Dear OpenLDAP Administrators,
Not sure if you get time to look into this issue yet.
This issue only happens when power-off/power cut-off one of the mirror servers, and could be probably prevented by “sending heart beat” to verify the established connections.
Thanks for your time looking at this email thread and your effort :)
Thanks,
Eric
________________________________
From: owner-qdlcp-security(a)LIST.ALCATEL-LUCENT.COM [mailto:owner-qdlcp-security@LIST.ALCATEL-LUCENT.COM] On Behalf Of ZHOU Eric JP
Sent: 2012年1月4日 15:56
To: openldap-bugs(a)openldap.org; info(a)OpenLDAP.org; openldap-technical(a)openldap.org; openldap-devel(a)openldap.org
Cc: qdlcp-security(a)list.alcatel-lucent.com; ANTHONY Michael; HO Yao; VAN RANGELROOIJ Ardo
Subject: OpenLDAP replciation issue with MirrorMode
Dear OpenLDAP Administrators,
Recently we come across an OpenLDAP replication issue with OpenLDAP Mirror Mode.
After configuring MIRROR-A and MIRROR-B in mirror mode with below configuration, it worked pretty well for a long period.
But an issue comes up after MIRROR-A reboot, MIRROR-B could not get modification from MIRROR-A any more.
After investigating the issue we find the original socket on MIRROR-B (consumer) is not reconnected.
====================================
## MIRROR-A ----------------------------------------------------------------------
## ----------------------------------------------------------------------
serverID 1
## Consumer
syncrepl rid=001
provider=ldap://10.207.131.1:389
bindmethod=simple
binddn="uid=PrivDirUsr,o=CSOSSO"
credentials=mypassword
searchbase="o=CSOSSO"
schemachecking=on
type=refreshAndPersist
interval=00:00:01:00
retry="10 +"
mirrormode on
## MIRROR-A ----------------------------------------------------------------------
## ----------------------------------------------------------------------
serverID 2
## Consumer
syncrepl rid=001
provider=ldap://10.207.130.1:389
bindmethod=simple
binddn="uid=PrivDirUsr,o=CSOSSO"
credentials=mypassword
searchbase="o=CSOSSO"
schemachecking=on
type=refreshAndPersist
interval=00:00:01:00
retry="10 +"
mirrormode on
Below is the socket information after MIRROR-A reboot,
====================================
## MIRROR-A ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 16842 root 14u IPv4 36160 TCP ln007-cnfg-p00m000-d0:51114->10.207.131.1:ldap (ESTABLISHED)
## MIRROR-B ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 4825 root 14u IPv4 168497 TCP ln007-cnfg-p00m001-d0:52239->10.207.131.0:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m001-d0:ldap->10.207.130.0:51114 (ESTABLISHED)
Normally it should be,
## MIRROR-A ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 16842 root 14u IPv4 36160 TCP ln007-cnfg-p00m000-d0:51114->10.207.131.1:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m000-d0:ldap->10.207.130.1: 52239 (ESTABLISHED) // This link is missing
## MIRROR-B ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 4825 root 14u IPv4 168497 TCP ln007-cnfg-p00m001-d0:52239->10.207.131.0:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m001-d0:ldap->10.207.130.0:51114 (ESTABLISHED)
I would greatly apreicate if you could provide some suggestions/comments upon this or improve OpenLDAP functionality to avoid this.
For me I think this is normal TCP server down scenario, but probably you people could prohibit this from happening in below two methods?
1. Let OpenLDAP send mutual heart beat so that client knows when server is dead.
2. Let OpenLDAP send message to all its client when it is dying (e.g. receiving SIGTERM) // this does not work when MIRROR-A power cycle.
Sincerely,
Eric Zhou Jianping
P please save a tree by not printing this e-mail.
________________________________
To unsubscribe: qdlcp-security-unsubscribe-request(a)list.alcatel-lucent.com<mailto:qdlcp-security-unsubscribe-request@list.alcatel-lucent.com>