Hi openldap Gurus,
I'm sorry for the long post, but I try to give as much details as possible.
We are having serious issues with syncrepl replication and our 3 openldap servers. These issues first occurred when one of the servers was upgraded to openldap 2.4.11 while the two others were (and still are) openldap-servers-2.3.39 and openldap-servers-2.3.30.
My main goal in writing this email is to make sure our 3-servers architecture is supported and to check if my setup is correct.
Just to let you know, the issues we've found so far include: * having the openldap 2.3.x servers unable to restart (with a crash report) [seems to be due to several contextCSN on the openlda2.4 server database] * sometimes the subtree obtained from the openldap2.4 by syncrepl processes in openldap2.3 servers disapears (by reading the log, with loglevel 16384,it seems that the NON PRESENT phase of the LdapSync protocol decides that entries are no more in the openldap2.4 provider [though they are still present]).
Since I have a doubt about our replication structure which uses syncrepl and subordinate databases, I wonder if it is really supported by these versions of openldap. I would really appreciate if someone could have a look at this and say if the following scenario is supported:
------------------------
AllServers have the following DIT:
dc=mycompany,dc=edu | |-dc=A,dc=mycompany,dc=edu | |-dc=B,dc=mycompany,dc=com | |-dc=B,dc=mycompany,dc=com
Each server replicates 2 subtrees from {dc=A, dc=B, dc=C} and is the provider for the remaining one.
Server A has the following setup: ================================= * a section used to glue the subordinate "dc=B,dc=mycompany,dc=com" subtree, with content replicated from the ldap.B.supelec.fr * section used to glue the subordinate "dc=C,dc=mycompany,dc=com" subtree, with content replicated from the ldap.C.supelec.fr * section having the root suffix "dc=mycompany,dc=com" and managing its own subtree dc=A,dc=mycompany,dc=com
The configuration file looks like:
* First section is used to get data from the B server, and set it in the dc=B,dc=mycompany,dc=com glued subtree (using subordinate keyword) database bdb suffix "dc=B,dc=mycompany,dc=com" rootdn "cn=mgr,dc=mycompany,dc=com" subordinate
directory /openldap/openldap-data-B
syncrepl rid=125 provider=ldaps://ldap.B.supelec.fr type=refreshOnly interval=00:00:03:00 retry="60 10 300 +" searchbase="dc=B,dc=mycompany,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="cn=replicator,dc=mycompany,dc=com" credentials="password"
* Second section is used to get data from the C server, and set it in the dc=C,dc=mycompany,dc=com glued subtree (using subordinate keyword) database bdb suffix "dc=C,dc=mycompany,dc=com" rootdn "cn=mgr,dc=mycompany,dc=com" subordinate
directory /openldap/openldap-data-C
syncrepl rid=120 provider=ldaps://ldap.C.supelec.fr type=refreshOnly interval=00:00:03:00 retry="60 10 300 +" searchbase="dc=C,dc=mycompany,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="cn=replicator,dc=mycompany,dc=com" credentials="password"
* Third section is used to define data from the A server, it has a root suffix of "dc=mycompany,dc=com" and owns his own subtree dc=A,dc=mycompany,dc=com database bdb suffix "dc=mycompany,dc=com" rootdn "cn=mgr,dc=mycompany,dc=com" rootpw THEPASS
directory /openldap/openldap-data-A overlay syncprov syncprov-checkpoint 100 10
Server B has the symetric setup: ================================= * section used to glue the subordinate "dc=C,dc=mycompany,dc=com" subtree, with content replicated from the ldap.C.supelec.fr * section used to glue the subordinate "dc=A,dc=mycompany,dc=com" subtree, with content replicated from the ldap.A.supelec.fr * section having the root suffix "dc=mycompany,dc=com" and managing its own subtree dc=B,dc=mycompany,dc=com
Server C has the symetric setup: ================================= * section used to glue the subordinate "dc=B,dc=mycompany,dc=com" subtree, with content replicated from the ldap.B.supelec.fr * section used to glue the subordinate "dc=A,dc=mycompany,dc=com" subtree, with content replicated from the ldap.A.supelec.fr * section having the root suffix "dc=mycompany,dc=com" and managing its own subtree dc=C,dc=mycompany,dc=com
------------------------
Do you think this structure is supported by these versions of openldap?
Though not explicitely described in the "Upgrading from 2.3.x" section of the Administrator guide, I've read in the slapd.conf manpage (openldap2.4) that the "serverID" new parameter is required when using "separate masters contributing to a glued set of databases." which, I think, is a correct description of our structure. Thus I added a "serverID 20" parameter to the openldap2.4 server's configuration.
Am I right in using serverID for our setup?
Adding this parameter had a side effect though: we end up having two contextCSN cookies on the openldap2.4 database suffix entry. We managed to get rid of these by: * extracting the database content with "slapcat -g", * deleting contextCSN and entryCSN lines form the file, * then purging the bdb files and importing with 'slapadd -g -l'.
Do you think this is a correct procedure to restart from scratch our openldap2.4 server ?
I thank you in advance for any information and advice you could give me in order to get back to a working configuration.
Regards, Thibault
--On Wednesday, September 10, 2008 6:12 PM +0200 Thibault Le Meur Thibault.LeMeur@supelec.fr wrote:
Hi openldap Gurus,
I'm sorry for the long post, but I try to give as much details as possible.
We are having serious issues with syncrepl replication and our 3 openldap servers. These issues first occurred when one of the servers was upgraded to openldap 2.4.11 while the two others were (and still are) openldap-servers-2.3.39 and openldap-servers-2.3.30.
I suggest examining the changelog for OpenLDAP 2.3, in particular the number of syncrepl related bugs since 2.3.30.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Hi Quanah,
I thank you for your answer.
Quanah Gibson-Mount a écrit :
--On Wednesday, September 10, 2008 6:12 PM +0200 Thibault Le Meur Thibault.LeMeur@supelec.fr wrote:
We are having serious issues with syncrepl replication and our 3 openldap servers. These issues first occurred when one of the servers was upgraded to openldap 2.4.11 while the two others were (and still are) openldap-servers-2.3.39 and openldap-servers-2.3.30.
I suggest examining the changelog for OpenLDAP 2.3, in particular the number of syncrepl related bugs since 2.3.30.
To be honest I've already read this changelog: It is true that the list of syncrepl/syncprov fixes is rather long and that a full upgrade to 2.4 is certainly recommended. Though, such an upgrade is not always easy to do in a production environment: we have to prepare it carefully. Moreover, I'm not always able to understand the implications of each fix. That's why I sent this email to the list with the aim to verify that our structure is supported (at least by openldap 2.4).
Regards, Thibault
Thibault Le Meur wrote:
Hi Quanah,
I thank you for your answer.
Quanah Gibson-Mount a écrit :
--On Wednesday, September 10, 2008 6:12 PM +0200 Thibault Le Meur Thibault.LeMeur@supelec.fr wrote:
We are having serious issues with syncrepl replication and our 3 openldap servers. These issues first occurred when one of the servers was upgraded to openldap 2.4.11 while the two others were (and still are) openldap-servers-2.3.39 and openldap-servers-2.3.30.
I suggest examining the changelog for OpenLDAP 2.3, in particular the number of syncrepl related bugs since 2.3.30.
To be honest I've already read this changelog: It is true that the list of syncrepl/syncprov fixes is rather long and that a full upgrade to 2.4 is certainly recommended. Though, such an upgrade is not always easy to do in a production environment: we have to prepare it carefully. Moreover, I'm not always able to understand the implications of each fix. That's why I sent this email to the list with the aim to verify that our structure is supported (at least by openldap 2.4).
Can you not use your test environment and replicate the setup?
openldap-software@openldap.org