Hello,
I'm currently running into an issue when trying to do the ipa-replica-install. I did the ipa-replica-prepare command and copied the replica gpg file to the new replica server and ran the following command to do the install:
ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-server.domain.ca.gpg
I get the following error part way through the process:
DatabaseError: Server is unwilling to perform: modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
I looked at the log and saw the following:
DEBUG The ipa-replica-install command failed, exception: DatabaseError: Server is unwilling to perform: Modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
ERROR Server is unwilling to perform: modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
I did a search and could not find the nsds5replicaleasetimeout entry in LDAP. Is this something I can add myself? Or is there something else that needs to be done? I don't see much information on this error when searching.
I had a replica before and removed it so I'm not quite sure what is going on with this. The only difference I can see between the 2 replicas is this new one is running a slightly newer version of RHEL, IPA and 389.
Master Server information:
RHEL 7.1
IPA version 4.1.0-18
389-ds 1.3.3.1-13
Replica Server Information:
RHEL 7.7
IPA Version 4.6.5-11
389-ds 1.3.9.1-18
Thanks,
Matt
On 10/18/19 2:44 PM, Joseph, Matthew via FreeIPA-users wrote:
> Hello,
> I’m currently running into an issue when trying to do the ipa-replica-install.
> I did the ipa-replica-prepare command and copied the replica gpg file to the new replica server and ran the following command to do the install:
> ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-server.domain.ca.gpg
> I get the following error part way through the process:
> DatabaseError: Server is unwilling to perform: modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
> I looked at the log and saw the following:
> DEBUG The ipa-replica-install command failed, exception: DatabaseError: Server is unwilling to perform: Modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
> ERROR Server is unwilling to perform: modification of attribute nsds5replicaleasetimeout is not allowed in replica entry
> I did a search and could not find the nsds5replicaleasetimeout entry in LDAP.
> Is this something I can add myself? Or is there something else that needs to be done? I don’t see much information on this error when searching.
Hi, your issue looks similar to https://pagure.io/freeipa/issue/7796.
> I had a replica before and removed it so I’m not quite sure what is going on with this.
> The only difference I can see between the 2 replicas is this new one is running a slightly newer version of RHEL, IPA and 389.
> Master Server information:
> RHEL 7.1
> IPA version 4.1.0-18
> 389-ds 1.3.3.1-13
Can you check first if the attribute nsds5replicaleasetimeout is properly defined on your master?
# ldapsearch -D "cn=directory manager" -W -x -b cn=schema attributetypes | grep -i nsds5ReplicaReleaseTimeout
This command should return the attribute type definition. If it's not the case, then you need to run copy-schema-to-ca.py on the master as described in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm..., then create the replica file. This will add the attribute definition to the schema on the server.
If the command returns the attr definition, please upload the full ipa-replica-install log (/var/log/ipa-replica-install.log) and the access log from the server (/var/log/dirsrv/slapd-DOMAIN/access) as it will show which entry failed to be updated.
flo
> Replica Server Information:
> RHEL 7.7
> IPA Version 4.6.5-11
> 389-ds 1.3.9.1-18
> Thanks,
> Matt
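Added example, not part of the thread and not FreeIPA's own code: ldapsearch folds long LDIF lines, so a plain grep over the schema output can miss an attribute whose name is split across the fold. The sketch below unfolds the LDIF before matching; the function names, the sample LDIF and its 2.999.x OIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from LDIF on stdin whether cn=schema defines an
# attribute type, even when LDIF line folding splits the attribute name.

# Join LDIF continuation lines: a line starting with one space continues
# the previous line (RFC 2849).
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# schema_defines NAME: exit 0 if an attributeTypes value carries the quoted
# name NAME (case-insensitive), exit 1 otherwise.
schema_defines() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    unfold_ldif | awk -v want="$want" '
        BEGIN { q = "\047" }                      # single quote character
        { line = tolower($0) }
        line ~ /^attributetypes:/ && index(line, q want q) { found = 1 }
        END { exit !found }
    '
}

# Constructed sample of folded ldapsearch output (not captured from a server).
sample_schema_ldif() {
    cat <<'EOF'
dn: cn=schema
attributeTypes: ( 2.999.1 NAME 'nsds5ReplicaReleaseTime
 out' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 2.999.2 NAME 'exampleOtherAttr' DESC 'constructed sample' )
EOF
}

# Demonstration on the sample: the unfolding check finds the definition.
if sample_schema_ldif | schema_defines nsds5ReplicaReleaseTimeout; then
    echo "attribute type is defined in the schema"
else
    echo "attribute type is missing from the schema"
fi
```

On the master, pipe the output of the ldapsearch command quoted above into `schema_defines` in place of the sample.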