https://bugs.openldap.org/show_bug.cgi?id=9772
Issue ID: 9772
Summary: replication of cn=config for olcDatabase={2}mdb,cn=config not working
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: stefan@kania-online.de
Target Milestone: ---
My setup is an MMR for cn=config. The configuration of all servers is:
---------------
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=1 provider=ldap://ldap01.example.net binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 20" timeout=1 starttls=yes tls_reqcert=allow
olcSyncRepl: rid=2 provider=ldap://ldap02.example.net binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 20" timeout=1 starttls=yes tls_reqcert=allow
olcSyncRepl: rid=3 provider=ldap://ldap03.example.net binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 20" timeout=1 starttls=yes tls_reqcert=allow
olcSyncRepl: rid=4 provider=ldap://ldap04.example.net binddn="cn=admin,cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 20" timeout=1 starttls=yes tls_reqcert=allow
-
add: olcMultiprovider
olcMultiprovider: TRUE
-------------
Replication is working for dn: olcDatabase={-1}frontend,cn=config but not for the configuration of the main DB, dn: olcDatabase={2}mdb,cn=config. When I make a change I get the following messages:
-----------------
messages on provider
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 fd=18 ACCEPT from IP=192.168.56.46:57844 (IP=0.0.0.0:389)
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=0 STARTTLS
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=0 RESULT oid= err=0 qtime=0.000023 etime=0.000176 text=
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=1 BIND dn="cn=admin,cn=config" method=128
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=1 BIND dn="cn=admin,cn=config" mech=SIMPLE bind_ssf=0 ssf=256
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=1 RESULT tag=97 err=0 qtime=0.000027 etime=0.020422 text=
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 SRCH attr=* +
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_op_search: got a persistent search with a cookie=rid=004,sid=002,csn=20211215092402.061636Z#000000#002#000000
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_findbase: searching
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_op_search: registered persistent search
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_op_search: consumer cookie is missing a csn we track
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_search_response: cookie=rid=004,sid=004,csn=20211215092401.968707Z#000000#001#000000;20211215092402.061636Z#000000#002#000000;20211215092402.073013Z#000000#003#000000;20211215092402.084067Z#000000#004#000000
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_sendinfo: refreshPresent cookie=rid=004,sid=004,csn=20211215092401.968707Z#000000#001#000000;20211215092402.061636Z#000000#002#000000;20211215092402.073013Z#000000#003#000000;20211215092402.084067Z#000000#004#000000
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=2 syncprov_search_response: detaching op
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 op=3 UNBIND
Dez 15 10:37:56 ldap04 slapd[6319]: conn=1013 fd=18 closed
messages on consumer
Dez 15 10:37:56 ldap02 slapd[6271]: do_syncrep1: rid=004 starting refresh (sending cookie=rid=004,sid=002,csn=20211215092402.061636Z#000000#002#000000)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn=config, UUID: 5d4870f0-f1d0-103b-92fc-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d4870f0-f1d0-103b-92fc-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn=config 20211215085439.318447Z#000000#004#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn=module{0},cn=config, UUID: 5d487b22-f1d0-103b-92fe-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d487b22-f1d0-103b-92fe-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn=module{0},cn=config 20211215085432.145148Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn=module{0},cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn=module{0},cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn=schema,cn=config, UUID: 5d4877bc-f1d0-103b-92fd-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d4877bc-f1d0-103b-92fd-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_add cn=schema,cn=config (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={0}core,cn=schema,cn=config, UUID: 5d48abc4-f1d0-103b-92ff-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48abc4-f1d0-103b-92ff-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={0}core,cn=schema,cn=config 20211215085432.146392Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={0}core,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={0}core,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={1}cosine,cn=schema,cn=config, UUID: 5d48c23a-f1d0-103b-9300-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48c23a-f1d0-103b-9300-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={1}cosine,cn=schema,cn=config 20211215085432.146967Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={1}cosine,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={1}cosine,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={2}nis,cn=schema,cn=config, UUID: 5d48d1b2-f1d0-103b-9301-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48d1b2-f1d0-103b-9301-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={2}nis,cn=schema,cn=config 20211215085432.147363Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={2}nis,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={2}nis,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={3}inetorgperson,cn=schema,cn=config, UUID: 5d48dbc6-f1d0-103b-9302-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48dbc6-f1d0-103b-9302-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={3}inetorgperson,cn=schema,cn=config 20211215085432.147621Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={3}inetorgperson,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={3}inetorgperson,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={4}dyngroup,cn=schema,cn=config, UUID: 5d48e152-f1d0-103b-9303-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48e152-f1d0-103b-9303-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={4}dyngroup,cn=schema,cn=config 20211215085432.147763Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={4}dyngroup,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={4}dyngroup,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: cn={5}kerberos,cn=schema,cn=config, UUID: 5d48e79c-f1d0-103b-9304-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48e79c-f1d0-103b-9304-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN cn={5}kerberos,cn=schema,cn=config 20211215085432.147924Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 cn={5}kerberos,cn=schema,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (cn={5}kerberos,cn=schema,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: olcDatabase={-1}frontend,cn=config, UUID: 5d48f458-f1d0-103b-9305-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48f458-f1d0-103b-9305-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN olcDatabase={-1}frontend,cn=config 20211215085432.148251Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 olcDatabase={-1}frontend,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (olcDatabase={-1}frontend,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: olcDatabase={0}config,cn=config, UUID: 5d48f7aa-f1d0-103b-9306-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48f7aa-f1d0-103b-9306-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN olcDatabase={0}config,cn=config 20211215092402.084067Z#000000#004#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 olcDatabase={0}config,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (olcDatabase={0}config,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config, UUID: 7c3fa65a-f1d4-103b-983d-81584f1425b7
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 7c3fa65a-f1d4-103b-983d-81584f1425b7
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN olcOverlay={0}syncprov,olcDatabase={0}config,cn=config 20211215092402.083542Z#000000#004#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (olcOverlay={0}syncprov,olcDatabase={0}config,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: olcDatabase={1}monitor,cn=config, UUID: 5d48fa48-f1d0-103b-9307-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48fa48-f1d0-103b-9307-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: dn_callback : entries have identical CSN olcDatabase={1}monitor,cn=config 20211215085432.148402Z#000000#000#000000
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 olcDatabase={1}monitor,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 entry unchanged, ignored (olcDatabase={1}monitor,cn=config)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_message_to_entry: rid=004 DN: olcDatabase={2}mdb,cn=config, UUID: 5d48fd0e-f1d0-103b-9308-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f0589699700
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 inserted UUID 5d48fd0e-f1d0-103b-9308-1b7679847168
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_search (0)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 olcDatabase={2}mdb,cn=config
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_add olcDatabase={2}mdb,cn=config (68)
Dez 15 10:37:56 ldap02 slapd[6271]: conn=-1 op=0 syncprov_matchops: recording uuid for dn=olcDatabase={2}mdb,cn=config on opc=0x7ef1740062c0
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_null_callback : error code 0x35
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_modify olcDatabase={2}mdb,cn=config (53)
Dez 15 10:37:56 ldap02 slapd[6271]: syncrepl_entry: rid=004 be_modify failed (53)
Dez 15 10:37:56 ldap02 slapd[6271]: do_syncrepl: rid=004 rc 53 retrying (18 retries left)
-----------------
A change with ldapmodify only changes cn=config on the server where I ran ldapmodify. All other servers do not see anything, no message in the log.
All systems are Debian 11 with Symas packages 2.6.0-5.
Quanah Gibson-Mount quanah@openldap.org changed:
What              |Removed                         |Added
----------------------------------------------------------------------------
Keywords          |                                |replication
Summary           |replication of cn=config for    |cn=config replication of
                  |olcDatabase={2}mdb,cn=config    |olcDbCheckpoint is broken
                  |not working                     |
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
The problematic change is missing from the bug report. From the mailing list, the change that broke cn=config replication is:

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcDbCheckpoint
olcDbCheckpoint: 1 1
Quanah Gibson-Mount quanah@openldap.org changed:
What              |Removed                         |Added
----------------------------------------------------------------------------
Assignee          |bugs@openldap.org               |ondra@mistotebe.net
Target Milestone  |---                             |2.5.10
Keywords          |needs_review                    |
--- Comment #2 from Ondřej Kuzník ondra@mistotebe.net ---
I cannot reproduce this issue:

```
cd tests
./run -k test050-syncrepl-multiprovider
ldapmodify -x -H ldap://localhost:9011/ -D 'cn=config' -y testrun/configpw <<EOMOD
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcDbCheckpoint
olcDbCheckpoint: 1 1
EOMOD
# query each of the four test providers in turn
for uri in ldap://localhost:{9011..9014}/; do
    ldapsearch -xLLL -o ldif-wrap=no -H "$uri" -D 'cn=config' -y testrun/configpw -b 'olcDatabase={1}mdb,cn=config' -s base olcDbCheckpoint entryCSN
done
```
Please provide a more complete description on how to get to that point or logs that actually show the relevant events (the write and its replication).
--- Comment #3 from stefan@kania-online.de ---
Created attachment 864 (https://bugs.openldap.org/attachment.cgi?id=864&action=edit): dump from cn=config
--- Comment #4 from stefan@kania-online.de ---
See my config of all ldap-servers in cn_config.txt. With this configuration I modify "serverID" in "dn: cn=config" and I see the following messages on the LDAP server where I make the changes:
-------------
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 fd=39 ACCEPT from IP=192.168.56.45:60488 (IP=0.0.0.0:389)
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=0 BIND dn="cn=admin,cn=config" method=128
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE bind_ssf=0 ssf=0
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.004416 text=
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 MOD dn="cn=config"
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 MOD attr=olcServerID
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 syncprov_matchops: recording uuid for dn=cn=config on opc=0x7f57d4000d18
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 syncprov_findbase: searching
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 syncprov_findbase: searching
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 syncprov_findbase: searching
Jan 04 19:25:55 ldap01 slapd[289]: slap_get_csn: conn=1053 op=1 generated new csn=20220104182555.949883Z#000000#001#000000 manage=1
Jan 04 19:25:55 ldap01 slapd[289]: slap_queue_csn: queueing 0x7f57d422b4a0 20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1047 op=2 syncprov_qresp: set up a new syncres mode=1 csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1046 op=2 syncprov_qresp: set up a new syncres mode=1 csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1045 op=2 syncprov_qresp: set up a new syncres mode=1 csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=1 RESULT tag=103 err=0 qtime=0.000007 etime=0.000332 text=
Jan 04 19:25:55 ldap01 slapd[289]: slap_graduate_commit_csn: removing 0x7f57d422b4a0 20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1047 op=2 syncprov_sendresp: to=004, cookie=rid=001,sid=001,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1047 op=2 syncprov_sendresp: sending LDAP_SYNC_ADD, dn=cn=config
Jan 04 19:25:55 ldap01 slapd[289]: conn=1046 op=2 syncprov_sendresp: to=003, cookie=rid=001,sid=001,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1046 op=2 syncprov_sendresp: sending LDAP_SYNC_ADD, dn=cn=config
Jan 04 19:25:55 ldap01 slapd[289]: conn=1045 op=2 syncprov_sendresp: to=002, cookie=rid=001,sid=001,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap01 slapd[289]: conn=1045 op=2 syncprov_sendresp: sending LDAP_SYNC_ADD, dn=cn=config
Jan 04 19:25:55 ldap01 ldapmodify[2589]: DIGEST-MD5 common mech free
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 op=2 UNBIND
Jan 04 19:25:55 ldap01 slapd[289]: conn=1053 fd=39 closed
-------------
On all other ldap-servers I see:
-------------
Jan 04 19:25:55 ldap02 slapd[493]: do_syncrep2: rid=001 cookie=rid=001,sid=001,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_message_to_entry: rid=001 DN: cn=config, UUID: 1298b21a-fb42-103b-84c0-7f85171bcaa6
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=20220104182555.949883Z#000000#001#000000 tid 0x7f5c535d0700
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_entry: rid=001 be_search (0)
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_entry: rid=001 cn=config
Jan 04 19:25:55 ldap02 slapd[493]: slap_queue_csn: queueing 0x7f5c3812d290 20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: conn=-1 op=0 syncprov_matchops: recording uuid for dn=cn=config on opc=0x7f5c380035b8
Jan 04 19:25:55 ldap02 slapd[493]: conn=-1 op=0 syncprov_findbase: searching
Jan 04 19:25:55 ldap02 slapd[493]: conn=-1 op=0 syncprov_findbase: searching
Jan 04 19:25:55 ldap02 slapd[493]: conn=1007 op=2 syncprov_qresp: set up a new syncres mode=1 csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: conn=1005 op=2 syncprov_qresp: set up a new syncres mode=1 csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: slap_graduate_commit_csn: removing 0x7f5c3812d290 20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify cn=config (0)
Jan 04 19:25:55 ldap02 slapd[493]: slap_queue_csn: queueing 0x7f5c38139c50 20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: conn=1007 op=2 syncprov_sendresp: to=004, cookie=rid=002,sid=002,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 systemd[1]: Starting Cleanup of Temporary Directories...
Jan 04 19:25:55 ldap02 slapd[493]: conn=1007 op=2 syncprov_sendresp: sending LDAP_SYNC_ADD, dn=cn=config
Jan 04 19:25:55 ldap02 slapd[493]: conn=1005 op=2 syncprov_sendresp: to=003, cookie=rid=002,sid=002,csn=20220104182555.949883Z#000000#001#000000
Jan 04 19:25:55 ldap02 slapd[493]: conn=1005 op=2 syncprov_sendresp: sending LDAP_SYNC_ADD, dn=cn=config
Jan 04 19:25:55 ldap02 slapd[493]: slap_graduate_commit_csn: removing 0x7f5c38139c50 20220104182555.949883Z#000000#001#000000
-------------
Looks good to me.

Then I change an ACL in "dn: olcDatabase={2}mdb,cn=config"; that's my main DB for all my objects.

This is the LDIF I use:
---------------
dn: olcDatabase={2}mdb,cn=config
changeType: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=kerberos-adm,dc=example,dc=net" write by * break
---------------
The messages on the LDAP server where I do the modify:
---------------
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=0 BIND dn="cn=admin,cn=config" method=128
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE bind_ssf=0 ssf=0
Jan 04 19:36:13 ldap01 slapd[289]: connection_input: conn=1055 deferring operation: binding
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=0 RESULT tag=97 err=0 qtime=0.000023 etime=0.016252 text=
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=1 MOD dn="olcDatabase={2}mdb,cn=config"
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=1 MOD attr=olcAccess olcAccess
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=1 syncprov_matchops: recording uuid for dn=olcDatabase={2}mdb,cn=config on opc=0x7f57c4001db8
Jan 04 19:36:13 ldap01 slapd[289]: slap_get_csn: conn=1055 op=1 generated new csn=20220104183613.852654Z#000000#001#000000 manage=1
Jan 04 19:36:13 ldap01 slapd[289]: slap_queue_csn: queueing 0x7f57c4119860 20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1047 op=2 syncprov_qresp: set up a new syncres mode=2 csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1046 op=2 syncprov_qresp: set up a new syncres mode=2 csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1045 op=2 syncprov_qresp: set up a new syncres mode=2 csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=1 RESULT tag=103 err=0 qtime=0.000946 etime=0.002456 text=
Jan 04 19:36:13 ldap01 slapd[289]: slap_graduate_commit_csn: removing 0x7f57c4119860 20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1047 op=2 syncprov_sendresp: to=004, cookie=rid=001,sid=001,csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1047 op=2 syncprov_sendresp: sending LDAP_SYNC_MODIFY, dn=olcDatabase={2}mdb,cn=config
Jan 04 19:36:13 ldap01 slapd[289]: conn=1046 op=2 syncprov_sendresp: to=003, cookie=rid=001,sid=001,csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1046 op=2 syncprov_sendresp: sending LDAP_SYNC_MODIFY, dn=olcDatabase={2}mdb,cn=config
Jan 04 19:36:13 ldap01 slapd[289]: conn=1045 op=2 syncprov_sendresp: to=002, cookie=rid=001,sid=001,csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap01 slapd[289]: conn=1045 op=2 syncprov_sendresp: sending LDAP_SYNC_MODIFY, dn=olcDatabase={2}mdb,cn=config
Jan 04 19:36:13 ldap01 ldapmodify[2611]: DIGEST-MD5 common mech free
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 op=2 UNBIND
Jan 04 19:36:13 ldap01 slapd[289]: conn=1055 fd=39 closed
Jan 04 19:36:13 ldap01 slapd[289]: conn=1046 op=3 UNBIND
Jan 04 19:36:13 ldap01 slapd[289]: conn=1046 fd=41 closed
Jan 04 19:36:13 ldap01 slapd[289]: conn=1047 op=3 UNBIND
Jan 04 19:36:13 ldap01 slapd[289]: conn=1047 fd=42 closed
Jan 04 19:36:13 ldap01 slapd[289]: conn=1045 op=3 UNBIND
Jan 04 19:36:13 ldap01 slapd[289]: conn=1045 fd=40 closed
---------------
And here are the messages on all other LDAP servers:
--------------
Jan 04 19:36:13 ldap02 slapd[493]: do_syncrep2: rid=001 cookie=rid=001,sid=001,csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}mdb,cn=config, UUID: 129bc81a-fb42-103b-999a-95e961ed368a
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) csn=20220104183613.852654Z#000000#001#000000 tid 0x7f5c51dcd700
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_search (0)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 olcDatabase={2}mdb,cn=config
Jan 04 19:36:13 ldap02 slapd[493]: slap_queue_csn: queueing 0x7f5c44243640 20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap02 slapd[493]: slap_graduate_commit_csn: removing 0x7f5c44243640 20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_add olcDatabase={2}mdb,cn=config (68)
Jan 04 19:36:13 ldap02 slapd[493]: conn=-1 op=0 syncprov_matchops: recording uuid for dn=olcDatabase={2}mdb,cn=config on opc=0x7f5c44000ce8
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_null_callback : error code 0x35
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify olcDatabase={2}mdb,cn=config (53)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify failed (53)
Jan 04 19:36:13 ldap02 slapd[493]: do_syncrepl: rid=001 rc 53 retrying (2 retries left)
Jan 04 19:36:18 ldap02 slapd[493]: do_syncrep1: rid=001 starting refresh (sending cookie=rid=001,sid=002,csn=20220104182555.949883Z#000000#001#000000;20220104181643.625745Z#000000#002#000000)
Jan 04 19:36:18 ldap02 slapd[493]: do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}mdb,cn=config, UUID: 129bc81a-fb42-103b-999a-95e961ed368a
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) csn=(none) tid 0x7f5c51dcd700
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 be_search (0)
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 olcDatabase={2}mdb,cn=config
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 be_add olcDatabase={2}mdb,cn=config (68)
Jan 04 19:36:18 ldap02 slapd[493]: conn=-1 op=0 syncprov_matchops: recording uuid for dn=olcDatabase={2}mdb,cn=config on opc=0x7f5c44000cb0
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_null_callback : error code 0x35
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify olcDatabase={2}mdb,cn=config (53)
Jan 04 19:36:18 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify failed (53)
Jan 04 19:36:18 ldap02 slapd[493]: do_syncrepl: rid=001 rc 53 retrying (1 retries left)
--------------
Here you see the error 53. So changing "dn: olcDatabase={2}mdb,cn=config" always fails. I can make changes to any other of the dn: entries in cn=config; only the changes in the configuration of the main DB are failing.
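The consumer-side pattern in the log above (be_add returning 68, be_modify returning 53, then `do_syncrepl: ... rc 53 retrying`) is the same one rid=004 shows in the initial report. As an added example that is not part of this bug report and not OpenLDAP code, the POSIX shell function below condenses such slapd log lines into one status line per replication id using only awk, so a consumer that is stuck on a cn=config change it cannot apply is visible without reading the whole log. The sample lines are constructed in the shape of the ldap02 log; the journal unit name in the usage comment and the result-code names (53 = unwillingToPerform, 68 = entryAlreadyExists, per RFC 4511) are mine, not the thread's.

```shell
#!/bin/sh
# Added example: summarise syncrepl consumer results per rid from slapd log lines.
# Usage on a real consumer (unit name taken from comment #10 of this report; adjust):
#   journalctl -u symas-openldap-server --no-pager | syncrepl_failures

syncrepl_failures() {
    awk '
    # Names for the LDAP result codes that occur in this thread (RFC 4511 values).
    function rcname(rc) {
        if (rc == 0)  return "success"
        if (rc == 53) return "unwillingToPerform"
        if (rc == 68) return "entryAlreadyExists"
        return "unknown"
    }
    function num(s) { gsub(/[()]/, "", s); return s + 0 }
    function note(rid) { if (!(rid in seen)) { seen[rid] = 1; order[++n] = rid } }
    {
        for (i = 1; i <= NF; i++) {
            # "syncrepl_entry: rid=NNN be_add|be_modify|be_delete <dn> (rc)" records the
            # backend call; "syncrepl_entry: rid=NNN be_modify failed (rc)" marks the real
            # failure. be_add returning 68 on an existing entry is normal: syncrepl then
            # falls back to be_modify, which is what fails with 53 in this report.
            if ($i == "syncrepl_entry:" && $(i+2) ~ /^be_(add|modify|delete)$/) {
                rid = substr($(i+1), 5); note(rid)
                if ($(i+3) == "failed") {
                    failures[rid]++; last_op[rid] = $(i+2); last_rc[rid] = num($NF)
                } else {
                    dn = $(i+3); for (j = i+4; j < NF; j++) dn = dn " " $j
                    last_dn[rid] = dn; ops[rid]++
                }
                break
            }
            # "do_syncrepl: rid=NNN rc 53 retrying (2 retries left)"
            if ($i == "do_syncrepl:" && $(i+4) == "retrying") {
                rid = substr($(i+1), 5); note(rid)
                retries[rid] = num($(i+5))
                break
            }
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            rid = order[k]
            if (failures[rid] + 0 == 0) {
                printf "rid=%s ok ops=%d\n", rid, ops[rid] + 0
            } else {
                printf "rid=%s failures=%d last_failed_op=%s dn=%s rc=%d(%s) retries_left=%s\n",
                    rid, failures[rid], last_op[rid], last_dn[rid], last_rc[rid],
                    rcname(last_rc[rid]), ((rid in retries) ? retries[rid] : "?")
            }
        }
    }'
}

# Constructed sample in the shape of the ldap02 consumer log from this report (rid=001),
# plus one healthy consumer (rid=002) so the contrast is visible.
sample_log() {
    cat <<'EOF'
Jan 04 19:25:55 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify cn=config (0)
Jan 04 19:36:13 ldap02 slapd[493]: do_syncrep2: rid=001 cookie=rid=001,sid=001,csn=20220104183613.852654Z#000000#001#000000
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_search (0)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 olcDatabase={2}mdb,cn=config
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_add olcDatabase={2}mdb,cn=config (68)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_null_callback : error code 0x35
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify olcDatabase={2}mdb,cn=config (53)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=001 be_modify failed (53)
Jan 04 19:36:13 ldap02 slapd[493]: do_syncrepl: rid=001 rc 53 retrying (2 retries left)
Jan 04 19:36:13 ldap02 slapd[493]: syncrepl_entry: rid=002 be_modify cn=config (0)
EOF
}

sample_log | syncrepl_failures
```

Run on the sample it prints one failing line for rid=001 naming the DN and the result code, and `rid=002 ok ops=1`; on a real consumer the DN column tells you immediately whether the stuck entry is olcDatabase={2}mdb,cn=config as in this report or something else.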
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net ---
On Tue, Jan 04, 2022 at 06:45:27PM +0000, openldap-its@openldap.org wrote:
> See my config of all ldap-servers in cn_config.txt. With this configuration I modify "serverID" in "dn: cn=config" and I see the following messages on the LDAP server where I make the changes:
> Here you see the error 53. So changing "dn: olcDatabase={2}mdb,cn=config" always fails. I can make changes to any other of the dn: entries in cn=config; only the changes in the configuration of the main DB are failing.
It doesn't say why it failed, could you set up accesslog on its config database with olclogsuccess: FALSE and post the failed operation?
Thanks,
--- Comment #6 from stefan@kania-online.de ---
Hi Ondřej,

Before, I did not get you the right information; here are two LDIFs for setting up accesslog on cn=config. Could you take a look whether it's OK? If not, what do I have to change?
Stefan
--- Comment #9 from Ondřej Kuzník ondra@mistotebe.net --- On Wed, Jan 05, 2022 at 02:57:03PM +0000, openldap-its@openldap.org wrote:
before I did not get the right information for you, here are two ldifs for setting up accesslog on cn=config. Could you take a look if it's ok? If not, what do I have to change?
Hi Stefan, that should be fine for the database storing the data, the more important part is actually adding the accesslog overlay to the database in "olcDatabase={0}config,cn=config", making sure it logs failed operations and making the failing change again. I'm interested in an operation that failed to replicate and what it looks like on both servers (where it succeeded and the one it failed on).
Thanks,
--- Comment #10 from stefan@kania-online.de --- I added the access-config-log.ldif to the first ldap-server and the change in the configuration was replicated to all other ldap-servers. Then I did a:
---------
ldapmodify -x -D cn=admin,cn=config -w secret -f /home/ansible/access-log-config-overly.ldif -H ldap://ldap01
---------
to add the overlay and the server crashes:
-----------
Jan 05 17:37:46 ldap01 kernel: slapd[3254]: segfault at 48 ip 00007f7f376e3ad1 sp 00007f572e7fab68 error 4 in libc-2.31.so[7f7f375a9000+14b000]
Jan 05 17:37:46 ldap01 kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f <c5> fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1
Jan 05 17:37:46 ldap01 systemd[1]: symas-openldap-server.service: Main process exited, code=killed, status=11/SEGV
Jan 05 17:37:46 ldap01 systemd[1]: symas-openldap-server.service: Failed with result 'signal'
-----------
After a few seconds the other 3 ldap servers are crashing with the same error.
Trying to restart slapd shows the following error:
-------------
Jan 05 17:44:48 ldap03 systemd[1]: symas-openldap-server.service: Main process exited, code=killed, status=6/ABRT
Jan 05 17:44:48 ldap03 slapd[3170]: slapd: accesslog.c:1603: accesslog_response: Assertion `0' failed.
Jan 05 17:44:48 ldap03 slapd[3170]: syncrepl_entry: rid=004 be_add olcDatabase={2}mdb,cn=config (68)
Jan 05 17:44:48 ldap03 systemd[1]: symas-openldap-server.service: Failed with result 'signal'.
Jan 05 17:44:48 ldap03 slapd[3170]: conn=-1 op=0 accesslog_response: the op had a CSN assigned, if you're replicating the accesslog at (null), you might lose changes
-------------
Either a new bug or I did something wrong in my ldif to add the overlay.
BTW doing the modify to add the overlay is replicated to all ldap servers, that's why all servers crash. I will add the actual configuration in attachment "slapcat-with-overlay.txt"; it's with the overlay configured.
--- Comment #11 from stefan@kania-online.de --- Created attachment 869 --> https://bugs.openldap.org/attachment.cgi?id=869&action=edit configuration with overlay accesslog to cn=config
--- Comment #12 from Ondřej Kuzník ondra@mistotebe.net --- On Wed, Jan 05, 2022 at 04:54:19PM +0000, openldap-its@openldap.org wrote:
I added the access-config-log.ldif to the first ldap-server and the change in the configuration was replicated to all other ldap-servers. Then I did a: [...] Either a new bug or I did something wrong in my ldif to add the overlay.
BTW doing the modify to add the overlay is replicated to all ldap servers, that's why all servers crash. I will add the actual configuration in attachment "slapcat-with-overlay.txt"; it's with the overlay configured.
Hi Stefan, just to make sure you're not hitting ITS#9538 (the only crashes I've seen locally), could you change olcLogOps from 'all' to 'writes'?
If it still crashes for you, can you run it under gdb and provide the output of 'thread apply all backtrace'?
Thanks,
--- Comment #13 from stefan@kania-online.de --- Hi Ondřej,
It worked with "olcLogOps: writes". So here is the result from the accesslog when I try to change an ACL in the configuration of the main DB:
-------------
dn: reqStart=20220107124049.000003Z,cn=configlog
objectClass: auditModify
reqStart: 20220107124049.000003Z
reqEnd: 20220107124049.000004Z
reqType: modify
reqSession: 1
reqAuthzID: cn=admin,cn=config
reqDN: olcDatabase={2}mdb,cn=config
reqMessage:
reqResult: 53
reqMod: objectClass:= olcDatabaseConfig
reqMod: objectClass:= olcMdbConfig
reqMod: olcAccess:- {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
reqMod: olcAccess:+ {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=kerberos-adm,dc=example,dc=net" write by * read
reqMod: entryUUID:= 74b8ed7a-0290-103c-8a96-1feb14c990fb
reqMod: entryCSN:= 20220107124044.203563Z#000000#001#000000
reqMod: modifiersName:= cn=admin,cn=config
reqMod: modifyTimestamp:= 20220107124044Z
reqEntryUUID: 74b7f7bc-0290-103c-9fd6-f16d7542d525
-------------
I hope it will help.
Stefan
--- Comment #14 from Ondřej Kuzník ondra@mistotebe.net --- On Fri, Jan 07, 2022 at 12:48:29PM +0000, openldap-its@openldap.org wrote:
It worked with "olcLogOps: writes". So here is the result from the accesslog when I try to change an ACL in the configuration of the main DB:
reqMod: objectClass:= olcDatabaseConfig reqMod: objectClass:= olcMdbConfig
It is replacing the objectClass which is what I saw might cause this, what is the content of the entry on both hosts? Again, starting from test050 I don't see this behaviour and not sure what it is that makes your environment different.
Thanks,
--- Comment #15 from stefan@kania-online.de --- Here the content of "dn: olcDatabase={2}mdb,cn=config" from ldap01, the server where I made the changes:
-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=kerberos-adm,dc=example,dc=net" write by * read
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------
And here the content of "dn: olcDatabase={2}mdb,cn=config" from one of the other ldap-servers:
-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------
I made a diff on both and only the changed ACL is listed:
-----------------
diff config-ldap01.txt config-ldap02.txt
7,14c7,10
< olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
< l,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=e
< xternal,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=ne
< t" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.ex
< act="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@
< EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="
< uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=k
< erberos-adm,dc=example,dc=net" write by * read
---
> olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
> al,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=ex
> ternal,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net w
> rite by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
-----------------
Again, I'm setting up my four ldap-servers via Ansible.
The first step, after installing the symas-packages (on debian11), is adding the config from file "config.ldif" (see attachment).
The next step is configuring the certificates for TLS via Ansible-tasks with the Ansible module "ldap_attr".
Then create the initial objects on the first ldap-server (ldap01), via Ansible-module ldap_entry.
Then configuring the delta-syncrepl of the main DB via Ansible with "main-db-repl.ldif" (see attachment) on all four servers.
Then configuring the replication of cn=config on all four servers with "repl_config.ldif" (see attachment).
And that's how I set up all the servers with my Ansible-role.
--- Comment #16 from stefan@kania-online.de --- Created attachment 872 --> https://bugs.openldap.org/attachment.cgi?id=872&action=edit ldif for initial setup via slapadd
--- Comment #17 from stefan@kania-online.de --- Created attachment 873 --> https://bugs.openldap.org/attachment.cgi?id=873&action=edit setup for the delta-syncrepl replication of the main DB
--- Comment #18 from stefan@kania-online.de --- Created attachment 874 --> https://bugs.openldap.org/attachment.cgi?id=874&action=edit Setup for the replication of cn=config
--- Comment #19 from Ondřej Kuzník ondra@mistotebe.net --- I can see it's because attr_cmp picks up on the difference between 'olcmdbConfig' and 'olcMdbConfig'. For now you can avoid it by making sure you use the latter everywhere.
--- Comment #20 from stefan@kania-online.de --- FINALLY it's working :-). I hope that's the only attribute that is case sensitive now.
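The diagnosis in comment #19 (attr_cmp sees 'olcmdbConfig' and 'olcMdbConfig' as different values) together with the accesslog record in comment #13 gives a check an administrator can run before the next cn=config change is pushed: dump the accesslog and the config database on the consumer that rejected the change, pull out the failed operations, and compare the objectClass values the replace would install against the values the entry already holds, once byte-wise and once case-insensitively. The block below is an added example; it is not code from this thread, from OpenLDAP or from the reporter's Ansible role. The accesslog and cn=config entries embedded in it are constructed and cut down from the ones posted above, and the byte-wise versus caseIgnore comparison is an assumption about what attr_cmp sees, not a copy of slapd's code.

```python
"""Added example for ITS#9772 (not code from the thread, OpenLDAP or the reporter's
Ansible role): find failed ops in an accesslog dump and explain a case-only objectClass
replace. The byte-wise vs caseIgnore comparison is an assumption about what attr_cmp
sees, not a copy of slapd's code."""
import re

# Constructed accesslog fragment modelled on comment #13, cut down: one failed
# modify (rc 53) and one success; the folded olcAccess:+ value tests unfolding.
ACCESSLOG_SAMPLE = """\
dn: reqStart=20220107124049.000003Z,cn=configlog
objectClass: auditModify
reqDN: olcDatabase={2}mdb,cn=config
reqResult: 53
reqMod: objectClass:= olcDatabaseConfig
reqMod: objectClass:= olcMdbConfig
reqMod: olcAccess:- {0} to * by * break
reqMod: olcAccess:+ {0}to * by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=
 net" write by * read
reqMod: entryCSN:= 20220107124044.203563Z#000000#001#000000

dn: reqStart=20220107124049.000005Z,cn=configlog
reqDN: cn=config
reqResult: 0
reqMod: olcServerID:= 1
"""
# Constructed cn=config entry, as on the server that rejected the modify.
CONFIG_SAMPLE = """\
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
"""
MOD_RE = re.compile(r'^([^:]+):([+=#-])\s?(.*)$')  # slapo-accesslog: attr:<op> value


def parse_ldif(text):
    """Parse LDIF into entries, each an ordered list of (attr, value). A line
    starting with a space continues the previous one (LDIF folding), blank lines
    separate entries, '#' lines are comments; base64 (::) values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        elif not line.startswith('#'):
            attr, _, value = line.partition(':')
            current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def parse_reqmod(mod):
    """Split an accesslog reqMod value into (attribute, op, value)."""
    m = MOD_RE.match(mod)
    if m is None:
        raise ValueError(f'unparseable reqMod: {mod!r}')
    return m.groups()


def failed_ops(accesslog_ldif):
    """Accesslog records with reqResult != 0 (what remains with success logging off)."""
    failed = []
    for entry in parse_ldif(accesslog_ldif):
        attrs = {}
        for attr, value in entry:
            attrs.setdefault(attr, []).append(value)
        result = int(attrs.get('reqResult', ['0'])[0])
        if result != 0:
            failed.append({'dn': attrs['reqDN'][0], 'result': result,
                           'mods': attrs.get('reqMod', [])})
    return failed


def case_only_differences(current, replacement):
    """(old, new) pairs naming the same class in different case: no change under
    objectClass's caseIgnore matching, but a change to a byte-wise comparison."""
    by_lower = {v.lower(): v for v in current}
    return [(by_lower[v.lower()], v) for v in replacement
            if v.lower() in by_lower and by_lower[v.lower()] != v]


def replace_is_noop(current, replacement):
    """True when the replace leaves the class set unchanged under caseIgnore."""
    return {v.lower() for v in current} == {v.lower() for v in replacement}


def diagnose(accesslog_ldif, config_ldif):
    """For each failed modify replacing objectClass on an entry in the config dump,
    report the no-op verdict and the case-only differences."""
    by_dn = {next(v for a, v in e if a.lower() == 'dn'): e
             for e in parse_ldif(config_ldif)}
    findings = []
    for op in failed_ops(accesslog_ldif):
        mods = [parse_reqmod(m) for m in op['mods']]
        new = [v for a, o, v in mods if a.lower() == 'objectclass' and o == '=']
        entry = by_dn.get(op['dn'])
        if entry is None or not new:
            continue
        old = [v for a, v in entry if a.lower() == 'objectclass']
        findings.append({'dn': op['dn'], 'result': op['result'],
                         'noop': replace_is_noop(old, new),
                         'case_only': case_only_differences(old, new)})
    return findings
```

To run it on a real system, feed diagnose() the output of slapcat -b cn=configlog (the suffix the accesslog entry above sits under) and slapcat -n 0 from the server that logged the failure. A finding with noop set and a non-empty case_only list is exactly the situation in this report; until the fix from MR 476 is deployed, the remedy is the one from comment #19: spell olcMdbConfig the same way in every LDIF that touches the entry.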
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |CONFIRMED
Ever confirmed|0 |1
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|CONFIRMED |IN_PROGRESS
--- Comment #21 from Quanah Gibson-Mount quanah@openldap.org --- https://git.openldap.org/openldap/openldap/-/merge_requests/476
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|IN_PROGRESS |RESOLVED
--- Comment #22 from Quanah Gibson-Mount quanah@openldap.org ---
head:
• 2443e986 by Ondřej Kuzník at 2022-01-18T05:12:53+00:00 ITS#9772 Allow objectClass edits that don't actually change them
re26:
• 4c33ce65 by Ondřej Kuzník at 2022-01-18T23:02:55+00:00 ITS#9772 Allow objectClass edits that don't actually change them
re25:
• 57c3bd5d by Ondřej Kuzník at 2022-01-18T23:04:09+00:00 ITS#9772 Allow objectClass edits that don't actually change them
Quanah Gibson-Mount quanah@openldap.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED