Hello all,
Last year I switched from slapd.conf to the OLC-style config for OpenLDAP and transitionally tested it by making the OLC server a replication slave to the older LDAP server configured with slapd.conf. Now I've disabled replication from that old server and am making the OLC server (LDAP01 - version 2.4.23) the new master, and I threw up a new VM called LDAP02 (2.4.23) to become the new sync replication slave/consumer. Though I'm using multiple guides of varying detail, the simplest setup steps basically followed this article: http://gagravarr.livejournal.com/145679.html.
I followed the same steps I thought I did for LDAP01, but despite the fact that I see LDAP02 bind and try to fetch entries for replication, nothing is being fetched. The problem description is almost identical to this person's issue: http://www.openldap.org/lists/openldap-software/200911/msg00017.html (with "nentries=0" in the replication log messages, but plenty of entries found with an ldapsearch manually).
Though I think my setup situation is different from that person's, and they were exporting using slapcat/slapadd (which I did for converting my existing slapd.conf config to LDAP01 last year, but this time I merely set up LDAP02 from scratch as a cn=config OLC server to begin with), one of the follow-up responses to that email thread said this:
"The only correct usage of -w is when you have an LDIF produced by slapcat on a database that was not being used with replication before, and so is missing the contextCSN. But all the other operational attributes (entryUUID and entryCSN in particular) are present and valid."
This made me wonder if the problem I'm seeing is because LDAP02 (or LDAP01?) is somehow missing a contextCSN. I am seeing no "cookie" messages associated with replication in my log.
Some of my config is below, as well as the log messages I am seeing on LDAP01 (edited domain & password). I did notice right off the bat, though, that I am missing an "olcDbIndex: entryUUID pres,eq" entry on LDAP02 where I have it on LDAP01. Is that a crucial setting for replication? Lastly, I deleted the database files in /var/lib/ldap/ on LDAP02 and restarted slapd once I had configured "olcSyncRepl" on LDAP02, to ensure that I was starting from scratch.
------- LDAP01's log entry for LDAP02's attempted connection looks like this:
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 ACCEPT from IP=192.168.21.60:46198 (IP=0.0.0.0:389)
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 STARTTLS
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 RESULT oid= err=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 TLS established tls_ssf=256 ssf=256
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" method=128
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" mech=SIMPLE ssf=0
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 RESULT tag=97 err=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH base="dc=myerslab,dc=haib,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH attr=* +
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=3 UNBIND
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 closed
------- LDAP02's /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=mydomain,dc=org
olcRootPW::
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 50000
olcDbCheckpoint: 10240 720
olcSyncrepl: {0}rid=001 provider=ldap://ldap01.mydomain.org bindmethod=simple timeout=1 network-timeout=0 binddn="cn=root,dc=mydomain,dc=org" credentials="ld4p3650" keepalive=0:0:0 starttls=yes filter="(objectclass=*)" searchbase="dc=mydomain,dc=org" scope=sub schemachecking=off type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" tls_cacert=/etc/openldap/certs/rootCA.cert
olcUpdateRef: ldap://ldap01.mydomain.org
olcMirrorMode: TRUE
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 31e2c8b0-c0ec-1033-8c20-43a6f59853d5
creatorsName: cn=config
createTimestamp: 20140825214036Z
entryCSN: 20140912164223.814325Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140912164223Z
------- LDAP01's /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:
dn: olcDatabase={1}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=mydomain,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by anonymous read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=mydomain,dc=org
olcRootPW::
olcSyncUseSubentry: FALSE
olcMirrorMode: TRUE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 50000
olcDbCheckpoint: 10240 720
olcDbConfig: {0}# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/12/18 11:53:27 ghenry Exp $
olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
olcDbConfig: {2}#
olcDbConfig: {3}# See the Oracle Berkeley DB documentation
olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics.
olcDbConfig: {6}#
olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ
olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxlPTI+
olcDbConfig: {9}# in particular:
olcDbConfig: {10}# http://www.openldap.org/faq/index.cgi?file=1075
olcDbConfig: {11}
olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon rebuilding
olcDbConfig: {13}# the DB environment.
olcDbConfig: {14}
olcDbConfig: {15}# one 0.25 GB cache
olcDbConfig: {16}set_cachesize 0 268435456 1
olcDbConfig: {17}
olcDbConfig: {18}# Data Directory
olcDbConfig: {19}#set_data_dir db
olcDbConfig: {20}
olcDbConfig: {21}# Transaction Log settings
olcDbConfig: {22}set_lg_regionmax 262144
olcDbConfig: {23}set_lg_bsize 2097152
olcDbConfig: {24}#set_lg_dir logs
olcDbConfig: {25}
olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed for "quick"
olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhlaXIgLXEgb3B0aW9uKS4g
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: givenName pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 727d260c-cc5c-1032-89cf-2fc7acd5ca31
creatorsName: cn=config
createTimestamp: 20131018161654Z
entryCSN: 20140915195740.431843Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140915195740Z
------
Thanks, Josh Nielsen
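An added example, not from Josh's post or from OpenLDAP itself: a small Python script that parses the stats-level slapd log lines quoted above, groups them by connection, and flags a syncrepl-looking search (whole suffix, scope=2, objectClass=*) that came back with nentries=0, noting what the bind identity means for the provider's ACLs. The sample input is the LDAP01 log from the post; the provider rootDN passed to the audit (cn=admin under the log's suffix) is an assumption taken from the olcRootDN in the posted config, since the log and the config use different (edited) domains. The practical point it encodes: LDAP02 binds as cn=root,dc=mydomain,dc=org, which is not LDAP01's olcRootDN (cn=admin,dc=mydomain,dc=org), so LDAP01's ACLs apply to the sync search, and the posted ACL "to * by anonymous read" matches only anonymous; any other identity falls through to the implicit "by * none", which would produce exactly a successful bind followed by an empty result. contextCSN itself can be checked on each server with something like ldapsearch -s base -b dc=mydomain,dc=org contextCSN (bound as an identity with read access to the suffix entry). The missing entryUUID/entryCSN indexes on the consumer affect sync performance, not whether entries arrive.

```python
import re
from collections import defaultdict

# Sample input: the LDAP01 log lines quoted in the post, one per line
# (these are the post's own lines, not constructed data).
SAMPLE_LOG = """
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 ACCEPT from IP=192.168.21.60:46198 (IP=0.0.0.0:389)
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 STARTTLS
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 RESULT oid= err=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 TLS established tls_ssf=256 ssf=256
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" method=128
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" mech=SIMPLE ssf=0
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 RESULT tag=97 err=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH base="dc=myerslab,dc=haib,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH attr=* +
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=3 UNBIND
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 closed
""".strip().splitlines()

# Assumed value: the olcRootDN from the posted config, rewritten under the log's suffix.
ASSUMED_PROVIDER_ROOTDN = "cn=admin,dc=myerslab,dc=haib,dc=org"
SUFFIX = "dc=myerslab,dc=haib,dc=org"

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+)")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def parse_slapd_log(lines):
    """Group slapd 'stats' log lines by connection id.

    Returns {conn_id: {"tls_ssf": int|None, "binds": [...], "searches": {op: {...}}}}.
    Only the second BIND line (the one carrying mech= and ssf=) is recorded.
    """
    conns = defaultdict(lambda: {"tls_ssf": None, "binds": [], "searches": {}})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        c, rest = conns[m.group("conn")], m.group("rest")
        if (t := TLS_RE.search(rest)):
            c["tls_ssf"] = int(t.group(1))
        elif (b := BIND_RE.match(rest)):
            c["binds"].append({"op": int(b.group(1)), "dn": b.group(2),
                               "mech": b.group(3), "ssf": int(b.group(4))})
        elif (s := SRCH_RE.match(rest)):
            c["searches"][int(s.group(1))] = {"base": s.group(2), "scope": int(s.group(3)),
                                              "filter": s.group(4), "err": None, "nentries": None}
        elif (r := RESULT_RE.match(rest)) and int(r.group(1)) in c["searches"]:
            c["searches"][int(r.group(1))].update(err=int(r.group(2)), nentries=int(r.group(3)))
    return dict(conns)


def audit_sync_search(conns, suffix, provider_rootdn):
    """Flag whole-suffix subtree searches that succeeded (err=0) but returned nothing,
    and say what the bound identity implies about where to look next."""
    findings = []
    for cid, c in conns.items():
        bind = c["binds"][-1] if c["binds"] else None
        who = bind["dn"] if bind and bind["dn"] else "anonymous"
        for op, s in sorted(c["searches"].items()):
            if s["base"].lower() != suffix.lower() or s["scope"] != 2:
                continue
            if s["err"] != 0 or s["nentries"] != 0:
                continue
            if who == "anonymous":
                hint = "anonymous search returned nothing: database empty or no anonymous read ACL"
            elif who.lower() == provider_rootdn.lower():
                hint = "rootDN bypasses ACLs, so the database is empty (or syncprov is not loaded)"
            else:
                hint = ("bind DN is not the rootDN, so ACLs apply; 'by anonymous read' alone "
                        "does not grant this DN read access (implicit 'by * none')")
            findings.append({"conn": cid, "op": op, "bind_dn": who,
                             "tls_ssf": c["tls_ssf"], "hint": hint})
    return findings


if __name__ == "__main__":
    for f in audit_sync_search(parse_slapd_log(SAMPLE_LOG), SUFFIX, ASSUMED_PROVIDER_ROOTDN):
        print(f"conn={f['conn']} op={f['op']} bind={f['bind_dn']} tls_ssf={f['tls_ssf']}: {f['hint']}")
```

Run it against a real log by replacing SAMPLE_LOG with the lines of /var/log/slapd.log (or journalctl output) filtered to the consumer's source IP; a finding whose hint names the rootDN points at the data or the syncprov overlay, while a finding for any other DN points at the provider's olcAccess rules first.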