https://bugs.openldap.org/show_bug.cgi?id=9772
--- Comment #15 from stefan@kania-online.de ---

Here is the content of "dn: olcDatabase={2}mdb,cn=config" from ldap01, the server where I made the changes:

-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=kerberos-adm,dc=example,dc=net" write by * read
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------
And here is the content of "dn: olcDatabase={2}mdb,cn=config" from one of the other LDAP servers:

-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------

I made a diff on both and only the changed ACL is listed:

-----------------
diff config-ldap01.txt config-ldap02.txt
✔ 4468 17:19:53 7,14c7,10 < olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=externa < l,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=e < xternal,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=ne < t" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.ex < act="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@ < EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact=" < uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=k < erberos-adm,dc=example,dc=net" write by * read ---
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=ex ternal,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net w rite by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
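Review bot: the replica's olcAccess {0} is not merely reformatted, it grants different access: it ends in `by * break` instead of `by * read`, and the four clauses ldap01 has after the repl-user clause (sssd-user read, the K/M@EXAMPLE.NET principal write, uid=kdc write, uid=kadmin write) are absent. With `break` as the last clause, a subject that matches no earlier clause falls through to directives {1}-{3} and then to slapd's default rather than being granted read, so anything relying on the ldap01 ACL (SSSD lookups, the KDC/kadmin writes) will behave differently on ldap02. The DN patterns have also lost their double quotes, which is cosmetic by comparison. The `7,14c7,10` header confirms this attribute is the only difference, so the question is whether ldap02's value is what was replicated from ldap01 or an older value from config.ldif that never got updated; dumping the same entry from ldap03 and ldap04 would show which. The `✔ 4468 17:19:53` in front of the hunk is shell prompt residue, not diff output.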
-----------------
Again, I'm setting up my four LDAP servers via Ansible.
The first step, after installing the Symas packages (on Debian 11), is adding the config from the file "config.ldif" (see attachment).
The next step is configuring the certificates for TLS via Ansible tasks with the Ansible module "ldap_attr".
Then the initial objects are created on the first LDAP server (ldap01) via the Ansible module ldap_entry.
Then the delta-syncrepl of the main DB is configured via Ansible with "main-db-repl.ldif" (see attachment) on all four servers.
Then the replication of cn=config is configured on all four servers with "repl_config.ldif" (see attachment).
And that's how I set up all the servers with my Ansible role.
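The comparison above was done by eye on folded ldapsearch output, which is error-prone because LDIF wraps long values and a `diff` of two dumps then reports whole attribute values rather than the clauses that actually differ. The following is an added example, not code from the bug report, from OpenLDAP or from Symas: it unfolds two LDIF dumps of the same cn=config entry (RFC 2849 folding, where a line starting with a single space continues the previous one), compares them attribute by attribute, and for olcAccess lists which `by` clauses are missing on the replica. The two dumps embedded below are constructed, shortened versions of the olcDatabase={2}mdb entry shown in the report; stripping DN quotes before comparing clauses is an assumption made here so that a quoting-only difference is not reported as drift.

```python
"""Check that a cn=config entry is identical on every replica.

Added example, not code from the bug report or from OpenLDAP/Symas. It assumes
the inputs are LDIF dumps of one entry as produced by ldapsearch (RFC 2849
folding: a line starting with a single space continues the previous line),
which is why folded values such as "cn=externa" / " l,cn=auth" are joined
before anything is compared.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the ACL as dumped from ldap01 (the server that was edited).
DUMP_LDAP01 = """\
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" wri
 te by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by * read
olcAccess: {1}to dn.exact="" by * read
olcMultiProvider: TRUE
"""

# Constructed sample: the same entry as dumped from ldap02 after replication.
DUMP_LDAP02 = """\
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net wri
 te by * break
olcAccess: {1}to dn.exact="" by * read
olcMultiProvider: TRUE
"""


def unfold_ldif(text: str) -> List[str]:
    """Join RFC 2849 continuation lines onto the line they continue.

    The single leading space is the fold marker and is dropped; blank lines
    and comments are skipped. One entry per dump is expected here."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "" or raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def parse_entry(text: str) -> Dict[str, List[str]]:
    """Map attribute name -> values in dump order (multi-valued attributes
    such as olcAccess keep their {n} ordering prefix inside the value)."""
    attrs: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        # A second colon marks a base64 value; it is compared in encoded form,
        # which is enough to detect that the two dumps differ.
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def by_clauses(acl_value: str) -> List[str]:
    """Split an olcAccess value into its 'by <who> <access>' clauses.

    Double quotes around DNs are removed first so that a quoting-only
    difference between two dumps is not counted as a missing clause
    (assumption for this example; the missing clauses are the real finding)."""
    body = re.split(r"\s*\bto\b\s+", acl_value, maxsplit=1)[1]
    parts = re.split(r"\s+by\s+", body)
    return [p.strip().replace('"', "") for p in parts[1:]]


def acl_drift(ref_value: str, other_value: str) -> Tuple[List[str], List[str]]:
    """Clauses present on the reference but not on the replica, and vice versa."""
    ref, other = by_clauses(ref_value), by_clauses(other_value)
    missing = [c for c in ref if c not in other]
    extra = [c for c in other if c not in ref]
    return missing, extra


def compare_entries(ref_text: str, other_text: str,
                    ref_name: str = "reference", other_name: str = "replica") -> List[str]:
    """Human-readable differences between two dumps of the same entry.

    An empty list means the entries match after unfolding."""
    a, b = parse_entry(ref_text), parse_entry(other_text)
    findings: List[str] = []
    for attr in sorted(set(a) | set(b)):
        va, vb = a.get(attr, []), b.get(attr, [])
        if va == vb:
            continue
        if len(va) != len(vb):
            findings.append(f"{attr}: {len(va)} value(s) on {ref_name}, {len(vb)} on {other_name}")
        for i, (x, y) in enumerate(zip(va, vb)):
            if x == y:
                continue
            msg = f"{attr} value {i} differs\n  {ref_name}: {x}\n  {other_name}: {y}"
            if attr == "olcAccess":
                missing, extra = acl_drift(x, y)
                msg += f"\n  clauses missing on {other_name}: {missing}"
                msg += f"\n  clauses only on {other_name}: {extra}"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in compare_entries(DUMP_LDAP01, DUMP_LDAP02, "ldap01", "ldap02"):
        print(finding)
```

Run against real dumps, the two string constants would be replaced by the output of the same ldapsearch on each server; comparing every replica against the server that was edited, rather than pairwise, makes it obvious whether one replica or all of them failed to pick up the change.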