Okay, I changed the olcSyncrepl type to refreshAndPersist and removed the interval settings.
It seems to work now, although I don't really understand why.
Thanks for your help on ACLs.
Regards,
Vincent
On 15/01/2020 at 17:27, Vincent Ducot wrote:
Hi,
You can find below my full config.
To be more precise, my problem is:
- I add a user on node1; it is replicated on node2.
- I add a second user (or group) on node2; it is not replicated on node2.
In the logs, I get:
Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: slap_queue_csn: queueing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: slap_graduate_commit_csn: removing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
What does "nonpresent_callback" mean?
I also tested with replication user in a different database, as suggested in this mailing list, but the result is the same.
Regards,
Vincent
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcDisallows: bind_anon
olcLogLevel: any
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcToolThreads: 1
olcServerID: 0 ldap:///
olcServerID: 1 ldap://node1-vpn
olcServerID: 2 ldap://node2-vpn

# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb

# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: {0}syncprov.la

# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRequires: authc
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}HdZbPd66TxCjeYEIAASbAQTnvFh3GOTw
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/foobar/ldap
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by anonymous auth by self write by dn.exact="cn=rpuser,dc=foo,dc=bar" read
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRequires: authc
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {SSHA}zL8CSrnkBacsebLUsJ+dzva6eQ7xcyZJ
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbMaxSize: 1073741824

# {0}syncprov, {2}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
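Reading the quoted log from the consumer's side answers the "nonpresent_callback" question: in the present phase of a syncrepl refresh the provider sends a SYNC_ID_SET intermediate message carrying the entryUUIDs it still holds, and the consumer then walks its own copy of the replicated database; nonpresent_callback logs each local entry as "present" if its UUID was in that set and as "nonpresent" otherwise, and the nonpresent entries are deleted locally. In the log above all seven entries under dc=foo,dc=bar are "present", so that particular refresh deleted nothing. The following Python script is an added example, not code from the thread or from OpenLDAP: it parses these lines per rid and reports the result messages, the cookie CSN and the entries a refresh would delete. The embedded log is the one quoted above plus one constructed "nonpresent" line (marked as such in the code) so the deletion case is exercised too.

```python
"""Summarise OpenLDAP syncrepl consumer log lines (olcLogLevel sync or any).

Added example; not code from the thread or from OpenLDAP itself.
"""
import re
from collections import defaultdict

# The node2 log lines quoted in the thread (rid=101 and rid=102).
SAMPLE_LOG = """\
Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
"""

# Constructed line (NOT from the thread): what the consumer logs for an entry it
# holds but the provider did not list as present. Such entries are deleted locally.
CONSTRUCTED_NONPRESENT = (
    "Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 nonpresent "
    "UUID 00000000-0000-0000-0000-000000000000, dn uid=stale,ou=people,dc=foo,dc=bar\n"
)

RE_RESULT = re.compile(r"do_syncrep2: rid=(\d+) (LDAP_RES_[A-Z_]+)(?: - ([A-Z_]+))?")
RE_COOKIE = re.compile(r"do_syncrep2: rid=(\d+) cookie=rid=\d+,csn=(\S+)")
RE_NONPRESENT = re.compile(
    r"nonpresent_callback: rid=(\d+) (present|nonpresent) UUID (\S+), dn (.+)$")


def parse_syncrepl_log(text):
    """Group consumer log lines by rid: result messages, cookie CSN, present/nonpresent entries."""
    rids = defaultdict(lambda: {"messages": [], "cookie_csn": None,
                                "present": [], "nonpresent": []})
    for line in text.splitlines():
        m = RE_RESULT.search(line)
        if m:
            rid, result, sub = m.groups()
            rids[rid]["messages"].append(result if sub is None else f"{result}/{sub}")
            continue
        m = RE_COOKIE.search(line)
        if m:
            rids[m.group(1)]["cookie_csn"] = m.group(2)
            continue
        m = RE_NONPRESENT.search(line)
        if m:
            rid, state, uuid, dn = m.groups()
            rids[rid][state].append((uuid, dn))
    return dict(rids)


def refresh_summary(rid_info):
    """What one refresh did: whether a present phase ran, entries kept, entries deleted."""
    return {
        "present_phase": any(m.endswith("SYNC_ID_SET") for m in rid_info["messages"]),
        "kept": len(rid_info["present"]),
        "would_delete": [dn for _, dn in rid_info["nonpresent"]],
        "cookie_csn": rid_info["cookie_csn"],
    }


if __name__ == "__main__":
    for rid, info in sorted(parse_syncrepl_log(SAMPLE_LOG + CONSTRUCTED_NONPRESENT).items()):
        print(rid, refresh_summary(info))
```

Run against a real consumer log, any non-empty "would_delete" list is the set of entries that vanished on that consumer after the refresh, which is the symptom Vincent reported (the dc=foo,dc=bar tree disappearing on node2).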
On 13/01/2020 at 20:31, Quanah Gibson-Mount wrote:
--On Monday, January 13, 2020 6:32 PM +0100 Vincent Ducot vincent.ducot@rubycat.eu wrote:
Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.
I applied the olcAccess you proposed.
I still have the problem of deletion of the "dc=foo,dc=bar" tree on node2, for example when I add a user on node1. Any idea why?
Not off the top of my head. Without full configs for both servers or an understanding of the state of the replicated databases on each server, it would all be random speculation.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
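The thread ends without full configs for both servers, but the cn=config dump Vincent posted for node2 can at least be checked for internal consistency. The following Python script is an added example, not code from the thread or from OpenLDAP: it parses a cn=config LDIF dump, pulls each olcSyncrepl binddn out with shlex, and reports whether that DN has an olcLimits entry and an explicitly named olcAccess clause in the same database, whether refreshOnly polling is in use, and whether a MirrorMode database has olcServerID values in cn=config and a syncprov overlay beneath it. On the posted excerpt it reports that the binddn and olcLimits use uid=rpuser,dc=foo,dc=bar while the userPassword ACL names cn=rpuser,dc=foo,dc=bar, and that both rids poll with refreshOnly every 20 seconds, the setting Vincent later replaced with refreshAndPersist. The embedded config is an excerpt of the posted one; the function names and finding texts are this example's own.

```python
"""Consistency checks for a syncrepl/MirrorMode setup in an OpenLDAP cn=config dump.

Added example; not code from the thread or from OpenLDAP itself.
"""
import re
import shlex

# Excerpt of the cn=config dump posted in the thread (unrelated entries dropped).
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
olcServerID: 0 ldap:///
olcServerID: 1 ldap://node1-vpn
olcServerID: 2 ldap://node2-vpn

dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by anonymous auth by self write by dn.exact="cn=rpuser,dc=foo,dc=bar" read
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
"""

ORDER = re.compile(r"^\{-?\d+\}")                  # the {n} ordering prefix on cn=config values
DN_REF = re.compile(r'\bdn(?:\.\w+)?="([^"]+)"')   # dn="..." / dn.exact="..." in ACLs and limits


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry; 'dn' is an attribute too."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                              # blank line ends an entry
            if cur is not None:
                entries.append(cur)
            cur, last = None, None
            continue
        if raw.startswith(" ") and last is not None:     # folded continuation line
            cur[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(": ")
        cur = cur if cur is not None else {}
        cur.setdefault(attr, []).append(value)
        last = attr
    if cur is not None:
        entries.append(cur)
    return entries


def norm_dn(dn):
    """Lower-case and strip spaces after commas so DNs written differently still compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()


def parse_syncrepl(value):
    """'rid=101 provider=... binddn="..."' -> dict; shlex keeps quoted values whole."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(ORDER.sub("", value)))


def check_syncrepl(entries):
    """Return human-readable findings for every database that carries olcSyncrepl."""
    findings = []
    by_dn = {norm_dn(e["dn"][0]): e for e in entries}
    server_ids = by_dn.get("cn=config", {}).get("olcServerID", [])
    for db in entries:
        if "olcSyncrepl" not in db:
            continue
        db_dn = db["dn"][0]
        acl_dns = {norm_dn(d) for v in db.get("olcAccess", []) for d in DN_REF.findall(v)}
        limit_dns = {norm_dn(d) for v in db.get("olcLimits", []) for d in DN_REF.findall(v)}
        has_syncprov = any(
            norm_dn(o["dn"][0]).endswith("," + norm_dn(db_dn))
            and any(ORDER.sub("", v) == "syncprov" for v in o.get("olcOverlay", []))
            for o in entries)
        for value in db["olcSyncrepl"]:
            s = parse_syncrepl(value)
            rid, bind = s.get("rid", "?"), norm_dn(s.get("binddn", ""))
            if bind not in limit_dns:
                findings.append(f"rid={rid}: no olcLimits for binddn {bind} in {db_dn}; "
                                "the refresh search is subject to the default size/time limits")
            if bind not in acl_dns:
                findings.append(f"rid={rid}: binddn {bind} is not named in any olcAccess of "
                                f"{db_dn} (DNs named explicitly: {sorted(acl_dns)})")
            if s.get("type") == "refreshOnly":
                findings.append(f"rid={rid}: type=refreshOnly polls the provider every "
                                f"interval={s.get('interval')}; nothing is pushed between polls")
        if db.get("olcMirrorMode", ["FALSE"])[0].upper() == "TRUE":
            if not server_ids:
                findings.append(f"{db_dn}: olcMirrorMode TRUE but cn=config has no olcServerID")
            if not has_syncprov:
                findings.append(f"{db_dn}: olcMirrorMode TRUE but no syncprov overlay under it")
    return findings


if __name__ == "__main__":
    for finding in check_syncrepl(parse_ldif(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of slapcat -n 0 (or an ldapsearch of cn=config) from each node and compare the findings side by side; a binddn that is spelled one way in olcSyncrepl and another way in olcAccess is exactly the kind of difference that is hard to spot in a flattened dump.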