Hi to all,
I am still experimenting with openldap 2.6 and deltasyncrepl with four hosts. I use Debian 11 and the symas packages.
I set up all four hosts with the following LDIF files.
Starting with the basic settings:
---------------------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/symas/run/slapd.pid
olcArgsFile: /var/symas/run/slapd.args
olcToolThreads: 1

# create cn=config
#dn: olcBackend={0}mdb,cn=config
#objectClass: olcBackendConfig
#olcBackend: {0}mdb

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: back_mdb
olcModuleLoad: back_monitor
olcModuleLoad: autoca.la
olcModuleLoad: otp.la
olcModuleLoad: argon2.la
olcModuleLoad: syncprov
olcModuleLoad: back_monitor
olcModuleLoad: accesslog.la

include: file:///opt/symas/etc/openldap/schema/core.ldif
include: file:///opt/symas/etc/openldap/schema/cosine.ldif
include: file:///opt/symas/etc/openldap/schema/nis.ldif
include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif
include: file:///opt/symas/etc/openldap/schema/dyngroup.ldif
include: file:///opt/symas/etc/openldap/schema/kerberos.openldap.ldif

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcSizeLimit: 500
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcPasswordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=net
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbDirectory: /var/symas/openldap-data
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
---------------------------------------
After all four hosts have the same basic settings I change the "serverId" with the following LDIF file. My problem is the same even when I put the serverIds into the basic setup. The reason I split the serverId from the basic settings is that I use Ansible to configure all hosts.
-------------------------
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap01.example.net
olcServerID: 2 ldap://ldap02.example.net
olcServerID: 3 ldap://ldap03.example.net
olcServerID: 4 ldap://ldap04.example.net
-------------------------

The next step is setting up the deltasync replication with the following LDIF file:
-------------------------
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /var/symas/accesslog
olcSuffix: cn=accesslog
olcAccess: {0}to dn.subtree="cn=accesslog" by dn.exact="uid=repl-user,ou=users,dc={first_dc}},dc=net" read by dn.exact="cn=admin,dc=example,dc=net" read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcLimits: dn.exact="cn=uid=repl-user,dc=example,dc=net" time=unlimited size=unlimited
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCheckpoint: 0 0
olcDbIndex: entryCSN eq
olcDbIndex: objectClass eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbIndex: reqStart eq
olcDbIndex: reqDN eq
olcDbMode: 0600
olcDbSearchStack: 16
olcDbMaxsize: 85899345920

dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 200

dn: olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 01+00:00 00+04:00

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes
olcSyncrepl: rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes
olcSyncrepl: rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes
-
replace: olcMirrorMode
olcMirrorMode: TRUE
-------------------------
The olcSyncrepl is different on each host; this one is from ldap01.example.net, so that host is not in the list.
On every other host everything is set up the same.
When I start slapd I always get these error messages (on server ldap01):
---------------------
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 ACCEPT from IP=192.168.56.48:56760 (IP=0.0.0.0:389)
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 STARTTLS
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 RESULT oid= err=0 qtime=0.000024 etime=0.000299 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" method=128
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 RESULT tag=97 err=0 qtime=0.000033 etime=0.026849 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior reqControls entryCSN
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 syncprov_op_search: got a persistent search with a cookie=rid=101,sid=004,csn=20211208190517.239632Z#000000#001#000000
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 syncprov_findbase: searching
Dez 09 15:20:56 ldap01 slapd[2406]: findbase failed! 32
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SEARCH RESULT tag=101 err=32 qtime=0.000019 etime=0.000166 nentries=0 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=3 UNBIND
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 closed
---------------------
The rid 101 is NOT configured on this host, because it's ldap01.
The same configuration is working on Debian 10 with the openldap packages from Debian.
One more thing: on Debian 10 I see
----------------------
root@hm-01:~# ss -a | grep ldap | awk '{print$1 " " $2 " " $5 " " $6}'
u_str LISTEN /var/run/slapd/ldapi 13381
tcp LISTEN 0.0.0.0:ldaps 0.0.0.0:*
tcp LISTEN 0.0.0.0:ldap 0.0.0.0:*
tcp ESTAB 192.168.56.41:ldap 192.168.56.44:35400
tcp ESTAB 192.168.56.41:ldap 192.168.56.42:57096
tcp ESTAB 192.168.56.41:ldap 192.168.56.43:54992
tcp ESTAB 192.168.56.41:33408 192.168.56.42:ldap
tcp ESTAB 192.168.56.41:50268 192.168.56.43:ldap
tcp LISTEN [::]:ldaps [::]:*
tcp LISTEN [::]:ldap [::]:*
----------------------
which is what I expected because of "refreshAndPersist". On the Debian 11 host with the symas packages I see:
---------------------
root@ldap01:~# ss -a | grep ldap | awk '{print$1 " " $2 " " $5 " " $6}'
u_str LISTEN /var/symas/run/ldapi 14159
tcp LISTEN 0.0.0.0:ldaps 0.0.0.0:*
tcp LISTEN 0.0.0.0:ldap 0.0.0.0:*
tcp LISTEN [::]:ldaps [::]:*
tcp LISTEN [::]:ldap [::]:*
---------------------
So there is no permanent connection, which the log also shows. Error 32 means "no such object", but which object is missing? The accesslog DB files are there.
The slapd is NOT running as root; I changed all the permissions and settings to run slapd as an unprivileged user.
I'm lost :-)
Stefan
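An added triage helper for the kind of log shown in the post (my code, not from the post or from OpenLDAP): it groups slapd stats/sync log lines by connection and operation, pulls the consumer's rid and sid out of the sync cookie, and reports every syncrepl search that ended with a non-zero result code, so you can see which consumer asked for which base and what the provider answered. It assumes the sid in the cookie is the consumer's own olcServerID (my reading of the cookie format), and the sample log lines are constructed, modelled on the post's output.

```python
import re
from collections import defaultdict

# olcServerID values from the post. The sid in a consumer's sync cookie is the
# consumer's own server ID (my reading of the cookie format), so it names the sender.
SERVER_IDS = {1: "ldap01.example.net", 2: "ldap02.example.net",
              3: "ldap03.example.net", 4: "ldap04.example.net"}
RESULT_NAMES = {0: "success", 32: "noSuchObject", 50: "insufficientAccessRights"}  # RFC 4511
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
COOKIE_RE = re.compile(r"cookie=rid=(\d+),sid=(\d+),csn=")

def triage_sync_searches(lines, server_ids=SERVER_IDS):
    """Group slapd stats/sync log lines by (conn, op) and return one record for every
    syncrepl search (a SRCH that carried a sync cookie) whose SEARCH RESULT was non-zero."""
    ops = defaultdict(dict)
    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue  # e.g. "findbase failed! 32" carries no conn/op prefix
        key, rest = (int(m.group(1)), int(m.group(2))), m.group(3)
        if rest.startswith("SRCH base="):
            ops[key]["base"] = re.search(r'base="([^"]*)"', rest).group(1)
        elif "syncprov_op_search" in rest and COOKIE_RE.search(rest):
            rid, sid = COOKIE_RE.search(rest).groups()
            ops[key].update(rid=int(rid), sid=int(sid))
        elif rest.startswith("SEARCH RESULT"):
            ops[key]["err"] = int(re.search(r"err=(\d+)", rest).group(1))
    failures = []
    for (conn, op), rec in sorted(ops.items()):
        if "rid" not in rec or rec.get("err", 0) == 0:
            continue  # plain search, or a persistent search still open / succeeded
        failures.append({"conn": conn, "op": op, "base": rec.get("base"), "rid": rec["rid"],
                         "sid": rec["sid"], "consumer": server_ids.get(rec["sid"], "sid=%03d" % rec["sid"]),
                         "err": rec["err"], "reason": RESULT_NAMES.get(rec["err"], "code %d" % rec["err"])})
    return failures

# Constructed sample modelled on the post's log: the search from the consumer with
# sid=004 fails with err=32; the one from sid=002 is still open (no RESULT line yet).
SAMPLE_LOG = """\
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 syncprov_op_search: got a persistent search with a cookie=rid=101,sid=004,csn=20211208190517.239632Z#000000#001#000000
Dez 09 15:20:56 ldap01 slapd[2406]: findbase failed! 32
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SEARCH RESULT tag=101 err=32 qtime=0.000019 etime=0.000166 nentries=0 text=
Dez 09 15:20:57 ldap01 slapd[2406]: conn=1036 op=2 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Dez 09 15:20:57 ldap01 slapd[2406]: conn=1036 op=2 syncprov_op_search: got a persistent search with a cookie=rid=101,sid=002,csn=20211208190517.239632Z#000000#001#000000
"""

if __name__ == "__main__":
    for f in triage_sync_searches(SAMPLE_LOG.splitlines()):
        print("conn=%(conn)d op=%(op)d: %(consumer)s rid=%(rid)d base=%(base)s -> err=%(err)d %(reason)s" % f)
```

Run it over `journalctl -u slapd` output on the provider that logs the error; a search that never gets a SEARCH RESULT line is the persistent connection you expect to see in `ss`, while one that closes with err=32 tells you which consumer was refused and for which base.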