Hi;
I've finally decided to make the move to syncrepl after much delay and procrastination. I've read the guide and also reviewed several howtos on the topic... It still isn't running correctly for me because it doesn't replicate a few new users I've added to the provider. Also I'm seeing the following issue over and over (every time it tries a sync on my 10m interval):
#########
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
#########
My setup is RHEL4 with Buchan's RPMs (openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple setup, one provider and one consumer.
Here is my provider config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to * by dn.exact="cn=Replicator,dc=swa,dc=com" read by self read by * none break
limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited
access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break
access to attrs=userPassword by self write by * auth
pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem
loglevel 256
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-master/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 1 10
syncprov-sessionlog 100
serverid 001
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
######################
Here is my consumer config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break
access to attrs=userPassword by self write by * auth
pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid
argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args
modulepath /usr/lib/openldap2.3
moduleload ppolicy.la
moduleload syncprov.la
TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem
loglevel sync
database bdb
suffix "dc=swa,dc=com"
rootdn "cn=Manager,dc=swa,dc=com"
rootpw {SSHA}YADYADAYADA
directory /cluster/agis-ldap/ldap-slave/var/lib/ldap
overlay ppolicy
ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com"
ppolicy_use_lockout
cachesize 100000
idlcachesize 100000
checkpoint 256 5
index objectClass eq
index ou,cn,mail,givenname eq,subinitial
index uidNumber,gidNumber,memberUid,loginShell eq
index uid eq,subinitial
index uniqueMember pres
index entryCSN,entryUUID eq
syncrepl rid=001
        provider=ldap://ldap-agis01.mascorp.com
        type=refreshOnly
        interval=00:00:10:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        binddn="cn=Replicator,dc=swa,dc=com"
        bindmethod=simple
        credentials=yadayadayada
        schemachecking=off
updateref ldap://ldap-agis01.mascorp.com/
######################
Any help would be much appreciated!
Thanks!!
Rafael
On Monday, 29 March 2010 21:30:20 L.B. wrote:
Hi;
I've finally decided to make the move to syncrepl after much delay and procrastination. I've read the guide and also reviewed several howtos on the topic... It still isn't running correctly for me because it doesn't replicate a few new users I've added to the provider. Also I'm seeing the following issue over and over (every time it tries a sync on my 10m interval):
This normally indicates that the consumer didn't get the final control, usually because it didn't have sufficient (size/time) access to get the full search results.
#########
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
#########
My setup is RHEL4 with Buchan's RPMs (openldap2.3-servers-2.3.39-3.rhel4, etc.).
2.3.43 has been available for a long time ...
I have a fairly simple setup, one provider and one consumer.
Here is my provider config:
######################
include /usr/share/openldap2.3/schema/core.schema
include /usr/share/openldap2.3/schema/cosine.schema
include /usr/share/openldap2.3/schema/inetorgperson.schema
include /usr/share/openldap2.3/schema/nis.schema
include /usr/share/openldap2.3/schema/misc.schema
include /usr/share/openldap2.3/schema/corba.schema
include /usr/share/openldap2.3/schema/openldap.schema
include /usr/share/openldap2.3/schema/ppolicy.schema
include /usr/share/openldap2.3/schema/ldapns.schema
access to * by dn.exact="cn=Replicator,dc=swa,dc=com" read by self read by * none break
limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited
The intention in my limits example is that you would create a groupOfNames for cn=Replicator, and add additional host-specific DNs to this groupOfNames object. But, it seems you have only one cn=Replicator non-group entry, changed the ACL appropriately, but not the limits statement.
[...]
syncrepl rid=001
        provider=ldap://ldap-agis01.mascorp.com
        type=refreshOnly
        interval=00:00:10:00
        retry="60 10 300 +"
        searchbase="dc=swa,dc=com"
        filter="(objectClass=*)"
        binddn="cn=Replicator,dc=swa,dc=com"
        bindmethod=simple
        credentials=yadayadayada
        schemachecking=off
updateref ldap://ldap-agis01.mascorp.com/
Assuming you have more than 500 entries, if you do a search as this syncrepl binddn, with the rest of the search parameters based on the syncrepl configuration, do you get all entries, or a "Size limit exceeded"?
Regards, Buchan
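Buchan's reading of the log above (a present-phase delete followed in the same refresh cycle by a re-add of the very same entry, repeating every interval) can be checked mechanically against a consumer's loglevel sync output. This is an added example, not code from the thread or from OpenLDAP; the log lines are constructed to mirror the ones posted (DNs shortened), and it assumes the slapd 2.3 message format shown in this thread.

```python
import re

# Constructed consumer log (loglevel sync), modelled on the thread's output:
# cycle 1 deletes and re-adds the same DN, cycle 2 is a normal refresh.
SAMPLE_LOG = """\
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,dc=swa,dc=com (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,dc=swa,dc=com
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0)
Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0)
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 cn=users,ou=groups,dc=swa,dc=com
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_modify (0)
Mar 5 20:35:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
"""
SYNC_LINE = re.compile(r"slapd\S*\[\d+\]: (\w+): rid (\d+) (.*)$")

def refresh_cycle_churn(log_text):
    """One (rid, dns) tuple per completed refreshOnly cycle; dns are entries that
    syncrepl_del_nonpresent deleted and the same cycle then re-added.  The same
    DN churning every cycle means the consumer did not receive the complete
    present list (typically a size/time limit on the replication bind DN),
    not that the entry really changed on the provider."""
    cycles, open_cycles = [], {}
    for line in log_text.splitlines():
        m = SYNC_LINE.search(line)
        if not m:
            continue
        func, rid, rest = m.groups()
        if func == "do_syncrep2" and "SYNC_ID_SET" in rest:
            open_cycles[rid] = {"deleted": set(), "added": set(), "pending": None}
            continue
        cyc = open_cycles.get(rid)
        if cyc is None:
            continue
        if func == "syncrepl_del_nonpresent" and rest.startswith("be_delete "):
            cyc["deleted"].add(rest[len("be_delete "):].rsplit(" (", 1)[0])
        elif func == "syncrepl_entry":
            if rest.startswith("be_add") and cyc["pending"]:
                cyc["added"].add(cyc["pending"])
            elif not rest.startswith(("be_", "LDAP_")):
                cyc["pending"] = rest.strip()  # the DN line precedes be_add/be_modify
        elif func == "do_syncrep2" and "LDAP_RES_SEARCH_RESULT" in rest:
            cycles.append((rid, sorted(cyc["deleted"] & cyc["added"])))
            del open_cycles[rid]
    return cycles
```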
Hi Buchan - I updated the limits statement to the following:
limits dn.exact="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited
and now it appears to be working as expected!
On a side note, I never received a "Size limit exceeded" using the same parameters from the syncrepl configuration (I'm under 500 entries).
Thanks!
Rafael
Below is the new output after a synchronization:
May 20 22:16:06 admin-agis01 last message repeated 3 times
May 20 22:16:48 admin-agis01 slapd2.3[32501]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_del_nonpresent: rid 001 be_delete uid=dyrnaesd,ou=Software Applications,dc=swa,dc=com (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_search (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 cn=users,ou=groups,dc=swa,dc=com
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_modify (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_search (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 cn=swa,ou=groups,dc=swa,dc=com
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_modify (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_search (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 uid=barreror,ou=Software Applications,dc=swa,dc=com
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_modify (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_search (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com
May 20 22:16:48 admin-agis01 slapd2.3[32501]: syncrepl_entry: rid 001 be_modify (0)
May 20 22:16:48 admin-agis01 slapd2.3[32501]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
May 20 22:17:23 admin-agis01 slapd2.3[32501]: <= bdb_equality_candidates: (uniqueMember) not indexed
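The fix in this thread came down to one line: the provider's limits statement used a group= selector although cn=Replicator was a plain entry, not a groupOfNames, so the replication bind never received unlimited size/time limits. As an added example (not code from the thread or from OpenLDAP), the following offline check pulls the binddn from a consumer's syncrepl directive and classifies how the provider's limits lines cover it; the config fragments are constructed from the ones posted above, and a group= selector is reported as needing a membership check because that cannot be decided from slapd.conf alone.

```python
import shlex

# Constructed slapd.conf fragments modelled on this thread (not verbatim copies).
CONSUMER_CONF = ('syncrepl rid=001 provider=ldap://ldap-agis01.mascorp.com type=refreshOnly '
                 'searchbase="dc=swa,dc=com" binddn="cn=Replicator,dc=swa,dc=com" '
                 'bindmethod=simple credentials=yadayadayada\n')
PROVIDER_BEFORE = 'limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited\n'
PROVIDER_AFTER = 'limits dn.exact="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited\n'

def syncrepl_binddn(consumer_conf):
    """Return the binddn of the consumer's syncrepl directive (slapd.conf syntax)."""
    for line in consumer_conf.splitlines():
        if line.lstrip().startswith("syncrepl"):
            for tok in shlex.split(line)[1:]:
                if tok.startswith("binddn="):
                    return tok[len("binddn="):]
    return None

def check_replicator_limits(provider_conf, binddn):
    """Classify how the provider's 'limits' lines cover the replication bind DN.
    Only dn.exact= and group= selectors are interpreted; other dn styles are
    reported as unevaluated.  A refreshOnly consumer needs size=unlimited and
    time=unlimited here, or it never receives the complete present list."""
    report = {"binddn": binddn, "status": "missing", "notes": []}
    for line in provider_conf.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "limits":
            continue
        selector, limits = toks[1], toks[2:]
        unlimited = {"size=unlimited", "time=unlimited"} <= set(limits)
        if selector == "dn.exact=" + binddn:
            report["status"] = "ok" if unlimited else "limited"
            if not unlimited:
                report["notes"].append("bind DN matched but lacks size=unlimited time=unlimited")
            return report
        if selector.startswith("group"):
            group_dn = selector.split("=", 1)[1]
            report["status"] = "group-membership-unverified"
            if group_dn == binddn:
                report["notes"].append("group= names the bind DN itself; unless that entry is a "
                                       "groupOfNames listing itself as a member, the limits never apply")
            else:
                report["notes"].append(f"confirm {binddn} is a member of {group_dn}")
        elif selector.startswith("dn"):
            report["notes"].append(f"selector {selector!r} not evaluated by this check")
    return report
```

Buchan's ldapsearch test (binding as the syncrepl binddn with the syncrepl search parameters) remains the authoritative check, since it exercises the limits the running server actually applies.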
On Mar 30, 2010, at 4:10 AM, Buchan Milne wrote:
openldap-software@openldap.org