hume-ol@bofh.ca wrote:
Full_Name: Brandon Hume Version: 2.4.28 OS: RHEL EL6.1, kernel 2.6.32-131.12.1.el6.x86_64 URL: http://den.bofh.ca/~hume/ol_v3_fail_syslog.txt Submission from: (NULL) (2001:410:a010:2:223:aeff:fe74:400e)
OpenLDAP 2.4.28 compiled with BerkeleyDB 5.2.36, attempting to configure for multi-master replication. Problems occurred with the second server complaining about operations errors while attempting to replicate the cn=config tree; I've been able to reproduce the problem from the command line using ldapsearch from the same compile.
The host is RHEL 6.1 running inside VMWare. Version of OpenLDAP is 2.4.28, compiled with BerkeleyDB 5.2.36 (no patches available from Oracle at the time I downloaded). Configuration options used are visible in http://den.bofh.ca/~hume/config_ol_sh.txt
The problem does *not* seem to be consistent, as *sometimes* it will work but most of the time not. I've run the example query once, had it fail, run it again immediately and had it succeed, and then again fail a dozen times in a row. Wireshark traces showed the connection was established using LDAPv3; putting the server in debug "Any" mode also confirms the same. The syslogs generated are viewable at http://den.bofh.ca/~hume/ol_v3_fail_syslog.txt
I've compiled 2.4.27 with the same options and it *seemed* to behave, though I may have merely gotten lucky.
Only two source files are changed between 2.4.27 and 2.4.28, and neither of the changes affect cn=config, syncrepl, or Bind operations. If you're seeing a difference in behavior here then I can only conclude that your build environment is corrupted.
Example ldapsearch invocation:
$ /appl/ldap/bin/ldapsearch -x -D 'cn=config' -h kil-ds-3.its.dal.ca -b cn=config -w bindpass -s sub -E sync=rp -e manageDSAit 'objectclass=*' # extended LDIF # # LDAPv3 # base<cn=config> with scope subtree # filter: objectclass=* # requesting: ALL # with manageDSAit control #
# search result search: 2 result: 2 Protocol error text: controls require LDAPv3
# numResponses: 1 ldap_result: Can't contact LDAP server (-1)
These servers are not yet in production and I have ~two weeks to play and tweak to generate more debugging information if you'd find it useful.