Need help syncing with syncrepl 2.3
by L.B.
Hi;
I've finally decided to make the move to syncrepl after much delay and
procrastination. I've read the guide and also reviewed several howtos
on the topic... It still isn't running correctly for me because it
doesn't replicate a few new users I've added to the provider. Also I'm
seeing the following issue over and over (every time it tries a sync
on my 10m interval):
#########
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
#########
My setup is RHEL4 with Buchan's RPMs
(openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple
setup, one provider and one consumer.
Here is my provider config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
        by dn.exact="cn=Replicator,dc=swa,dc=com" read
        by self read
        by * none break
limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited
access to *
        by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read
        by self read
        by * none break
access to attrs=userPassword
        by self write
        by * auth
pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
loglevel 256
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-master/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 1 10
syncprov-sessionlog 100
serverid 001
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
######################
Here is my consumer config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
        by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read
        by self read
        by * none break
access to attrs=userPassword
        by self write
        by * auth
pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
loglevel sync
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-slave/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
syncrepl rid=001
        provider=ldap://ldap-agis01.mascorp.com
        type=refreshOnly
        interval=00:00:10:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        binddn="cn=Replicator,dc=swa,dc=com"
        bindmethod=simple
        credentials=yadayadayada
        schemachecking=off
updateref ldap://ldap-agis01.mascorp.com/
######################
Any help would be much appreciated!
Thanks!!
Rafael
13 years, 4 months
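A diagnostic script added here as an example; it is not part of Rafael's post or of the OpenLDAP distribution. It compares the contextCSN of provider and consumer and, for a DN that shows the delete-then-add pair in the log above, compares the entryUUID held on each side. The URIs and the password are placeholders; the suffix and the replication DN are taken from the posted configuration, and ldapsearch is assumed to be on the path.

```shell
#!/bin/sh
# Added example, not from the original post: compare replication state between
# a syncrepl provider and its consumer. URIs and password are placeholders;
# suffix and bind DN are the ones from the posted config.
PROVIDER="ldap://provider.example.invalid"       # placeholder
CONSUMER="ldap://consumer.example.invalid"       # placeholder
BASE="dc=swa,dc=com"
BINDDN="cn=Replicator,dc=swa,dc=com"             # the consumer's replication identity
BINDPW="placeholder-password"                    # placeholder

# extract_attr ATTR : read LDIF on stdin, unfold continuation lines (a leading
# space continues the previous line) and print every value of ATTR.
extract_attr() {
    awk -v attr="$1" '
        function emit(line) {
            if (index(line, attr ": ") == 1) print substr(line, length(attr) + 3)
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }'
}

# fetch_attr URI DN ATTR : base-scope search for one (operational) attribute,
# bound as the replication identity so the same ACLs apply as during a refresh.
fetch_attr() {
    ldapsearch -LLL -x -H "$1" -D "$BINDDN" -w "$BINDPW" -s base -b "$2" "$3" \
        | extract_attr "$3"
}

# csn_state PROVIDER_CSN CONSUMER_CSN : prints in-sync, behind or ahead. A CSN
# starts with a UTC timestamp, so with a single provider they compare as strings.
csn_state() {
    if [ "$1" = "$2" ]; then
        echo in-sync
    elif [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$2" ]; then
        echo behind          # consumer CSN sorts first: it is older than the provider's
    else
        echo ahead
    fi
}

# check_replication : fetch contextCSN from both sides and report the state
check_replication() {
    prov_csn=$(fetch_attr "$PROVIDER" "$BASE" contextCSN)
    cons_csn=$(fetch_attr "$CONSUMER" "$BASE" contextCSN)
    printf 'provider contextCSN: %s\nconsumer contextCSN: %s\nstate: %s\n' \
        "$prov_csn" "$cons_csn" "$(csn_state "$prov_csn" "$cons_csn")"
}

# compare_uuid DN : the present phase of a refresh tells the consumer which
# entryUUIDs the provider holds; a consumer entry whose entryUUID is not among
# them is deleted (syncrepl_del_nonpresent) and the provider's copy is added
# afterwards. That pair repeating every refresh is a reason to compare UUIDs.
compare_uuid() {
    p=$(fetch_attr "$PROVIDER" "$1" entryUUID)
    c=$(fetch_attr "$CONSUMER" "$1" entryUUID)
    if [ "$p" = "$c" ]; then
        echo "entryUUID match for $1: $p"
    else
        echo "entryUUID MISMATCH for $1: provider=$p consumer=$c"
        return 1
    fi
}

case "${1:-}" in
    status) check_replication ;;
    uuid)   compare_uuid "$2" ;;
esac
```

Run it as `sh check_sync.sh status` or `sh check_sync.sh uuid uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com`. A consumer entry with a different entryUUID than the provider's copy (for example one loaded from an LDIF that lacked operational attributes) is one way to get the delete/add pair on every refresh.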
Slave connecting to master always stays connected?
by Mathew Rowley
I have a setup with 2 masters (n-way multimaster) and 4 slaves, each having
syncrepl set up to connect to the 2 masters. The question I have: with the
following configuration (on the slaves), should they always be connected to
the masters? Netstat is showing that the connections are intermittent:
type=refreshAndPersist retry="60 +"
Netstat on the masters shows that the connections from the slaves will vary,
sometimes 0, sometimes 4; it seems to be somewhat random. We are trying to
determine if there is something wrong in our network. Thanks for the help.
MAT
13 years, 5 months
Re: slow slave performance
by Quanah Gibson-Mount
--On Monday, March 29, 2010 11:41 AM -0700 Jefferson Davis
<jdavis(a)standard.k12.ca.us> wrote:
>
> not quite the answer I was hoping for...
>
> However, I will look for more updated repos - this 2.2 is the latest
> and greatest for rhel/centos 4.8...
>
> While I'm not averse to compiling source, it's generally simpler to
> maintain via package mgt than patching/compiling, etc...
>
> and wholesale upgrade of server os is not an option I want to look at
> right now.
>
> In the meantime... nothing I can do w/2.2?
You can try basic tuning (via DB_CONFIG for Berkeley DB) and the cachesize.
But some of the options for tuning available in later releases are not
valid for 2.2.
For running a production LDAP service, I nearly always recommend building and
maintaining it yourself.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
13 years, 6 months
Syncrepl losing synchronization
by Massimo Lusetti
Hi all,
I have 6 servers which all synchronize with the syncrepl mechanism from
a single master.
Of those six servers, one is the master and 2 are locally connected servers;
every server is 2.4, plus there are 3 remotely connected servers which
are all 2.3.
By locally connected I mean LAN (maybe different DMZ), while by remotely
connected I mean WAN (with data over the relatively slow link).
It happens frequently that the remote servers lose synchronization
with the master (no more updates to data) when/if the link goes down,
or even when the link is slower than usual.
The locally connected servers are all refreshAndPersist while the
remote ones are refreshOnly.
Every replica has a retry of "60 +" so it tries indefinitely, and the
refreshOnly ones have an interval of 45.
Do you have any clues why it should lose synchronization, and why the
only possible solution is to rebuild the whole DIT on the replicas?
Cheers
--
Massimo
13 years, 6 months
architecture and DIT change strategy
by Guillaume Rousse
Hello.
I'm trying to find the best way to conduct a significant change in our
data model and server topology, with the least service disruption.
Before the reorganisation, we were a single entity, split across three
different sites. As a consequence, we had a single database for all our
users and groups:
dc=new,dc=foo,dc=tld
|-users
| |-site1
| |-site2
| |-site3
|-groups
  |-site1
  |-site2
  |-site3
The master server is hosted on one site, and we have slave servers on
three sites.
After the reorganisation, we are three different entities, and I'd like
to break the tree into three different databases, each site hosting a
server acting as the master for its own base and a slave for the two others:
dc=site1,dc=foo,dc=tld
|-users
|-groups
dc=site2,dc=foo,dc=tld
|-users
|-groups
dc=site3,dc=foo,dc=tld
|-users
|-groups
The change also involves dropping the last part of the original suffix,
which is no longer relevant.
I'm currently investigating the use of slapo-rwm to provide virtual views
of the current database according to the new structure, so as to
progressively migrate application configurations first, then write an
automated conversion tool, and finally convert the virtual bases to new
ones. But maybe there are better strategies?
--
BOFH excuse #193:
Did you pay the new Support Fee?
13 years, 6 months
Re: built-in objectClasses and attributes
by Michael Ströder
Please stay on the mailing list.
Itay Moav wrote:
> yes - only the hard-coded ones (as I figured out where to find and read the
> schema files that come with the installation :-) )
Do not include schema files and start slapd with all the overlays you need.
Then look at the subschema subentry.
Ciao, Michael.
13 years, 6 months
Re: slow slave performance
by Michael Ströder
Jefferson Davis wrote:
>
> I know I need to remove the rpm packages before I install the new stuff.
Not necessarily. You could leave all the RPM-based stuff depending on libldap
and compile the server software to a completely separate prefix.
Ciao, Michael.
13 years, 6 months
Re: Replication problems.
by Steve Button
On 26 March 2010 17:41, Steve Button <steve(a)pointers-uk.net> wrote:
> On 26 March 2010 14:57, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
>
>> --On Friday, March 26, 2010 8:39 AM +0000 Steve Button <
>> steve(a)pointers-uk.net> wrote:
>>
>>> I'm checking this by comparing the date stamp in the contextCSN. Have
>>> Any suggestions?
>>>
>> Which release?
>>
>> --Quanah
>>
> The release is 2.3
>
>>
>>
I have just found the problem (well a colleague has actually - thanks Sam).
My original config had :-
type refreshOnly
interval 00:00:05:00
and it needed to be :-
type=refreshOnly
interval=00:00:05:00
Fixed these and replication is working fine using 2.3. At least so far
anyway. I'm using the version which comes with RedHat 5.3, which shows as
2.3.43-3.
Steve
--
http://ournaturalway.co.uk
13 years, 6 months
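A small lint added here as an example (not from the thread or the OpenLDAP project): it reads a slapd.conf, gathers each syncrepl directive together with its indented continuation lines, and prints every argument that is not written as key=value, which is exactly the mistake the post above describes. The two sample configurations inside the script are constructed to mirror the before and after shown in the post; host names in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): flag syncrepl arguments in a slapd.conf
# that are not written as key=value. Sample configs below are constructed.

# lint_syncrepl [FILE] : read slapd.conf (stdin when FILE is omitted), join each
# syncrepl directive with its continuation lines (lines starting with
# whitespace), and print every argument that lacks a "key=" prefix.
lint_syncrepl() {
    awk '
        function rid_of(dir) {
            return match(dir, /rid=[0-9]+/) ? substr(dir, RSTART + 4, RLENGTH - 4) : "?"
        }
        function check(dir,    n, i, tok) {
            gsub(/"[^"]*"/, "\"\"", dir)      # blank quoted values so their spaces do not split tokens
            sub(/[ \t]+$/, "", dir)           # drop trailing whitespace
            n = split(dir, tok, /[ \t]+/)     # tok[1] is the keyword itself
            for (i = 2; i <= n; i++)
                if (tok[i] !~ /^[A-Za-z_-]+=/)
                    printf "syncrepl rid=%s: \"%s\" is not key=value\n", rid_of(dir), tok[i]
        }
        /^[ \t]/ { if (collecting) cur = cur " " $0; next }   # continuation line
        { if (collecting) { check(cur); collecting = 0 } }    # any other line ends the directive
        /^syncrepl([ \t]|$)/ { cur = $0; collecting = 1 }
        END { if (collecting) check(cur) }
    ' "${1:--}"
}

# sample_broken_config : constructed fragment written the way the post's
# original config was (no "=" on type and interval)
sample_broken_config() {
    cat <<'EOF'
database bdb
suffix "dc=swa,dc=com"
syncrepl rid=001
        provider=ldap://provider.example.invalid
        type refreshOnly
        interval 00:00:05:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        bindmethod=simple
        binddn="cn=Replicator,dc=swa,dc=com"
        credentials=placeholder
updateref ldap://provider.example.invalid/
EOF
}

# sample_fixed_config : the same fragment with the two arguments corrected
sample_fixed_config() {
    cat <<'EOF'
database bdb
suffix "dc=swa,dc=com"
syncrepl rid=001
        provider=ldap://provider.example.invalid
        type=refreshOnly
        interval=00:00:05:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        bindmethod=simple
        binddn="cn=Replicator,dc=swa,dc=com"
        credentials=placeholder
updateref ldap://provider.example.invalid/
EOF
}

# Usage: sh lint_syncrepl.sh /path/to/slapd.conf
if [ -n "${1:-}" ]; then
    lint_syncrepl "$1"
fi
```

On the broken sample the lint reports four tokens (`type`, `refreshOnly`, `interval`, `00:00:05:00`); on the fixed one it prints nothing. slapd itself accepts the broken form without complaint, which is why the symptom in the thread was silent non-replication rather than a startup error.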
Re: kerberized OpenLDAP
by Guillaume Rousse
On 29/03/2010 10:26, Wolf-Agathon Schaly wrote:
> If I leave the LDAP server listening on the TCP address of localhost (127.0.0.1) declips is cool.
> If I change the entry in /etc/openldap/ldap.conf from
> URI=ldap://127.0.0.1/
> to
> URI=ldap://10.1.1.1/
> I'm facing the same issue (gss_accept_sec_context) as on levante.
>
>
> Is there somebody out there who can lead me to a solution.
It seems like a name canonicalisation error to me, as you have a
multihomed setup, and the result varies with the IP address you're using.
You have to ensure the principal used in the LDAP server keytab (its SPN)
matches both the one used by clients when they ask for a service ticket (DNS
hostname for the IP address used in their /etc/openldap/ldap.conf files),
and the one used by the server itself (by default, the one returned by
gethostname(), otherwise the one specified with the sasl_hostname directive
in its configuration file).
You may also check in the KDC logs which principals are requested by
clients.
--
BOFH excuse #11:
magnetic interference from money/credit cards
13 years, 6 months
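A check script added here as an example, not from the thread or from any Kerberos or OpenLDAP project: it derives the SPN a client will request from the URI in its ldap.conf (reverse-resolving an IP literal, which is what libldap does by default before GSSAPI), and verifies that principal is present in the server keytab as listed by klist -k. Realm, keytab path and host names are placeholders; getent and klist are assumed to be available on the host where it runs.

```shell
#!/bin/sh
# Added example (not from the thread): does the keytab hold the SPN that
# clients of a given LDAP URI will ask the KDC for? Placeholders below.
REALM="EXAMPLE.INVALID"          # placeholder Kerberos realm
KEYTAB="/etc/krb5.keytab"        # placeholder keytab path

# uri_host URI : print the host part of an ldap:// or ldaps:// URI
# (hostnames and IPv4 literals; bracketed IPv6 literals are not handled)
uri_host() {
    h="${1#*://}"        # drop the scheme
    h="${h%%/*}"         # drop anything from the first slash on
    h="${h%%:*}"         # drop a :port suffix
    printf '%s\n' "$h"
}

# is_ipv4 HOST : succeed when HOST is a dotted-quad literal
is_ipv4() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # anything other than digits and dots
        *.*.*.*)   return 0 ;;
        *)         return 1 ;;
    esac
}

# canonical_name HOST : the name the client ends up putting in the SPN. For an
# IP literal libldap reverse-resolves the address (getent hosts prints the PTR
# name); a hostname is used as given. Lower-cased, trailing dot removed.
canonical_name() {
    if is_ipv4 "$1"; then
        name=$(getent hosts "$1" | awk '{ print $2; exit }')
    else
        name="$1"
    fi
    printf '%s\n' "${name%.}" | tr 'A-Z' 'a-z'
}

# parse_klist : read `klist -k` output on stdin, print one principal per line.
# Data rows start with a numeric KVNO and end with the principal (contains @).
parse_klist() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ { print $NF }' | sort -u
}

# keytab_principals [KEYTAB] : principals in the keytab (defaults to $KEYTAB)
keytab_principals() {
    klist -k "${1:-$KEYTAB}" | parse_klist
}

# spn_present PRINCIPAL LIST : succeed if PRINCIPAL is one line of LIST
spn_present() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# check_spn URI [KEYTAB] : report whether the SPN a client of URI will request
# exists in the keytab; non-zero exit on a mismatch
check_spn() {
    name=$(canonical_name "$(uri_host "$1")")
    want="ldap/${name}@${REALM}"
    if spn_present "$want" "$(keytab_principals "${2:-}")"; then
        echo "OK: $want is in the keytab"
    else
        echo "MISSING: clients using $1 will request $want, not found in keytab"
        return 1
    fi
}

# Usage: sh check_spn.sh ldap://10.1.1.1/ [/path/to/keytab]
if [ -n "${1:-}" ]; then
    check_spn "$1" "${2:-}"
fi
```

Running it once per URI that appears in the clients' ldap.conf files (the 127.0.0.1 and 10.1.1.1 cases from the quoted message) shows whether both names resolve to a principal the keytab actually contains; the server-side name (gethostname() or the configured SASL host) can be compared against the same list.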