Okay, I changed the olcSyncrepl type to refreshAndPersist and removed the interval setting.

It seems to work now, although I don't really understand why.

Thanks for your help on ACLs

Regards,

Vincent

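Added example, not part of the thread and not OpenLDAP project code: a small Python triage of the syncrepl consumer log lines quoted below from node2. The `do_syncrep2 ... cookie=` line carries the contextCSN the consumer ends the refresh with (time, per-second counter, server ID, trailing mod field), and `nonpresent_callback` is the end of a refresh that delivered a present list (the SYNC_ID_SET intermediate message): the consumer walks its own copy of the searchbase, logs each entry whose UUID the provider listed as "present", and logs the rest as "nonpresent" and deletes them. The sample input reuses lines from the thread plus one constructed "nonpresent" line (zero UUID, `uid=onlyhere`) so both branches are exercised.

```python
"""Triage OpenLDAP syncrepl consumer log lines: decode the cookie CSN and
separate the entries a refresh kept ("present") from those it deletes
("nonpresent")."""
import re
from datetime import datetime, timezone

# Lines taken from the thread (node2, rid=101) plus one CONSTRUCTED "nonpresent"
# line (zero UUID, uid=onlyhere) to show the delete branch of nonpresent_callback.
SAMPLE_LOG = """\
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 nonpresent UUID 00000000-0000-0000-0000-000000000000, dn uid=onlyhere,ou=people,dc=foo,dc=bar
"""

# CSN layout: YYYYmmddHHMMSS.ffffffZ#count#sid#mod (count/sid/mod are hex)
CSN_RE = re.compile(r"(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})")
COOKIE_RE = re.compile(r"do_syncrep2: rid=(\d+) cookie=(.*)")
NONPRESENT_RE = re.compile(
    r"nonpresent_callback: rid=(\d+) (present|nonpresent) UUID (\S+), dn (.*)")


def parse_csn(csn):
    """Split a CSN into UTC time, per-second counter, server ID and the trailing mod field."""
    m = CSN_RE.fullmatch(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn}")
    s = m.group(1)
    t = datetime(int(s[0:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                 int(s[10:12]), int(s[12:14]), int(m.group(2)), tzinfo=timezone.utc)
    return {"time": t, "count": int(m.group(3), 16),
            "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}


def _new_record():
    return {"csns": [], "present": [], "nonpresent": []}


def triage(log_text):
    """Per rid: decoded cookie CSNs, plus the DNs the refresh kept and the DNs it deleted."""
    out = {}
    for line in log_text.splitlines():
        m = COOKIE_RE.search(line)
        if m:
            rec = out.setdefault(int(m.group(1)), _new_record())
            # A cookie can carry several CSNs (one per server ID) separated by ';'
            csn_field = re.search(r"csn=([^,]+)", m.group(2))
            if csn_field:
                rec["csns"].extend(parse_csn(c) for c in csn_field.group(1).split(";"))
            continue
        m = NONPRESENT_RE.search(line)
        if m:
            rec = out.setdefault(int(m.group(1)), _new_record())
            rec[m.group(2)].append(m.group(4))   # "present" or "nonpresent"
    return out


if __name__ == "__main__":
    for rid, rec in triage(SAMPLE_LOG).items():
        for c in rec["csns"]:
            print(f"rid={rid} cookie CSN from sid={c['sid']} at {c['time'].isoformat()}")
        print(f"rid={rid} kept {len(rec['present'])} entries, will delete: {rec['nonpresent']}")
```

Run against a real `olcLogLevel: sync` capture, the "nonpresent" list is the set of entries the consumer is about to remove because the provider did not list them; the CSN's `sid` field tells you which olcServerID last wrote the change the consumer caught up to.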

On 15/01/2020 at 17:27, Vincent Ducot wrote:

Hi,

You can find below my full config.

To be more precise, my problem is:

- I add a user on node1, it's replicated on node2
- I add a second user (or group) on node2, it's not replicated on node2.
In the logs, I get

Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: slap_queue_csn: queueing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: slap_graduate_commit_csn: removing 0x7f4628103420 20200115102817.516155Z#000000#000#000000

What does "nonpresent_callback" mean?

I also tested with replication user in a different database, as suggested in this mailing list, but the result is the same.


Regards,

Vincent


# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcDisallows: bind_anon
olcLogLevel: any
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcToolThreads: 1
olcServerID: 0 ldap:///
olcServerID: 1 ldap://node1-vpn
olcServerID: 2 ldap://node2-vpn

# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb

# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: {0}syncprov.la

# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRequires: authc
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}HdZbPd66TxCjeYEIAASbAQTnvFh3GOTw
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/foobar/ldap
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by anonymous auth  by self write  by dn.exact="cn=rpuser,dc=foo,dc=bar" read
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited  time.h
 ard=unlimited size.soft=unlimited size.hard=unlimited
olcRequires: authc
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {SSHA}zL8CSrnkBacsebLUsJ+dzva6eQ7xcyZJ
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=r
 efreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=r
 efreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: entryUUID  eq
olcDbIndex: entryCSN  eq
olcDbMaxSize: 1073741824

# {0}syncprov, {2}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov


On 13/01/2020 at 20:31, Quanah Gibson-Mount wrote:


--On Monday, January 13, 2020 6:32 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:


Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.

I applied the olcAccess you proposed.

I still have the problem of deletion of "dc=foo,dc=bar" tree on node2,
for example when I add a user on node1. Any idea why ?

Not off the top of my head.  Without full configs for both servers or an understanding of the state of the replicated databases on each server, it would all be random speculation.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
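Added example, not from the thread and not OpenLDAP project code: a Python linter for the syncrepl-related parts of a cn=config LDIF dump such as the one quoted above. It unfolds LDIF continuation lines (the leading-space lines in the dump), parses each olcSyncrepl value, and checks what a reviewer would check in that config: whether the consumer's binddn is the DN actually named in olcAccess and olcLimits (the quoted config grants userPassword read to `cn=rpuser` but binds as `uid=rpuser`; attributes the replication identity cannot read are not sent to the consumer, and without an unlimited olcLimits entry the refresh is subject to the default size/time limits), whether an `interval=` is left on a refreshAndPersist consumer (the interval is only used in refreshOnly mode), whether the same rid appears twice, and whether a simple bind travels over plain `ldap://` without `starttls=` (acceptable only if the link itself is protected, as the `-vpn` hostnames suggest here). The sample LDIF is constructed and modelled on the posted config; `rpuser`, `node1-vpn` and `dc=foo,dc=bar` come from the thread.

```python
"""Lint the syncrepl-related attributes of an OpenLDAP cn=config LDIF dump."""
import re
import shlex

# CONSTRUCTED LDIF fragment modelled on the config posted in the thread (not a
# verbatim copy). Lines starting with a single space are LDIF continuations.
SAMPLE_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcDatabase: {2}mdb
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by anonymous auth  by self write  by dn.ex
 act="cn=rpuser,dc=foo,dc=bar" read
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited  time.h
 ard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=r
 efreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=r
 efreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
"""

# dn=, dn.exact=, dn.base= ... clauses, quoted or bare
DN_CLAUSE = re.compile(r'\bdn(?:\.[a-z]+)?=(?:"([^"]*)"|([^\s"]+))', re.I)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attr_values(lines, name):
    """Values of attribute `name` with the {n} ordering prefix removed (plain values only, no base64 ::)."""
    prefix = name.lower() + ":"
    return [re.sub(r"^\{-?\d+\}", "", line.split(":", 1)[1].strip())
            for line in lines
            if line.lower().startswith(prefix) and not line.lower().startswith(prefix + ":")]


def norm_dn(dn):
    """Cheap DN normalisation for comparison: strip quotes, spaces around , and =, lowercase."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().strip('"')).lower()


def dns_in(values):
    """Every DN named in a dn/dn.exact/... clause of the given olcAccess or olcLimits values."""
    return {norm_dn(m.group(1) if m.group(1) is not None else m.group(2))
            for v in values for m in DN_CLAUSE.finditer(v)}


def parse_syncrepl(value):
    """Split one olcSyncrepl value into a dict; shlex keeps quoted DNs and retry lists intact."""
    params = {}
    for tok in shlex.split(value):
        key, _, val = tok.partition("=")
        params[key.lower()] = val
    return params


def lint(ldif_text):
    """Return a list of findings (strings) for the syncrepl consumers in the LDIF text."""
    lines = unfold_ldif(ldif_text)
    acl_dns = dns_in(attr_values(lines, "olcAccess"))
    limit_dns = dns_in(attr_values(lines, "olcLimits"))
    findings, seen = [], set()
    for value in attr_values(lines, "olcSyncrepl"):
        p = parse_syncrepl(value)
        rid = p.get("rid", "?")
        if rid in seen:
            findings.append(f"rid={rid}: duplicate rid")
        seen.add(rid)
        binddn = norm_dn(p.get("binddn", ""))
        if binddn not in acl_dns:
            findings.append(f"rid={rid}: binddn {binddn} is not named in any olcAccess clause")
        if binddn not in limit_dns:
            findings.append(f"rid={rid}: binddn {binddn} has no olcLimits entry")
        # Same RDN value under another attribute type (cn=rpuser vs uid=rpuser) is usually a typo.
        rdn_value = binddn.split(",", 1)[0].partition("=")[2]
        for other in sorted(acl_dns | limit_dns):
            if other != binddn and other.split(",", 1)[0].partition("=")[2] == rdn_value:
                findings.append(f"rid={rid}: {other} looks like a mistyped {binddn}")
        if p.get("type", "refreshOnly").lower() == "refreshandpersist" and "interval" in p:
            findings.append(f"rid={rid}: interval= is only used in refreshOnly mode")
        if (p.get("bindmethod", "simple").lower() == "simple"
                and p.get("provider", "").lower().startswith("ldap://")
                and p.get("starttls", "no").lower() == "no"):
            findings.append(f"rid={rid}: simple bind over ldap:// without starttls sends the password in the clear")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_LDIF):
        print(finding)
```

Feed it `slapcat -n 0` output (or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config`) from each node; the DN comparison is deliberately simple, so DNs that differ only in RFC 4514 escaping are reported as different and need a look by hand.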