In an IPA environment, I'm seeing the DNA plugin fail to fetch a replication agreement. The DNA plugin is trying a replica where there is no replication agreement. This is causing ipa user-add to fail.
[root@ipaqa64vmd tmp.izaYf564ZD]# ipa user-add test --first=f --last=l
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

[root@ipaqa64vmd tmp.izaYf564ZD]# ldapsearch -xLLL -D "$ROOTDN" -w "$ROOTDNPWD" -b "cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config"
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaScope: dc=testrelm,dc=com
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com
So, looking in the logs at the time of the failure:
[29/May/2013:10:03:14 -0400] dna-plugin - dna_get_replica_bind_creds: Failed to fetch replication agreement for range cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com, server ipaqa64vmf.testrelm.com, port 389
[29/May/2013:10:03:14 -0400] dna-plugin - dna_request_range: Unable to retrieve replica bind credentials.
...
[29/May/2013:10:03:14 -0400] dna-plugin - dna_get_replica_bind_creds: Failed to fetch replication agreement for range cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=testrelm,dc=com, server cloud-qe-15.testrelm.com, port 389
[29/May/2013:10:03:14 -0400] dna-plugin - dna_request_range: Unable to retrieve replica bind credentials.
[29/May/2013:10:03:14 -0400] dna-plugin - dna_pre_op: no more values available!!
After some help from Dev, it was pointed out that my IPA replica is running the dna-plugin. The plugin fails to get the range from the master because it doesn't actually have a replication agreement with that master.
Topology is:
R1 - M - R2 - R3 - R4
Failure is occurring on R3. dna-plugin on R3 is attempting to contact M, but there is no replication agreement. M="master" and was the first IPA server set up in the environment.
Version-Release number of selected component (if applicable): 389-ds-base-1.3.0.6-1.fc18.x86_64
How reproducible: very
Steps to Reproduce:
1. Set up IPA environment with similar topology.
2. On R3 or R4, ipa user-add
Actual results: failure like above.
Expected results: dna-plugin accurately looks up the range.
If DNA does not find a replication agreement for the first range it selected for a transfer operation, it should cycle through the rest of the available ranges in the shared config (in descending order of available range size). This should continue until we perform a successful range transfer or run out of servers who have available range values.
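The fallback described in the comment above, as an added example (not the code from the ticket's patch). `struct dna_server`, `request_range` and the transfer callbacks are hypothetical names, and the server data is constructed for R3 in this ticket's topology.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of one server entry in the DNA shared config. */
struct dna_server { const char *host; unsigned long remaining; };

/* Hypothetical transfer callback: returns 0 when `host` hands over values. */
typedef int (*transfer_fn)(const char *host);
int transfer_ok(const char *host) { (void)host; return 0; }
int transfer_fails(const char *host) { (void)host; return -1; }

/* qsort comparator: largest remaining range first. */
static int by_remaining_desc(const void *a, const void *b) {
    const struct dna_server *x = a, *y = b;
    return (x->remaining < y->remaining) - (x->remaining > y->remaining);
}

static int has_agreement(const char *host, const char **agmts, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(agmts[i], host) == 0)
            return 1;
    return 0;
}

/* Try candidates from largest to smallest remaining range. A server without
 * a replication agreement is skipped (no bind credentials exist for it)
 * instead of ending the search. Returns the donor host, or NULL if none. */
const char *request_range(struct dna_server *srv, size_t n_srv,
                          const char **agmts, size_t n_agmts, transfer_fn xfer) {
    qsort(srv, n_srv, sizeof(*srv), by_remaining_desc);
    for (size_t i = 0; i < n_srv && srv[i].remaining > 0; i++) {
        if (!has_agreement(srv[i].host, agmts, n_agmts))
            continue;                     /* move on to the next-largest range */
        if (xfer(srv[i].host) == 0)
            return srv[i].host;
    }
    return NULL;
}

int main(void) {
    /* Constructed data for R3 in the topology R1 - M - R2 - R3 - R4. */
    struct dna_server srv[] = { {"R2", 200}, {"M", 900}, {"R4", 0}, {"R1", 400} };
    const char *agmts[] = { "R2", "R4" };     /* R3's direct neighbours */
    const char *donor = request_range(srv, 4, agmts, 2, transfer_ok);
    printf("donor: %s\n", donor ? donor : "(none)");
    return 0;
}
```

With this data M and R1 advertise the largest ranges but are skipped because R3 has no agreement with them, so the request goes to R2.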
attachment 0001-Ticket-47379-DNA-plugin-failed-to-fetch-replication-.patch
git merge ticket47379
Updating 9f73f01..3e2262e
Fast-forward
 ldap/schema/10dna-plugin.ldif | 38 ++++++-
 ldap/servers/plugins/dna/dna.c | 263 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 278 insertions(+), 23 deletions(-)

git push origin master
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.99 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 9f73f01..3e2262e master -> master

commit 3e2262e
Author: Mark Reynolds mreynolds@redhat.com
Date: Fri Jun 14 11:05:46 2013 -0400
git patch file (master) -- fixing a schema syntax 0001-Ticket-47379-DNA-plugin-failed-to-fetch-replication-.2.patch
Pushed to 389-ds-base-1.3.1:
0df4c66..0b4d359 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 5010f50
commit 0b4d359
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.1.3
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/716
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)