Hi, I'm trying to migrate from OpenLDAP 2.3.43-12.el5_6.7 to OpenLDAP 2.4.23-20.el6.x86_6. In 2.3, we currently have one master, replicating changes to 2 consumers via slurpd.
I'm trying to configure 2.4 w/ syncrepl, and have tried using refreshAndPersist to mimic that same routine of pushing changes from the master. I'm getting failures though:
on the master:
May 25 13:55:25 slapd[6855]: send_search_entry: conn 1064 ber write failed.
May 25 13:55:45 slapd[6855]: send_search_entry: conn 1066 ber write failed.
May 25 13:56:45 slapd[6855]: send_search_entry: conn 1068 ber write failed.
May 25 13:57:45 slapd[6855]: send_search_entry: conn 1078 ber write failed.
May 25 13:58:45 slapd[6855]: send_search_entry: conn 1084 ber write failed.
May 25 13:59:05 slapd[6855]: send_search_entry: conn 1086 ber write failed.
May 25 13:59:15 slapd[6855]: send_search_entry: conn 1087 ber write failed.
on a consumer:
May 25 13:45:15 slapd[28707]: do_syncrepl: rid=002 rc 68 retrying (9 retries left)
May 25 13:45:25 slapd[28707]: syncrepl_entry: rid=002 be_add cn=XXXXXXX,dc=edu failed (68)
here are snippets from the master's slapd.conf and from one of the consumers:
master
-------
database hdb
include /etc/openldap/slapd.access
suffix "dc=XXXXdc=edu"
checkpoint 1024 5
cachesize 30000
idlcachesize 90000
rootdn "cn=Manager,XXXXX,dc=edu"
# NOTE: "updatedn" MUST BE COMMENTED OUT FOR INITIAL CREATION/LOAD OF
# ROOT INFO

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
# needs to be changed to something someone knows.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
# review these
index default pres,eq
index uid eq,sub
index entryUUID,entryCSN
index cn,sn,givenName,ou,mail,telephoneNumber pres,eq,sub
index employeeNumber,mailAlternateAddress,eduPersonPrincipalName
index eduPersonAffiliation,eduPersonPrimaryAffiliation
index objectClass,serialNumber eq
index isMemberOf eq,subany
TLSCertificateFile /etc/openldap/newcert.pem
TLSCertificateKeyFile /etc/openldap/newkey.pem
TLSCACertificateFile /etc/openldap/chain.pem
consumer
------------------
database hdb
suffix "dc=XXXXX=edu"
checkpoint 1024 5
cachesize 30000
idlcachesize 90000
rootdn "cn=Manager,dc=XXXX,dc=edu"
# NOTE: "updatedn" MUST BE COMMENTED OUT FOR INITIAL CREATION/LOAD OF
# ROOT INFO

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
# needs to be changed to something someone knows.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
# review these
index default pres,eq
index uid eq,sub
index entryUUID,entryCSN
index cn,sn,givenName,ou,mail,telephoneNumber pres,eq,sub
index employeeNumber,mailAlternateAddress,eduPersonPrincipalName
index eduPersonAffiliation,eduPersonPrimaryAffiliation
index objectClass,serialNumber eq
index isMemberOf eq,subany
TLSCertificateFile /etc/openldap/newcert.pem
TLSCertificateKeyFile /etc/openldap/newkey.pem
TLSCACertificateFile /etc/openldap/chain.pem

syncrepl rid=002
        provider=ldap://providername-taken-out-here:389
        type=refreshAndPersist
        retry="10 10 60 +"
        searchbase="dc=XXXX,dc=edu"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=Replicator,dc=XXXX,dc=edu"
        credentials="password"

updateref ldap://providername-takenout-here:389
The account I'm using to bind from the consumer has read access to everything on the master. Thanks in advance.
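Added triage script for the consumer-side failure above. It is not part of the original post and not OpenLDAP code; it only reads exported data and logs. Result code 68 in the consumer log is LDAP alreadyExists: syncrepl identifies entries by entryUUID, so when the incoming entry's entryUUID is not found locally, syncrepl_entry attempts be_add, and that add fails with 68 if the same DN already exists on the consumer under a different entryUUID (a consumer populated independently, as slurpd consumers were, carries its own entryUUIDs). The script decodes the result codes in the syslog lines and compares two slapcat-style LDIF exports to list DNs whose entryUUIDs disagree. The LDIF samples, the suffix dc=example,dc=edu and the UUID values are constructed placeholders; the log lines are the two from the post.

```python
"""Syncrepl rc=68 triage: decode consumer log lines and find entryUUID mismatches.

Added example, not from the post or OpenLDAP. Input LDIF is whatever
`slapcat -l file.ldif` produces on the provider and on the consumer.
"""
import base64
import re

# Result codes from RFC 4511 that commonly show up in syncrepl log lines.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    68: "alreadyExists",
}

# Matches both "do_syncrepl: rid=002 rc 68 ..." and
# "syncrepl_entry: rid=002 be_add <dn> failed (68)".
_LOG_RE = re.compile(r"rid=(?P<rid>\d+).*?(?:\brc |failed \()(?P<rc>\d+)")


def decode_syncrepl_log(lines):
    """Return (rid, code, name) for every line carrying a syncrepl result code."""
    found = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            rc = int(m.group("rc"))
            found.append((m.group("rid"), rc, LDAP_RESULT_NAMES.get(rc, "unknown")))
    return found


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}.

    Unfolds continuation lines (leading space), decodes '::' base64 values,
    skips comments and the 'version:' header. Enough for slapcat output.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = {}, None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip() or line.startswith("#"):
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr.lower(), []).append(value)
    return entries


def _norm_dn(dn):
    """Case-insensitive DN comparison with whitespace after commas removed."""
    return re.sub(r",\s*", ",", dn).lower()


def find_uuid_conflicts(provider_ldif, consumer_ldif):
    """DNs present on both servers whose entryUUID differs or is missing on the consumer.

    These are exactly the entries for which the consumer's syncrepl_entry
    will try be_add and receive 68 (alreadyExists).
    """
    provider = parse_ldif(provider_ldif)
    consumer = {_norm_dn(dn): a for dn, a in parse_ldif(consumer_ldif).items()}
    conflicts = []
    for dn, attrs in provider.items():
        peer = consumer.get(_norm_dn(dn))
        if peer is None:
            continue  # absent on the consumer: syncrepl will simply add it
        p_uuid = (attrs.get("entryuuid") or [None])[0]
        c_uuid = (peer.get("entryuuid") or [None])[0]
        if p_uuid != c_uuid:
            conflicts.append((dn, p_uuid, c_uuid))
    return conflicts


# Constructed sample exports (placeholder suffix and UUIDs, not real data).
PROVIDER_LDIF = """\
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
dc: example
entryUUID: 1a2b3c4d-0000-1000-8000-000000000001

dn: cn=alice,ou=people,dc=example,dc=edu
objectClass: person
cn: alice
sn: Example
entryUUID: 1a2b3c4d-0000-1000-8000-000000000002
"""

CONSUMER_LDIF = """\
dn: dc=example,dc=edu
objectClass: dcObject
objectClass: organization
dc: example
entryUUID: 1a2b3c4d-0000-1000-8000-000000000001

dn: cn=alice,ou=people,dc=example,dc=edu
objectClass: person
cn: alice
sn: Example
entryUUID: 9f9f9f9f-0000-1000-8000-0000000000ff
"""

# The two consumer log lines quoted in the post.
SAMPLE_LOG = [
    "May 25 13:45:15 slapd[28707]: do_syncrepl: rid=002 rc 68 retrying (9 retries left)",
    "May 25 13:45:25 slapd[28707]: syncrepl_entry: rid=002 be_add cn=XXXXXXX,dc=edu failed (68)",
]

if __name__ == "__main__":
    for rid, rc, name in decode_syncrepl_log(SAMPLE_LOG):
        print(f"rid={rid} result {rc} ({name})")
    for dn, p, c in find_uuid_conflicts(PROVIDER_LDIF, CONSUMER_LDIF):
        print(f"entryUUID mismatch for {dn}: provider={p} consumer={c}")
```

With real exports, every DN the script reports is one the consumer holds under an entryUUID the provider has never seen, so no amount of retrying (the retry="10 10 60 +" schedule in the config) will get past result 68 for it.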