Solving Potential Interoperability Problems; Troubleshooting Replication-Related Problems - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

• The server creates a minimalistic entry with the glue and extensibleObject object classes.
In such cases, modify the entry to turn it into a meaningful entry or delete it and all of its child entries.

8.18.3. Solving Potential Interoperability Problems

For reasons of interoperability with applications that rely on attribute uniqueness, such as a mail
server, it may be necessary to restrict access to the entries which contain the nsds5ReplConflict
attribute. If access is not restricted to these entries, then the applications requiring one attribute only
pick up both the original entry and the conflict resolution entry containing the nsds5ReplConflict,
and operations will fail.
To restrict access, modify the default ACI that grants anonymous read access:
ldapmodify -h hostname -D "cn=Directory Manager" -w password
> dn: dc=example,dc=com
> changetype: modify
> delete: aci
> aci: (target ="ldap:///dc=example,dc=com")(targetattr
!="userPassword")(version 3.0;acl "Anonymous read-search
access";allow (read, search, compare)(userdn = "ldap:///anyone");)
> -
> add: aci
> aci: (target="ldap:///dc=example,dc=com")(targetattr!="userPassword")
(targetfilter="(!(nsds5ReplConflict=*))")(version 3.0;acl
"Anonymous read-search access";allow (read, search, compare)
(userdn="ldap:///anyone");)
> -
The new ACI filters out all entries that contain the nsds5ReplConflict attribute from search results.
For more information on the ldapmodify command, see
Command-Line" and the Directory Server Configuration, Command, and File Reference.

8.19. Troubleshooting Replication-Related Problems

This section lists some error messages, explains possible causes, and offers remedies.
It is possible to get more debugging information for replication by setting the error log level to 8192,
which is replication debugging. See
To change the error log level to 8192, run the following ldapmodify command:
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
Because log level is additive, running the above command will result in excessive messages in the
error log. So, use it judiciously.
To turn off replication debugging log, set the same attribute to 0.
The cl-dump.pl script, which is explained in detail in the Directory Server Configuration, Command,
and File Reference can also help troubleshoot replication-related problems. Depending on the usage
options, the script can selectively dump a particular replica:
Section 2.2, "Managing Entries from the
Section 8.19, "Troubleshooting Replication-Related
Solving Potential Interoperability Problems
Problems".
301