Pierangelo,
I offered to post my configuration in my initial post. No one accepted my offer. Since you are now asking for it, I will gladly post it below.
Two, thanks for the hint about editing passwords, I can assure you that all confidential data posted below will have been tainted *somehow*.
I should also point out that today I made a change to my infrastructure that I hope will help the situation. Since I've noticed that most of the DIT discrepancies were limited to the standard Consumer boxes, and not the Providers, I have decided to do away entirely with the standard Consumers. We now have six (6) virtually identically configured Providers, which all replicate with the other five (5) respective hybrid Consumer/Providers. Essentially a six-member multimaster mesh, all of whom can contact all of the other members perfectly via both LDAP and LDAPS.
Here is a slapd.conf from ONE of the SIX members:
#####
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/samba.schema
include /usr/share/doc/libpam-ldap/ldapns.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/uber.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
tool-threads 4

loglevel none

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm.la
moduleload back_monitor.la
moduleload syncprov
moduleload accesslog

serverID 100 ldaps://10.64.100.100:636/
serverID 107 ldaps://10.64.100.107:636/
serverID 108 ldaps://10.64.100.108:636/
serverID 811 ldaps://10.9.8.11:636/
serverID 812 ldaps://10.9.8.12:636/
serverID 814 ldaps://10.9.8.14:636/

TLSCertificateFile /etc/ldap/ssl/wildcard.site.example.com.crt
TLSCertificateKeyFile /etc/ldap/ssl/wildcard.site.example.com.key
TLSCACertificateFile /etc/ssl/certs/ca.cert

disallow bind_anon
sizelimit unlimited
timelimit unlimited

security tls=0

access to dn.subtree="cn=Subschema"
    by users read
    by * none stop

access to dn.base=""
    by users read
    by * none stop

defaultSearchBase dc=real,dc=example,dc=com

sasl-realm SITE.EXAMPLE.COM
sasl-host ds.site.example.com
#sasl-secprops minssf=0
authz-regexp "uid=(.*),cn=SITE.EXAMPLE.COM,cn=gssapi,cn=auth"
    "uid=$1,cn=plain,cn=auth,dc=site,dc=example,dc=com"
authz-regexp "gidNumber=\\0+uidNumber=\ \0,cn=peercred,cn=external,cn=auth"
    "uid=writer,cn=plain,cn=auth,dc=real,dc=example,dc=com"

backend hdb

########### Monitoring Database - For slapd/hdb performance data
database monitor
rootdn uid=monitor,cn=monitor
rootpw {SSHA}encrypted-hash
access to dn.subtree="cn=monitor"
    by group/groupOfUniqueNames/uniqueMember="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" read
    by dn.exact="uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com" read

########### example.Log
database hdb
suffix cn=log
rootdn "uid=log,cn=log"
rootpw {SSHA}encrypted-hash
directory /var/lib/ldap/log
index reqStart,objectClass,entryCSN,reqResult eq
dbconfig set_cachesize 0 2097152 0
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
access to dn.subtree="cn=log"
    by group/groupOfUniqueNames/uniqueMember="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" read
    by dn.base="uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com" read
    by dn.base="uid=log,cn=log" read

########### example.real
database hdb
cachesize 10000
idlcachesize 30000
suffix "dc=real,dc=example,dc=com"
checksum
checkpoint 100 10
cachefree 20
rootdn "uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com"
rootpw {SSHA}encrypted-hash
monitoring on
directory "/var/lib/ldap/real"
dncachesize 100000
dbconfig set_cachesize 1 0 2
dbconfig set_lg_max 10485760
dbconfig set_flags db_log_autoremove
dbconfig set_lg_bsize 2097152
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,structuralObjectClass eq
index entryCSN,entryUUID eq
index cn,uid,memberUid eq

syncrepl rid=001
    provider=ldaps://10.64.100.100:636/
    bindmethod=simple
    binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
    credentials=syncreplpass
    scope=sub
    filter="(objectClass=*)"
    schemachecking=off
    searchbase="dc=real,dc=example,dc=com"
    retry="120 +"
    sizelimit=unlimited
    timeout=1
    type=refreshAndPersist
syncrepl rid=002
    provider=ldaps://10.64.100.107:636/
    bindmethod=simple
    binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
    credentials=syncreplpass
    scope=sub
    filter="(objectClass=*)"
    schemachecking=off
    searchbase="dc=real,dc=example,dc=com"
    retry="120 +"
    sizelimit=unlimited
    timeout=1
    type=refreshAndPersist
syncrepl rid=003
    provider=ldaps://10.64.100.108:636/
    bindmethod=simple
    binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
    credentials=syncreplpass
    scope=sub
    filter="(objectClass=*)"
    schemachecking=off
    searchbase="dc=real,dc=example,dc=com"
    retry="120 +"
    sizelimit=unlimited
    timeout=1
    type=refreshAndPersist
syncrepl rid=004
    provider=ldaps://10.9.8.14:636/
    bindmethod=simple
    binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
    credentials=syncreplpass
    scope=sub
    filter="(objectClass=*)"
    schemachecking=off
    searchbase="dc=real,dc=example,dc=com"
    retry="120 +"
    sizelimit=unlimited
    timeout=1
    type=refreshAndPersist
syncrepl rid=005
    provider=ldaps://10.9.8.11:636/
    bindmethod=simple
    binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
    credentials=syncreplpass
    scope=sub
    filter="(objectClass=*)"
    schemachecking=off
    searchbase="dc=real,dc=example,dc=com"
    retry="120 +"
    sizelimit=unlimited
    timeout=1
    type=refreshAndPersist
mirrormode true
overlay syncprov
syncprov-reloadhint TRUE
#syncprov-checkpoint 10 5
syncprov-sessionlog 5000
overlay accesslog
logdb cn=log
logops writes
logpurge 7+00:00 2+00:00
logsuccess TRUE

include /etc/ldap/acls
include /etc/ldap/relays
####
Thanks again
Jeff
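Editor's note: the post above describes a six-node mirrormode mesh whose members were showing DIT discrepancies. The usual first check for that is whether every provider holds the same contextCSN for every serverID; a missing SID means a member has never received a change from that server, and an older CSN for a SID means it has fallen behind. The script below is an added example (not Jeff's code, and not part of the OpenLDAP project) that parses the LDIF printed by `ldapsearch -LLL -s base -b "dc=real,dc=example,dc=com" contextCSN` on each provider and reports gaps and lag. The serverID-to-address map is taken from the serverID lines of the posted slapd.conf; the contextCSN values are constructed here purely to exercise the check and are not output from the poster's servers.

```python
"""Compare contextCSN across mirrormode providers (added example)."""
import re
from collections import defaultdict

# serverID -> provider address, from the serverID lines of the posted slapd.conf
SERVER_IDS = {
    100: "10.64.100.100", 107: "10.64.100.107", 108: "10.64.100.108",
    811: "10.9.8.11", 812: "10.9.8.12", 814: "10.9.8.14",
}

# A CSN looks like 20240301120000.000000Z#000000#064#000000:
# timestamp # change count # serverID as 3 hex digits # modifier number
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def sid_hex(server_id: int) -> str:
    """Map the decimal serverID written in slapd.conf to the 3-hex-digit SID used inside a CSN."""
    return format(server_id, "03x")


def parse_contextcsn(ldif: str) -> dict:
    """Return {sid: csn} from the LDIF of a base-scope search for contextCSN."""
    result = {}
    for line in ldif.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        csn = line.split(":", 1)[1].strip()
        m = CSN_RE.match(csn)
        if not m:
            raise ValueError(f"unexpected contextCSN syntax: {csn!r}")
        sid = m.group(3)
        # fixed-width fields make plain string comparison order CSNs of one SID correctly
        if sid not in result or csn > result[sid]:
            result[sid] = csn
    return result


def check_convergence(per_provider: dict, expected_sids) -> dict:
    """Compare every provider's contextCSN set against the newest value seen anywhere.

    per_provider: {provider address: {sid: csn}} as returned by parse_contextcsn.
    Returns {"missing": {provider: [sid, ...]},
             "stale": {provider: {sid: (csn seen there, newest csn seen anywhere)}}}.
    """
    newest = {}
    for csns in per_provider.values():
        for sid, csn in csns.items():
            if sid not in newest or csn > newest[sid]:
                newest[sid] = csn
    missing = {}
    stale = defaultdict(dict)
    for provider, csns in per_provider.items():
        lacking = sorted(s for s in expected_sids if s not in csns)
        if lacking:
            missing[provider] = lacking
        for sid, csn in csns.items():
            if csn < newest[sid]:
                stale[provider][sid] = (csn, newest[sid])
    return {"missing": missing, "stale": dict(stale)}


# ---- constructed sample input: made up here, not output from the poster's servers ----
CONVERGED = [
    "20240301120000.000000Z#000000#064#000000",
    "20240301115959.000000Z#000000#06b#000000",
    "20240301115958.000000Z#000000#06c#000000",
    "20240301115957.000000Z#000000#32b#000000",
    "20240301115956.000000Z#000000#32c#000000",
    "20240301115955.000000Z#000000#32e#000000",
]


def sample_ldif(csns) -> str:
    """Build the LDIF a base-scope contextCSN search on the suffix would print."""
    return "dn: dc=real,dc=example,dc=com\n" + "".join(f"contextCSN: {c}\n" for c in csns)


def constructed_sample() -> dict:
    ldif = {addr: sample_ldif(CONVERGED) for addr in SERVER_IDS.values()}
    # 10.9.8.12 has never received a change from serverID 814 (SID 32e)
    ldif["10.9.8.12"] = sample_ldif(CONVERGED[:-1])
    # 10.9.8.14 is an hour behind on changes from serverID 100 (SID 064)
    ldif["10.9.8.14"] = sample_ldif(
        ["20240301110000.000000Z#000000#064#000000"] + CONVERGED[1:])
    return ldif


def run_check() -> dict:
    parsed = {addr: parse_contextcsn(text) for addr, text in constructed_sample().items()}
    return check_convergence(parsed, [sid_hex(s) for s in SERVER_IDS])


if __name__ == "__main__":
    report = run_check()
    for provider, sids in report["missing"].items():
        print(f"{provider}: never received changes from SID(s) {', '.join(sids)}")
    for provider, entries in report["stale"].items():
        for sid, (seen, latest) in entries.items():
            print(f"{provider}: SID {sid} at {seen}, newest seen elsewhere {latest}")
```

In use, replace `constructed_sample()` with the real LDIF fetched from each of the six addresses and run it from cron; a SID that stays stale on one member across several runs points at the syncrepl consumer for that provider (the matching `rid=` stanza) rather than at the data itself.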