Fedora directory users - Feb 2009 - Updating Consumer replica fails referral to the master from the console.

Hello List,

We have a consumer read only replica at a remote site. We have a Master
read/write replica in our data center. 
We have an issue with our referrals or updates failing when we submit
updates to the read only replica from the command line. From the console
if we update the read only replica, it properly refers the update to the
master and the master replicates it back down.
>From the command line however these updates fail and the log shows
err=10. 
I see another post regarding this but no resolution was posted. It
mentions spaces as being an issue??
The referrals field on the read only replica shows as...
Ldap://mastersvr.example.com:389/o%3DEXAMPLE.COM

The replication agreement is set using SSL/simple or SSL with a binddn
as opposed to SSL certificate based authentication. I mention this
because I am unsure if it impacts the situation or not.

Is there something I am missing? Not sure why the console refers updates
but the command line does not.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the
addressee(s) named herein and may contain legally privileged and/or confidential
information. If you are not the intended recipient of this e-mail message, you
are hereby notified that any dissemination, distribution or copying of this
e-mail message, and any attachments thereto, is strictly prohibited.  If you
have received this e-mail message in error, please immediately notify the sender
and permanently delete the original and any copies of this email and any prints
thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic
Transactions Act or the applicability of any other law of similar substance and
effect, absent an express statement to the contrary hereinabove, this e-mail
message its contents, and any attachments hereto are not intended to represent
an offer or acceptance to enter into a contract and are not otherwise intended
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.

Chavez, James R. wrote:
> Hello List,
>
> We have a consumer read only replica at a remote site. We have a Master
> read/write replica in our data center. 
> We have an issue with our referrals or updates failing when we submit
> updates to the read only replica from the command line. From the console
> if we update the read only replica, it properly refers the update to the
> master and the master replicates it back down.
>
> >From the command line however these updates fail and the log shows
> err=10. 
>   
You''ll see the same thing with the console too, except that the console
knows how to follow the referral.

This is a problem in general with some older clients that do not know 
how to properly follow LDAPv3 referrals (err=10 is a referral).

What is the client?  The ldapsearch command line?
> I see another post regarding this but no resolution was posted. It
> mentions spaces as being an issue??
> The referrals field on the read only replica shows as...
> Ldap://mastersvr.example.com:389/o%3DEXAMPLE.COM
>
> The replication agreement is set using SSL/simple or SSL with a binddn
> as opposed to SSL certificate based authentication. I mention this
> because I am unsure if it impacts the situation or not.
>
> Is there something I am missing? Not sure why the console refers updates
> but the command line does not.
>
> Thank you
> James
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use
by the addressee(s) named herein and may contain legally privileged and/or
confidential information. If you are not the intended recipient of this e-mail
message, you are hereby notified that any dissemination, distribution or copying
of this e-mail message, and any attachments thereto, is strictly prohibited.  If
you have received this e-mail message in error, please immediately notify the
sender and permanently delete the original and any copies of this email and any
prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic
Transactions Act or the applicability of any other law of similar substance and
effect, absent an express statement to the contrary hereinabove, this e-mail
message its contents, and any attachments hereto are not intended to represent
an offer or acceptance to enter into a contract and are not otherwise intended
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

Thank you for the response,
I see.. err=10 is simply stating that a referral has taken place. 

The command line I am using is ..
ldapmodify -x -h readonly.example.com  -D "cn=Directory Manager" -w
password -f jamesmod.ldif

Contents of jamesmod.ldif are....

dn: ou=ldapou,ou=Users,o=EXAMPLE
ou: ldapou
objectClass: organizationalUnit
objectClass: Top

The ouput is...

ldap_add: Referral (10)
        matched DN: o=EXAMPLE
        referrals:
                ldap://mastersvr.example.com:389

Client utilities I am using are.....

 rpm -ql openldap-clients-2.4.8-3.fc9.i386
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldappasswd
/usr/bin/ldapsearch
/usr/bin/ldapwhoami

# which ldapmodify
/usr/bin/ldapmodify
rpm -qi openldap-clients-2.4.8-3.fc9.i386
Name        : openldap-clients             Relocations: (not
relocatable)
Version     : 2.4.8                             Vendor: Fedora Project
Release     : 3.fc9                         Build Date: Wed 05 Mar 2008
06:04:24 AM MST
Install Date: Tue 07 Oct 2008 01:41:56 AM MST      Build Host:
hammer2.fedora.redhat.com
Group       : Applications/Internet         Source RPM:
openldap-2.4.8-3.fc9.src.rpm
Size        : 509475                           License: OpenLDAP
Signature   : DSA/SHA1, Thu 10 Apr 2008 07:29:06 PM MST, Key ID
b44269d04f2a6fd2
Packager    : Fedora Project
URL         : http://www.openldap.org/
Summary     : Client programs for OpenLDAP

Thank you
James



CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the
addressee(s) named herein and may contain legally privileged and/or confidential
information. If you are not the intended recipient of this e-mail message, you
are hereby notified that any dissemination, distribution or copying of this
e-mail message, and any attachments thereto, is strictly prohibited.  If you
have received this e-mail message in error, please immediately notify the sender
and permanently delete the original and any copies of this email and any prints
thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic
Transactions Act or the applicability of any other law of similar substance and
effect, absent an express statement to the contrary hereinabove, this e-mail
message its contents, and any attachments hereto are not intended to represent
an offer or acceptance to enter into a contract and are not otherwise intended
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.

Hi Rich,
Thank you for your previous response..The answer was actually embedded
within your statement I believe.

"This is a problem in general with some older clients that do not know
how to properly follow LDAPv3 referrals"

I used the mozldap ldapmodify tool and it worked to update entries that
I point at the consumer.  I would have never guessed the openldap tool
would not follow LDAPv3 referrals. Maybe a switch I missed or something.
Thanks again for your suggestion.

James

-----Original Message-----
From: fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich
Megginson
Sent: Monday, February 02, 2009 12:14 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Updating Consumer replica fails
referralto the master from the console.

Chavez, James R. wrote:
> Hello List,
>
> We have a consumer read only replica at a remote site. We have a 
> Master read/write replica in our data center.
> We have an issue with our referrals or updates failing when we submit 
> updates to the read only replica from the command line. From the 
> console if we update the read only replica, it properly refers the 
> update to the master and the master replicates it back down.
>
> >From the command line however these updates fail and the log shows
> err=10. 
>   
You''ll see the same thing with the console too, except that the console
knows how to follow the referral.

This is a problem in general with some older clients that do not know
how to properly follow LDAPv3 referrals (err=10 is a referral).

What is the client?  The ldapsearch command line?
> I see another post regarding this but no resolution was posted. It 
> mentions spaces as being an issue??
> The referrals field on the read only replica shows as...
> Ldap://mastersvr.example.com:389/o%3DEXAMPLE.COM
>
> The replication agreement is set using SSL/simple or SSL with a binddn
> as opposed to SSL certificate based authentication. I mention this 
> because I am unsure if it impacts the situation or not.
>
> Is there something I am missing? Not sure why the console refers 
> updates but the command line does not.
>
> Thank you
> James
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for
use by the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail message, you are hereby notified that any dissemination,
distribution or copying of this e-mail message, and any attachments
thereto, is strictly prohibited.  If you have received this e-mail
message in error, please immediately notify the sender and permanently
delete the original and any copies of this email and any prints
thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL
IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the
Uniform Electronic Transactions Act or the applicability of any other
law of similar substance and effect, absent an express statement to the
contrary hereinabove, this e-mail message its contents, and any
attachments hereto are not intended to represent an offer or acceptance
to enter into a contract and are not otherwise intended to bind the
sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the
addressee(s) named herein and may contain legally privileged and/or confidential
information. If you are not the intended recipient of this e-mail message, you
are hereby notified that any dissemination, distribution or copying of this
e-mail message, and any attachments thereto, is strictly prohibited.  If you
have received this e-mail message in error, please immediately notify the sender
and permanently delete the original and any copies of this email and any prints
thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic
Transactions Act or the applicability of any other law of similar substance and
effect, absent an express statement to the contrary hereinabove, this e-mail
message its contents, and any attachments hereto are not intended to represent
an offer or acceptance to enter into a contract and are not otherwise intended
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any
other person or entity.