https://bugs.openldap.org/show_bug.cgi?id=10173
Issue ID: 10173 Summary: Accesslog bootstrap doesn't populate minCSN internally Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs@openldap.org Reporter: ondra@mistotebe.net Target Milestone: ---
When a new accesslog DB is being set up from zero but a main DB exists, the correct minCSN is pushed into the auditContainer entry but li_mincsn et al are not set up internally. Fix is coming.
https://bugs.openldap.org/show_bug.cgi?id=10173
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.5.18 Assignee|bugs@openldap.org |ondra@mistotebe.net Version|unspecified |2.5.17 Keywords|needs_review |
https://bugs.openldap.org/show_bug.cgi?id=10173
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- https://git.openldap.org/openldap/openldap/-/merge_requests/685
https://bugs.openldap.org/show_bug.cgi?id=10173
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |RESOLVED Resolution|--- |FIXED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- head:
• af7575fa by Ondřej Kuzník at 2024-02-12T18:50:10+00:00 ITS#10173 Populate li_minCSN on conversion
RE26:
• 70e72e58 by Ondřej Kuzník at 2024-02-15T18:10:53+00:00 ITS#10173 Populate li_minCSN on conversion
RE25:
• b870fbff by Ondřej Kuzník at 2024-02-15T18:08:00+00:00 ITS#10173 Populate li_minCSN on conversion
https://bugs.openldap.org/show_bug.cgi?id=10173
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- Need to release note this bug with instructions on how to fix an accesslog DB that has the problem.
In general:
a) restart slapd with sync logging enabled. slapd will report the number of minCSN values found in the database. Example:
... accesslog_purge: updating minCSN with 4 values
In an environment where there are only 2 providers, this indicates the issue is present, as there should only be 2 minCSN values.
If affected:
b) stop slapd c) export the accesslog database via slapcat: slapcat ... -b <accesslog dn> -l <file>
Example: slapcat -b cn=accesslog -l al.ldif
NOTE: it may be worth preserving the al.ldif file in its original form in case a mistake is made in the next section, i.e., cp al.ldif al-orig.ldif
d) Edit the al.ldif file
e) In the first entry of the al.ldif file it will have the 4 minCSN values listed. Two of the values should match reqStart values of changes present in the accesslog db. The other two values will be for something not present in the accesslog db. Example:
minCSN: 20240506212840.635998Z#000000#001#000000 minCSN: 20240506210001.869022Z#000000#002#000000 minCSN: 20240423153217.123498Z#000000#001#000000 minCSN: 20240423150001.372841Z#000000#002#000000
The above means that the accesslog DB was initialized on April 23, 2024 and that minCSN value has been incorrectly preserved. The 20240506 minCSN values match up with the oldest current entries in the accesslog DB for the specific serverIDs they are for (SID 001, SID 002).
To fix, we delete the minCSN values for April 23, 2024 from the al.ldif file.
f) After deleting the invalid minCSN values: remove the current accesslog database MDB files.
Example, assuming the accesslog db is stored in /var/lib/ldap/accesslog:
rm -f /var/lib/ldap/accesslog/*.mdb
g) Load the fixed version of the database:
slapadd ... -b <accesslog database root> -l al.ldif
Example:
slapadd -b cn=accesslog -l al.ldif
h: Restart slapd. Log should show only the correct number of minCSN values now:
... accesslog_purge: updating minCSN with 2 values
NOTE: values reported will correspond with the number of actual serverIDs in use.
https://bugs.openldap.org/show_bug.cgi?id=10173
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |VERIFIED
-
openldap-its@openldap.org