The problem is CentOS + OpenLDAP. They don't compile their OpenLDAP packages with overlay support, so nothing will work the way you want it. Trust me, the same thing happened to me and caused hours of hair-pulling aggravation. On top of that, mirror mode isn't supported in OpenLDAP 2.3. You'll have to use a third-party repository with OpenLDAP 2.4 if you expect it to work with CentOS.

http://blog.zrmt.com/2007/10/18/rhel5-openldap/

Follow the instructions there on how to set up OpenLDAP using a third-party repo. Also note that to install OpenLDAP 2.4 (which you need), run those yum install commands with '2.4' appended, i.e.: yum install openldap2.4-servers openldap2.4-clients. Trust me, you MUST use these packages if you expect anything to work, and I can honestly say the quality of these packages is much better than what CentOS has to offer.
Tyler
On Fri, 27 Mar 2009 10:36:02 -0700 Jonas Haskins jhaskins@adready.com wrote:
Hello friends, I've been trying to set up Mirror Mode replication, using the openldap.org docs and others from googling.. and am having some interesting results. I am new to this, so this has been an enlightening experience to say the least, but perhaps someone on the list might be able to answer a few questions; that would be awesome...
I have 2 nodes, and want to get mirror mode running for high availability .. and will add samba to auth ( later )
Basically it seems that mirror mode is sort of working.. I can see the syncRep talking back and forth .. However .. I cannot write to either node once replication is running.
The example below is me trying to add a user account:
The error is (phpldapadmin reports):
LDAP said: Server is unwilling to perform
Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM)
Description: The LDAP server refused to perform the operation.
The log file reports in detail:
Mar 26 13:14:38 ldap01 slapd[1433]: >>> dnPrettyNormal: <cn=joepreston,dc=foobar,dc=com>
Mar 26 13:14:38 ldap01 slapd[1433]: <<< dnPrettyNormal: <cn=joepreston,dc=foobar,dc=com>, <cn=joepreston,dc=foobar,dc=com>
Mar 26 13:14:38 ldap01 slapd[1433]: do_add: dn (cn=joepreston,dc=foobar,dc=com)
Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 ADD dn="cn=joepreston,dc=foobar,dc=com"
Mar 26 13:14:38 ldap01 slapd[1433]: bdb_dn2entry("cn=joepreston,dc=foobar,dc=com")
Mar 26 13:14:38 ldap01 slapd[1433]: => bdb_dn2id("cn=joepreston,dc=foobar,dc=com")
Mar 26 13:14:38 ldap01 slapd[1433]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Mar 26 13:14:38 ldap01 slapd[1433]: bdb_referrals: op=104 target="cn=joepreston,dc=foobar,dc=com" matched="dc=foobar,dc=com"
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: conn=14 op=1 p=3
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: err=53 matched="" text="shadow context; no update referral"
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_response: msgid=2 tag=105 err=53
Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 RESULT tag=105 err=53 text=shadow context; no update referral
Mar 26 13:14:38 ldap01 slapd[1433]: daemon: activity on 1 descriptor
Ma
So: text="shadow context; no update referral"
Using mirrormode, I should be able to write to the db, correct?
Initially, I used ldapadd to add my ldif files on node 1 ( with syncRep commented out ), then used slapcat/slapadd to populate the db on node 2, then uncommented syncRep on both nodes and restarted both.. ( this was because I was trying to troubleshoot the DB_NOTFOUND error above ... the result was it still errored ) however, it seems the text=shadow context; no update referral may be the real issue.
Am I missing something in these configs in regards to mirrormode?
Logs seem to indicate syncRep is talking, and access is allowed, but no write, and if I ldapadd to node 1 ( with Rep commented out ) then uncomment and restart both ( so node 1 has data but node2 does not ), I can see syncRep talking, but node2 never picks up the changes.
OK whew, sorry about all of that.. any ideas?
Using:
openldap-2.3.27
CentOS 5.2 2.6.18-92.el5 64
db-4.7.25
smbldap-tools-0.9.5-1
I was going to upgrade to the latest, but there are a ton of deps, so I thought I'd ask first..
many many thanks!
node1: slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/samba.schema

loglevel -1

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_ldbm.la
moduleload back_passwd.la
moduleload back_shell.la

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem

access to *
        by dn.base="cn=Manager,dc=foobar,dc=com" read
        by * break

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=foobar,dc=com"
rootdn "cn=Manager,dc=foobar,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX

directory /var/lib/ldap

index objectclass,entryCSN,entryUUID eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index memberUid,mail,givenname eq,subinitial

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Global section
serverID 1
# database section

# syncrepl directive
syncrepl rid=001
        provider=ldap://ldap02.hq.foobar.com
        bindmethod=simple
        binddn="cn=Manager,dc=foobar,dc=com"
        credentials=morefoo
        searchbase="dc=foobar,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"

mirrormode on
node2: slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/samba.schema

loglevel -1

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_ldbm.la
moduleload back_passwd.la
moduleload back_shell.la

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem

access to *
        by dn.base="cn=Manager,dc=foobar,dc=com" read
        by * break

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=foobar,dc=com"
rootdn "cn=Manager,dc=foobar,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX

directory /var/lib/ldap

index objectclass,entryCSN,entryUUID eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index memberUid,mail,givenname eq,subinitial

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Global section
serverID 2
# database section

# syncrepl directive
syncrepl rid=001
        provider=ldap://ldap01.hq.foobar.com
        bindmethod=simple
        binddn="cn=Manager,dc=foobar,dc=com"
        credentials=morefoo
        searchbase="dc=foobar,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"

mirrormode on
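A small pre-flight check for the two slapd.conf files quoted above, added here as an example and not code from either poster or from the OpenLDAP project: it parses a slapd.conf (honouring the indented continuation lines the syncrepl block uses), reports mirror-mode prerequisites that are missing or misplaced (serverID is documented as a global option, yet both files put it after the database directive), and confirms from a slapd -VV banner that the build is 2.4 or newer, which Tyler's reply names as the hard requirement. The sample config excerpt and banner strings are constructed for the example.

```python
import re
# Constructed excerpt modelled on the node1 slapd.conf quoted in the thread (not
# the poster's file verbatim); as in the original, serverID follows 'database'.
NODE1_CONF = """\
database bdb
overlay syncprov
# Global section
serverID 1
syncrepl rid=001
  provider=ldap://ldap02.hq.foobar.com
mirrormode on
"""

def parse_slapd_conf(text):
    """Return [(section, keyword, args)]; section is 'global' until the first
    'database' directive.  Indented lines continue the previous directive."""
    out, section = [], "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:  # continuation of the previous directive
            s, k, a = out[-1]
            out[-1] = (s, k, a + " " + raw.strip())
            continue
        keyword, _, args = raw.strip().partition(" ")
        if keyword.lower() == "database":
            section = args.strip()
        out.append((section, keyword.lower(), args.strip()))
    return out

def check_mirrormode(conf):
    """Return the mirror-mode problems found in one slapd.conf; [] means clean."""
    d, problems = parse_slapd_conf(conf), []
    sids = [s for s, k, _ in d if k == "serverid"]
    if not sids or sids[0] != "global":
        problems.append("serverID missing or placed after 'database' (it is a global option)")
    for db in sorted({s for s, _, _ in d if s != "global"}):
        kws = {k for s, k, _ in d if s == db}
        overlays = {a for s, k, a in d if s == db and k == "overlay"}
        if "mirrormode" in kws and "syncrepl" not in kws:
            problems.append(f"{db}: mirrormode without a syncrepl directive")
        if "mirrormode" in kws and "syncprov" not in overlays:
            problems.append(f"{db}: mirrormode without 'overlay syncprov'")
    return problems

def mirrormode_supported(version_banner):
    """True when a 'slapd -VV' banner reports OpenLDAP 2.4 or newer (2.3 lacks mirrormode)."""
    m = re.search(r"slapd (\d+)\.(\d+)", version_banner)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 4)
```

Running check_mirrormode on both posted files reports only the serverID placement; the 2.3.27 build shown in the post fails mirrormode_supported regardless of how the files are arranged.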