Wednesday, April 14, 2021

[389-users] dsctl healthcheck bug - or at least a bad resolution

Hi Guys!

I think I found a bug in dsctl, and wanted to give some background and
see what you guys thought.

I am setting up my ldaphub.. and I am getting an odd issue when running
the dsctl $instance healthcheck on it, but the dsctl $instance
get-nsstate shows that the missing part is right there. I have confirmed
this by looking directly at the dse.ldif file and finding the
"resolution" is already present.

Error and get-nsstate are below. It will be the same error 8 times in a

Hmm.. it seems to be related to maybe how I set up the replication
agreement and consumer, so I added that at the bottom as well.

I found something interesting: if I set the replication ID for the hub,
dsconf won't use the ID number I put in; dsconf puts in a number outside
a valid range, 65535. Have you guys seen this?

Thanks guys for everything!


Here is the error (8x):

Severity: MEDIUM
Check: backends:somesuffixroot:mappingtree
 -- somesuffixroot

This backend may be missing the correct mapping tree references. Mapping
Trees allow
the directory server to determine which backend an operation is routed
to in the
abscence of other information. This is extremely important for correct
of LDAP ADD for example.

A correct Mapping tree for this backend must contain the suffix name,
the database name
and be a backend type. IE:

cn=o3Dexample,cn=mapping tree,cn=config
cn: o=example
nsslapd-backend: userRoot
nsslapd-state: backend
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree

Either you need to create the mapping tree, or you need to repair the
mapping tree. You will need to do this by hand by editing cn=config, or
the instance and editing dse.ldif.

dsctl ldaphub get-nsstate

Replica DN:
Replica Suffix:       ou=somesuffix,o=caltech,c=us
Replica ID:           65535
Gen Time:             1618442292
Gen Time String:      Wed Apr 14 16:18:12 2021
Gen as CSN:           607778340002655350000
Local Offset:         0
Local Offset String:  0 seconds
Remote Offset:        7
Remote Offset String: 7 seconds
Time Skew:            7
Time Skew String:     7 seconds
Seq Num:              2
System Time:          Wed Apr 14 17:30:50 2021
Diff in Seconds:      4358
Diff in days/secs:    0:4358
Endian:               Little Endian

Dse.ldif section that already has the resolution present:

dn: cn=ou\3Dsomesuffix\2Co\3Dcaltech\2Cc\3Dus,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: referral on update
nsslapd-backend: somesuffixRoot
cn: ou=somesuffix,o=caltech,c=us
creatorsName: cn=directory manager
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20210415004818Z
modifyTimestamp: 20210415005939Z
numSubordinates: 1

How I set up the hub and the agreement (note: the same commands I
used to set up the suppliers and consumers worked great; the only
variance is really the role):

# how I set up the consumer
dsconf -D "cn=Directory Manager" -w XXX ldap://$consumer replication enable \
     --suffix="ou=somesuffix,o=caltech,c=us" --role="hub" \
     --replica-id=6001 --bind-dn="cn=replication manager,cn=config"

# how I set up the agreement
dsconf -D "cn=Directory Manager" -w XXXX ldap://supplier repl-agmt create \
     --suffix="ou=somesuffix,o=caltech,c=us" --host=consumer --port=389 \
     --conn-protocol=StartTLS --bind-dn="cn=replication manager,cn=config" \
     --bind-passwd=XXXX --bind-method=SIMPLE --init \
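
An added example, not part of the original post and not lib389's own healthcheck code: it parses the mapping tree entry quoted from dse.ldif and compares it with the three conditions as the healthcheck text words them (suffix name, database name, backend state). The function names and the case-insensitive matching are assumptions of this example.

```python
import re

# Constructed sample: the mapping tree entry quoted in the post, as it sits in dse.ldif.
SAMPLE_LDIF = r"""dn: cn=ou\3Dsomesuffix\2Co\3Dcaltech\2Cc\3Dus,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: referral on update
nsslapd-backend: somesuffixRoot
cn: ou=somesuffix,o=caltech,c=us
"""

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding continuation lines."""
    unfolded = re.sub(r"\n ", "", ldif)  # RFC 2849: a leading space continues the previous line
    entry = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def unescape_rdn(value):
    """Decode RFC 4514 hex escapes such as \\3D ('=') and \\2C (',')."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def check_mapping_tree(entry, suffix, backend):
    """Return the conditions from the healthcheck text that the entry does NOT meet."""
    problems = []
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if "nsmappingtree" not in classes:
        problems.append("objectClass nsMappingTree missing")
    rdn = re.split(r"(?<!\\),", entry["dn"][0], maxsplit=1)[0]  # first RDN of the DN
    rdn_value = unescape_rdn(rdn.partition("=")[2])
    names = {v.lower() for v in entry.get("cn", [])} | {rdn_value.lower()}
    if suffix.lower() not in names:
        problems.append("suffix name not found")
    if backend.lower() not in {v.lower() for v in entry.get("nsslapd-backend", [])}:
        problems.append("database name does not match")
    state = entry.get("nsslapd-state", [""])[0].lower()
    if state != "backend":
        problems.append("nsslapd-state is '%s', not 'backend'" % state)
    return problems

if __name__ == "__main__":
    e = parse_entry(SAMPLE_LDIF)
    print(check_mapping_tree(e, "ou=somesuffix,o=caltech,c=us", "somesuffixroot"))
```

For the entry in the post, the only condition reported is the nsslapd-state line, because the entry carries "referral on update" rather than "backend".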
