtree
is it a configuration item that is part of user accounts?
If so, it should be part of the replicated subtree
Also, have you tried deleting and recreating your replication agreements in both directions?
kevev
Haven't tried that.
bowhunter
One thing I would want to do if I were you is to delete and remake them
Then, when remaking them
Ensure that ALL attributes are replicated
Since you can pare down how many attributes are replicated in a replication agreement
and I suspect it might be that you are not replicating a few attributes
kevev
How do I check if nsaccountlock is in cn=config?
I looked through the tree and don't see anything referring to nsaccountlock.
bowhunter sry to drop this mess on a Friday.
I believe you have helped me before when setting this all up a few years ago. Much appreciated. :)
bowhunter
ok
well, the first thing then is to figure out where this missing attribute is located
and ensure that it is indeed set the way you want it to be on at least one server
kevev
OK
bowhunter
*then* if it does not replicate correctly, we diagnose in that direction
kevev
server 2 is the one that has been behaving lately. I just created backups also.
OK
bowhunter
if you complete the aforementioned, I would posit that the next logical step is to remake the replication agreements the way I previously mentioned
kevev
OK
bowhunter
I will be online all day working, and have a portion of one screen dedicated to IRC
so I should be fairly responsive
kevev
Thank You
So I will remove the agreement and then re-create it first?
bowhunter
well
You can, if you would like
It would be the fastest way for you to see if there is a difference afterward
You can also do an ldapsearch on each server for "nsaccountlock" and see if there are instances of that attribute on either server
kevev
Issue is that I can initialize server 1 from server 2 and it behaves for a day or 2.
I just initialized server 1 and now the attribute exists and I can activate/inactivate from either server and the attribute is replicated properly now.
Not sure how we will troubleshoot this.
bowhunter
ok
In that case
I'd keep a close eye on the errors log on both servers
and wait for the attribute to fail replicating and see what shows up
kevev
OK
bowhunter I have other issues if you have time.
bowhunter
I'll do what I can :)
What's up?
kevev
:)
the new windows console 1.1.15 does not work in Windows 7 64bit. I tried the 32bit & 64bit console version.
Can't login.
bowhunter
Hm
Can't offer much there
kevev
Not sure who is in charge of that. 1.6 is latest that works.