Need help syncing with syncrepl 2.3
by L.B.
Hi;
I've finally decided to make the move to syncrepl after much delay and
procrastination. I've read the guide and also reviewed several howtos
on the topic. It still isn't running correctly for me because it
doesn't replicate a few new users I've added to the provider. Also I'm
seeing the following issue over and over (every time it tries a sync
on my 10m interval):
#########
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
#########
My setup is RHEL4 with Buchan's RPMs
(openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple
setup, one provider and one consumer.
Here is my provider config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
        by dn.exact="cn=Replicator,dc=swa,dc=com" read
        by self read
        by * none break
limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited
access to *
        by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read
        by self read
        by * none break
access to attrs=userPassword
        by self write
        by * auth
pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
loglevel 256
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-master/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 1 10
syncprov-sessionlog 100
serverid 001
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
######################
Here is my consumer config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to *
        by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read
        by self read
        by * none break
access to attrs=userPassword
        by self write
        by * auth
pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
loglevel sync
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-slave/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
syncrepl rid=001
        provider=ldap://ldap-agis01.mascorp.com
        type=refreshOnly
        interval=00:00:10:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        binddn="cn=Replicator,dc=swa,dc=com"
        bindmethod=simple
        credentials=yadayadayada
        schemachecking=off
updateref ldap://ldap-agis01.mascorp.com/
######################
Any help would be much appreciated!
Thanks!!
Rafael
13 years, 4 months
syncrepl_del_nonpresent and syncrepl issues.
by Jorgen Lundman
openldap-2.3.41
db-4.2.52.NC-PLUS_5_PATCHES
Solaris 10 x86
Layout:
ldapmaster <-syncrepl-> ldapslave01/02/03/04 <-syncrepl-> data-clusters.
It has come to light that we have some sync inconsistencies. At the moment, a
customer domain shows correct entries on ldapmaster, ldapslave02,
ldapslave04 (and all servers syncing from them), but has incorrect, or rather
missing, entries on ldapslave01 and ldapslave03.
There are no differences between these hosts (they are in fact HDD clones) and
config files are pushed from git, with only RID changed.
These are the logs on ldapslave03 for one of the broken entries (in this case, ou=DNS). I
have loglevel=sync on all servers:
slaplog.20100407.gz:Mar 3 12:27:12 ldapslave03.unix slapd[27355]: [ID 561622 local4.debug] syncrepl_del_nonpresent: rid 329 be_delete DNSHostName=(a),DNSZoneName=example.com,ou=dns,$DC (66)
slaplog.20100407.gz:Mar 3 12:27:12 ldapslave03.unix slapd[27355]: [ID 561622 local4.debug] syncrepl_del_nonpresent: rid 329 be_delete DNSZoneName=example.com,ou=dns,$DC (66)
What is "syncrepl_del_nonpresent"? Is it something I should be worried about? If
I count the number of entries with said error:
ldapslave02: 42
ldapslave03: 7240
Which makes me wonder if it is a global problem for us, but is exaggerated on
some servers.
I notice that the provisioning log for that customer's domain has about 24
"+dns" and "-dns" entries in a row. Not entirely sure why the customer was
changing their DNS back and forth so much, but perhaps it is related.
Can it be that a "delete/create/delete" sequence of the same DN, sent to master,
but which has not yet been pushed out to all slaves, may trigger this situation?
Surely all replication is in strict time sequence though.
Is there anything I can do presently?
Any advice is most appreciated.
Lund
--
Jorgen Lundman | <lundman(a)lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
13 years, 4 months
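An added example (not from either poster): a small Python parser for the `loglevel sync` lines quoted in this post and in the "Need help syncing with syncrepl 2.3" post above. It tallies `syncrepl_del_nonpresent` deletes per rid, names non-zero result codes (66 is notAllowedOnNonLeaf, the code in the Solaris log), and flags DNs that the same refresh deleted and then re-added, which is the churn the first post's log shows. The sample lines are constructed in the shape of the quoted logs, with example.com in place of the real suffixes.

```python
import re
from collections import defaultdict

# Patterns for the tail of slapd "loglevel sync" lines. The syslog prefix (and the
# Solaris "[ID 561622 local4.debug]" tag) is deliberately left unmatched.
DEL_RE = re.compile(r"syncrepl_del_nonpresent: rid (\d+) be_delete (.+) \((\d+)\)\s*$")
DN_RE = re.compile(r"syncrepl_entry: rid (\d+) ([A-Za-z]+=.+?)\s*$")
ADD_RE = re.compile(r"syncrepl_entry: rid (\d+) be_add \((\d+)\)\s*$")

# LDAP result codes seen after be_delete/be_add; 66 is the one in the Solaris log.
RC_NAMES = {0: "success", 32: "noSuchObject", 66: "notAllowedOnNonLeaf", 68: "entryAlreadyExists"}


def analyze_sync_log(lines):
    """Return nonpresent-delete counts per rid, deletes that failed (non-zero rc),
    and DNs that the same refresh deleted and then re-added (delete/add churn)."""
    deletes = defaultdict(int)
    failed = []
    readded = []
    deleted_dns = defaultdict(set)  # rid -> DNs removed so far in this refresh
    current_dn = {}                 # rid -> DN of the entry currently being applied
    for line in lines:
        m = DEL_RE.search(line)
        if m:
            rid, dn, rc = m.group(1), m.group(2), int(m.group(3))
            deletes[rid] += 1
            if rc == 0:
                deleted_dns[rid].add(dn)
            else:
                failed.append((rid, dn, rc, RC_NAMES.get(rc, "unknown")))
            continue
        m = DN_RE.search(line)
        if m:
            current_dn[m.group(1)] = m.group(2)
            continue
        m = ADD_RE.search(line)
        if m and int(m.group(2)) == 0:
            dn = current_dn.get(m.group(1))
            if dn in deleted_dns[m.group(1)]:
                readded.append(dn)
    return {"deletes": dict(deletes), "failed": failed, "readded": readded}


# Constructed sample lines in the shape of the two logs quoted above (not real data).
SAMPLE = [
    "Mar 5 20:25:19 host slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,dc=example,dc=com (0)",
    "Mar 5 20:25:19 host slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)",
    "Mar 5 20:25:19 host slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,dc=example,dc=com",
    "Mar 5 20:25:19 host slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)",
    "Mar 3 12:27:12 slave03 slapd[27355]: [ID 561622 local4.debug] syncrepl_del_nonpresent: rid 329 be_delete DNSZoneName=example.com,ou=dns,dc=example,dc=com (66)",
]
```

Run `analyze_sync_log` over a whole day's sync log per consumer and compare the per-rid delete counts across replicas; a replica whose count is orders of magnitude higher than its siblings (as ldapslave03 is here) is the one to reload from the provider first.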
too many open files
by Hugo Monteiro
Hello list,
Although the subject suggests a fairly known issue, I cannot seem to
understand the cause.
The log file presents
Apr 22 12:57:36 proxyldap1 slapd[1511]: warning: cannot open /etc/hosts.allow: Too many open files
Apr 22 12:57:36 proxyldap1 slapd[1511]: warning: cannot open /etc/hosts.deny: Too many open files
but
proxyldap1:~# cat /proc/sys/fs/file-max
100000
proxyldap1:~# cat /proc/sys/fs/file-nr
1088 0 100000
proxyldap1:~# lsof -p `pidof slapd`| wc -l
460
proxyldap1:~# su -c "ulimit -n" openldap
8192
slapd is version 2.4.17-2 (Debian Unstable) and is running on a xen vm,
using 64bit kernel 2.6.26-2-xen-amd64 in a Debian Lenny system.
Have I overlooked any aspect?
Thank you in advance,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
13 years, 4 months
authz-regexp and invalid filters
by David Hawes
When using a search-based mapping for an authentication DN to a user's
DN, certain characters, namely '(' and ')', will cause the mapping to
fail. In order for the mapping to succeed, the characters need to be
properly escaped so they pass str2filter().
Is there any reason that special characters used in authz-regexp filters
should not be escaped when using search-based mappings?
I am testing this with 2.4.21.
13 years, 4 months
Seg faults with 2.4.22
by Michael Ströder
Hi!
I'm experiencing occasional seg faults with 2.4.22 while 2.4.21 worked without
issues on the very same system (self-compiled BDB, SASL, OpenLDAP on RHEL 5
with separate prefix) with the very same configuration. I can't provide a
stack trace since data on this system is private.
I suspect that something's wrong with slapo-allowed and deactivated it. Have
to observe that a little bit more since the problems seem not to be
deterministic. Were some API changes done in 2.4.22 which are not propagated
to slapo-allowed?
Ciao, Michael.
13 years, 4 months
Re: Exception handling!!!
by Pratima Shet
Ya, the application is multi-threaded, but only one thread will handle all LDAP related operations.
I am linking to "libldap" not "libldap_r".
Crash happened only once. Am unable to reproduce it. So, I don't have much information regarding the
line in the library where it crashed exactly.
Handle was not NULL, but it was corrupted.
Is there any way to check whether an LDAP handle is proper or valid apart from a NULL check?
Regards,
Pratima
13 years, 4 months
working with Collect overlay (Openldap 2.4.17)
by Payasito Payasito
Hello,
I'm following the slapo-collect man page but I must be
missing something.
For this database the collectinfo directive is pointing
to "uid=template1,dc=test,dc=tld" dn and the "description"
attribute as the collective one.
database bdb
suffix "dc=test,dc=tld"
checkpoint 1024 5
cachesize 10000
rootdn "cn=root,dc=test,dc=tld"
rootpw secret
directory /var/lib/ldap-tests
index objectClass eq
access to * by * write
overlay collect
collectinfo "uid=template1,dc=test,dc=tld" description
However, a search doesn't return the collect attribute for
the result entries under "ou=people,dc=test,dc=tld".
Does anyone know how to resolve this problem?
# ldapsearch -b "dc=test,dc=tld" -D "cn=root,dc=test,dc=tld" -w secret -LLL
dn: dc=test,dc=tld
objectClass: dcObject
objectClass: organization
dc: test
o: edu
dn: ou=people,dc=test,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: people
dn: uid=a01,ou=people,dc=test,dc=tld
objectClass: top
objectClass: account
uid: a01
dn: uid=a02,ou=people,dc=test,dc=tld
objectClass: top
objectClass: account
uid: a02
dn: uid=a03,ou=people,dc=test,dc=tld
objectClass: top
objectClass: account
uid: a03
dn: uid=template1,dc=test,dc=tld
objectClass: top
objectClass: account
uid: template1
description: The quick brown fox jumps over the lazy dog
13 years, 4 months
N-way multimaster replication problem
by Néher Márton
Hi,
I have just set up openldap on two nodes (alpha, beta). I am using openldap
for a passdb backend for samba.
I followed this guide:
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
To a point, everything seems to work just fine, the cn=config replication
works both ways.
After deleting everything from my base, I run smbldap-populate on the node
alpha.
It creates the default users and groups pretty fine, but it failed to replicate
to node beta.
The log entries show this on alpha:
http://pastebin.com/Ykhvq4BY
On the other node, the log shows this on beta:
http://pastebin.com/KNwgHQDW
My configuration looks the following:
cn=config:
http://pastebin.com/mT5A4K5i
olcDatabase={0}config,cn=config:
http://pastebin.com/kwBNEaeV
olcDatabase={0}hdb,cn=config:
http://pastebin.com/FsPaKK90
I have the olcOverlay={0}syncprov,olcDatabase={0}config,cn=config and
olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config set to olcOverlay:
{0}syncprov
I have nothing in slapd.conf
Do you know where to search for this problem? What other logs should I attach to
figure it out?
Have a nice day,
Best Regards,
Marton, Neher
13 years, 4 months
ACL to deny deletes but allow entry creation.
by Aravind Gottipati
Hi,
I am working on an application where we want to grant an admin account
the privileges to create new entries, but prevent any further changes
(or deletes) to the entry by the admin account. I have looked through
the docs and the FAQs for this, and I am pretty sure that this is not
possible. The simile folks relate this to is the ability to grant
insert privileges to an account in MySQL, but restrict selects,
updates, etc. Before I tell the developers that this is not possible,
I wanted to check with you folks first. Have any of you encountered
similar situations? How do others deal with cases like this?
Thanks in advance,
Aravind.
13 years, 5 months
"Bad search filter"?
by Luis Neves
Hello,
Can someone confirm this error please?
Try to make an ldapsearch against any attribute on an LDAP directory with this filter please:
'Cart\xC3\xA3o'
I am getting "bad search filter" because of the '\x'. But I need this search working to be able to query an X.509 Certificate field.
mod_authz_ldap is giving errors because of this.
Regards,
Luis
13 years, 5 months
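An added example serving this post and the earlier "authz-regexp and invalid filters" post (an illustration written here, not slapd's or mod_authz_ldap's code): RFC 4515 escaping of a filter assertion value in Python. It turns the bytes C3 A3 of "Cartão" into `\c3\a3`, the form a filter parser accepts, rather than the C-style `\xC3\xA3` that produces "bad search filter", and escapes `(`, `)`, `*` and `\`. `authz_search_filter` is a hypothetical helper showing what an authz-regexp search-based mapping would produce if the captured value were escaped before substitution into the filter.

```python
import re

# Bytes RFC 4515 requires to be escaped inside an assertion value (plus NUL).
_MUST_ESCAPE = frozenset(b"*()\\\x00")


def escape_filter_value(value):
    """Escape one assertion value for an LDAP search filter per RFC 4515.
    str is UTF-8 encoded first; bytes outside printable ASCII come out as \\XX
    hex, so "Cartão" becomes "Cart\\c3\\a3o" (not the C-style "\\xC3\\xA3")."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    out = []
    for b in value:
        if b in _MUST_ESCAPE or b < 0x20 or b >= 0x7F:
            out.append("\\%02x" % b)  # two lowercase hex digits, as RFC 4515 allows
        else:
            out.append(chr(b))
    return "".join(out)


def authz_search_filter(authc_dn, pattern, filter_template):
    """Hypothetical stand-in for an authz-regexp search-based mapping (not slapd's
    code): match the authentication DN against pattern and substitute each
    capture group ($1, $2, ...) into the filter template as an escaped value.
    Returns None when the DN does not match."""
    m = re.fullmatch(pattern, authc_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d+)",
                  lambda ref: escape_filter_value(m.group(int(ref.group(1)))),
                  filter_template)
```

With the authentication DN `uid=jo(e),cn=digest-md5,cn=auth` and the template `(uid=$1)`, the helper yields `(uid=jo\28e\29)`; without escaping the parentheses would be parsed as filter syntax and str2filter() would reject the filter.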