Hi!
Actually when trying to "fix" my configuration, I completely messed it up 8-( Probably because I could not really understand the relationship and/or meaning of some configuration attributes:
In an MMR configuration I thought I don't need olcUpdateRef (server sends updates to another one) because the syncrepl configuration would propagate any changes. Likewise I'm unsure about olcMirrorMode (olcMultiProvider): Is it needed for MMR?
The odd thing is that I have a database configured similar to cn=config (using MDB), and I can apply a change to config that is accepted, but I cannot apply the corresponding change to {1}mdb. The configuration has no updateref, syncrepl, or multiprovider attributes set.
The change tries to add {5}mdb to be used as accesslog, and the server complains:
adding new entry "olcDatabase={5}mdb,cn=config"
ldap_add: Server is unwilling to perform (53)
additional info: shadow context; no update referral
The failed change looks like this:
ldapmodify -Y EXTERNAL -H ldapi:/// <<LDIF || exit
dn: olcDatabase={5}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {5}mdb
olcAccess: {0} to * by dn.exact="uid=syncrepl,ou=system,$CONTEXT" read by * break
olcDbDirectory: /var/lib/ldap/changelog-1
olcDbIndex: objectclass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcLimits: dn.exact="uid=syncrepl,ou=system,$CONTEXT" size.soft=unlimited
olcDbMaxSize: 104857600
olcRootDN: cn=changelog-1
olcRootPW: log-1
olcSecurity: ssf=128 update_ssf=128 simple_bind=128
olcSuffix: cn=changelog-1
LDIF
I don't understand.
Kind regards,
Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Friday, April 4, 2025 1:01 PM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Message "slapd[2734]: config error processing olcDatabase={0}config,cn=config: <olcMultiProvider> database is not a shadow"
On Fri, Apr 04, 2025 at 05:29:03AM +0000, Windl, Ulrich wrote:
Hi!
While setting up an OpenLDAP-2.5-based MMR configuration I had set up the master node, then dumped the config database, copied the LDIF to the other node. However when starting slapd, it failed with the message
slapd[2734]: config error processing olcDatabase={0}config,cn=config: <olcMultiProvider> database is not a shadow
See also https://stackoverflow.com/q/6792212/6607497
The context of olcMultiProvider is:
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
...
olcMultiProvider: TRUE
On the first node I had updated the config using this LDIF:
dn: olcDatabase=${db},cn=config
changetype: modify
delete: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcMultiProvider
olcMultiProvider: TRUE
Hi Ulrich,
olcMirrorMode and olcMultiProvider are two names for the same attribute, you can get switched over just by slapcat+slapadd'ing the configuration.
So I don't understand why this won't work on the second node. Specifically I can restart the first node without an issue. The only difference is that the primary node has a patch against crashing on an invalid olcAuthzRegexp (I had reported).
Well can anybody explain what this message means?
It's saying you probably don't have an effective olcSyncrepl attribute on the database in question so it's not a "shadow" (doesn't replicate from anyone). This requirement will be softened somewhat in 2.7 (see ITS#9729).
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
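
Added example (not part of the original thread and not OpenLDAP project code): a small Python check that reads `slapcat -n0` style LDIF and reports databases whose replication attributes contradict each other. The first rule follows the reply above (olcMultiProvider needs an effective olcSyncrepl); the second rule is an assumed reading of the "shadow context; no update referral" error, and the sample LDIF with its example.com host names is constructed for illustration.

```python
import re

# Constructed sample in the shape of `slapcat -n0` output (not from the thread).
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcMultiProvider: TRUE

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSyncrepl: {0}rid=001 provider=ldap://ldap2.example.com
  searchbase="dc=example,dc=com" type=refreshAndPersist

dn: olcDatabase={2}mdb,cn=config
olcDatabase: {2}mdb
olcSyncrepl: {0}rid=002 provider=ldap://ldap2.example.com
olcMirrorMode: TRUE
"""

def parse_entries(ldif):
    """Return {dn: {lowercased attribute: [values]}} from plain LDIF text."""
    ldif = re.sub(r"\n ", "", ldif)  # unfold LDIF continuation lines
    entries = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn")[0]] = attrs
    return entries

def check_replication(ldif):
    """Return (dn, finding) pairs for inconsistent replication settings."""
    findings = []
    for dn, a in parse_entries(ldif).items():
        if "olcdatabase" not in a:
            continue
        # olcMirrorMode is the older name of olcMultiProvider (same attribute).
        multi = any(v.upper() == "TRUE" for v in
                    a.get("olcmultiprovider", []) + a.get("olcmirrormode", []))
        shadow = "olcsyncrepl" in a
        # Rule 1 is stated in the thread; rule 2 is an assumption (see lead-in).
        if multi and not shadow:
            findings.append((dn, "multi-provider without olcSyncrepl: not a shadow"))
        elif shadow and not multi and "olcupdateref" not in a:
            findings.append((dn, "shadow without olcUpdateRef: writes refused"))
    return findings
```

Running check_replication() on the LDIF copied to a second node before starting slapd shows which database entry would trigger the startup error.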