Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 788726

Summary: Schema replication update failed: Invalid syntax
Product: Red Hat Enterprise Linux 6 Reporter: Rich Megginson <rmeggins>
Component: 389-ds-baseAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3CC: jgalipea, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.2.10.0-1.el6 Doc Type: Bug Fix
Doc Text:
This is not a bug that could have been seen by a customer. We have included this bug for upstream tracking purposes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 07:13:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rich Megginson 2012-02-08 22:02:36 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/278

attempting to replicate schema gives the following error:
[01/Feb/2012:17:47:32 -0500] NSMMReplicationPlugin - agmt="cn=agreementname" (server:389): Schema replication update failed: Invalid syntax
Comment 1 Jenny Severance 2012-02-14 15:35:16 UTC 
steps to verify in upstream ticket
Comment 3 Jenny Severance 2012-04-30 18:48:21 UTC 
To reproduce:

    Install IPA server with dogtag CA
    Prepare replica: ipa-replica-prepare serverb.example.com
    Install on replica with CA: ipa-replica-install serverb.example.com --setup-ca 

dogtag handles creating the replication agreement. The dogtag DS instance can be found on both servers in /etc/dirsrv/slapd-PKI-IPA/

This repeats in the log on the initial master every 5 minutes:

[02/Feb/2012:16:04:02 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-doberman.greyoak.com-pki-ca" (doberman:7389): Schema replication update failed: Invalid syntax
[02/Feb/2012:16:04:02 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-doberman.greyoak.com-pki-ca" (doberman:7389): Warning: unable to replicate schema: rc=1

99user.ldif contains lots of custom schema (attached). If I copy this to the replica and restart it then dogtag appears to work fine.
Comment 4 Scott Poore 2012-05-03 18:08:49 UTC 
What log file were those errors seen in?  /var/log/dirsrv/slapd-PKI-IPA/errors?

What version of 389-ds-base was affected here?  I've tried reproducing with the following but have not seen that error in the log yet:

389-ds-base-1.2.9.14-1.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64

Could other command line options have affect whether or not the bug is seen?  

Outside or yum installs and some hostname/resolv.conf fixes, this is what I was doing when trying to reproduce:

### ON MASTER:

ipa-server-install --idstart=3000 --idmax=50000 --setup-dns --forwarder=$DNSFORWARD --hostname=$hostname_s.$DOMAIN -r $RELM -n $DOMAIN -p $ADMINPW -P $ADMINPW -a $ADMINPW -U

ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN

### ON REPLICA:

cd /dev/shm

sftp root@$MASTERIP:/var/lib/ipa/replica-info-$hostname_s.$DOMAIN.gpg

ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg
Comment 5 Rich Megginson 2012-05-03 20:19:16 UTC 
(un)fortunately it is impossible to reproduce unless you are using 389-ds-base-1.2.10.a5
that is, the bug was introduced in 389-ds-base-1.2.10.a5 and fixed in .rc1
so no RHEL version had the bug
it is enough to verify that schema replication works between RHEL 6.3 and RHEL 6.2 with no errors
Comment 6 Scott Poore 2012-05-03 23:18:44 UTC 
Ok, I setup a RHEL 6.3 IPA Master.   Then I tried to setup a RHEL 6.2 Replica but, the install fails.  However, during install, I do see some errors but, not the invalid syntax ones.   Could those be from multiple re-install attempts?

### On MASTER:
# ipa-replica-prepare -p $ADMINPW --ip-address=$SLAVEIP $hostname_s.$DOMAIN

### On REPLICA:
# ipa-replica-install -U --setup-dns --forwarder=$DNSFORWARD --setup-ca -w $ADMINPW -p $ADMINPW /dev/shm/replica-info-$hostname_s.$DOMAIN.gpg

...looked normal until the following error:

  [29/29]: configuring directory to start on boot
done configuring dirsrv.
creation of replica failed: [Errno 2] No such file or directory: '/tmp/tmp1O5dxFipa/realm_info/ldappwd'

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

### On Master in /var/log/dirsrv/slapd-PKI-IPA/errors:

[03/May/2012:18:07:05 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Unable to acquire replica: there is no replicated area "o=ipaca" on the consumer server. Replication is aborting.
[03/May/2012:18:07:05 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Incremental update failed and requires administrator action
[03/May/2012:18:07:22 -0500] NSMMReplicationPlugin - agmt_delete: begin
[03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - Warning: unable to replicate schema to host spoore-dvm2.testrelm.com, port 7389. Continuing with total update session.
[03/May/2012:18:07:26 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)".
[03/May/2012:18:07:30 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". Sent 97 entries.
[03/May/2012:18:07:31 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:31 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:32 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:07:34 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:18:07:35 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:35 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:37 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:07:39 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:18:07:40 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:07:40 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
[03/May/2012:18:10:49 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:18:15:51 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Schema replication update failed: Type or value exists
[03/May/2012:18:15:51 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Warning: unable to replicate schema: rc=1
Comment 7 Rich Megginson 2012-05-03 23:37:57 UTC 
(In reply to comment #6)
> Ok, I setup a RHEL 6.3 IPA Master.   Then I tried to setup a RHEL 6.2 Replica
> but, the install fails.  However, during install, I do see some errors but, not
> the invalid syntax ones.   Could those be from multiple re-install attempts?

Probably.  I don't think you can do a valid test for this bug unless you can do a master and replica setup with no errors.
Comment 8 Scott Poore 2012-05-04 00:22:41 UTC 
Doesn't matter which direction does it?   I'll try a 6.2 master and 6.3 replica and see if that works better.

On a side note, when I uninstall from replica and upgrade from 6.2 to 6..3 and do the prepare and install, I don't see those messages:

[03/May/2012:19:15:17 -0500] NSMMReplicationPlugin - agmt_delete: begin
[03/May/2012:19:15:22 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)".
[03/May/2012:19:15:26 -0500] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389)". Sent 115 entries.
[03/May/2012:19:15:28 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:15:30 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:15:33 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:15:35 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[03/May/2012:19:16:20 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
[03/May/2012:19:16:21 -0500] NSMMReplicationPlugin - agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389): Replication bind with SIMPLE auth resumed
[03/May/2012:19:18:51 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica o=ipaca: 20
Comment 9 Rich Megginson 2012-05-04 00:31:53 UTC 
(In reply to comment #8)
> Doesn't matter which direction does it?   I'll try a 6.2 master and 6.3 replica
> and see if that works better.

It shouldn't matter.  Ideally we would test both ways.

> 
> On a side note, when I uninstall from replica and upgrade from 6.2 to 6..3 and
> do the prepare and install, I don't see those messages:
> 
> [03/May/2012:19:15:17 -0500] NSMMReplicationPlugin - agmt_delete: begin
> [03/May/2012:19:15:22 -0500] NSMMReplicationPlugin - Beginning total update of
> replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca"
> (spoore-dvm2:7389)".
> [03/May/2012:19:15:26 -0500] NSMMReplicationPlugin - Finished total update of
> replica "agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca"
> (spoore-dvm2:7389)". Sent 115 entries.
> [03/May/2012:19:15:28 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:15:30 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:15:33 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:15:35 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:16:18 -0500] NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389):
> Unable to receive the response for a startReplication extended operation to
> consumer (Can't contact LDAP server). Will retry later.
> [03/May/2012:19:16:20 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20
> [03/May/2012:19:16:21 -0500] NSMMReplicationPlugin -
> agmt="cn=masterAgreement1-spoore-dvm2.testrelm.com-pki-ca" (spoore-dvm2:7389):
> Replication bind with SIMPLE auth resumed
> [03/May/2012:19:18:51 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals:
> could not set referrals for replica o=ipaca: 20

These error code 20 messages indicate that you have deleted one or more replicas.  That's why I recommend starting over from scratch.
Comment 10 Scott Poore 2012-05-04 15:33:38 UTC 
Verified with sanity check.  

I had to Install Master/Replica on 6.2 and then upgrade though to get it to work.  There were problems with installing with on 6.2 and the other 6.3.  

Version ::  

ipa-server-2.2.0-12.el6.x86_64
389-ds-base-1.2.10.2-9.el6.x86_64

Manual Test Results ::

Master=6.3/Replica=6.2
-------------------------
1. Installed IPA Master on 6.2
2. Installed IPA Replica on 6.2 with --setup-ca 
3. Upgrade master to 6.3 with yum update 'ipa*'
4. Wait for ~15 minutes
5. Grep for error on master does not show error reported for this bug:

# egrep "NSMMReplicationPlugin.*Schema replication update failed: Invalid syntax" /var/log/dirsrv/slapd-PKI-IPA/errors
#

So, I don't see the errors from this bug, so this looks like it's fixed. 

If I need to sanity check it against a Master=6.2/Replica=6.3, we can move this back to ON_QA and do so.   It shouldn't matter though, right?
Comment 11 Rich Megginson 2012-05-24 23:26:01 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
This is not a bug that could have been seen by a customer.  We have included this bug for upstream tracking purposes.
Comment 12 errata-xmlrpc 2012-06-20 07:13:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html