Sent: Sun May 27 2012 13:11:32 GMT-0400 (EDT)
From: Elias Probst <mail@eliasprobst.eu>
To: openldap-technical@openldap.org
Subject: syncrepl for cn=config, changes fail with "tag=103 err=53 text=shadow context; no update referral"
Hi List,

I'm trying to set up a master/master replication scenario, starting with 
getting cn=config replicated properly using OpenLDAP 2.4.30 on Gentoo.

I've tried to start with a minimal config which is now up and running on both 
servers.

As long as I start only one of the two servers I can edit everything in 
cn=config just fine, but as soon as they both run at the same time, they get 
into a state which causes some trouble.
Even shutting down one of the two doesn't help then; I need to start from 
scratch again at this point.

Submitting any changes results in this error message:
RESULT tag=103 err=53 text=shadow context; no update referral

There are two servers, connected via OpenVPN:
ID 1, 10.44.0.1
ID 2, 10.44.0.7

I use the following configuration file to seed the initial online 
configuration for each server, before bringing them both up, using:
slapd -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d1

moduleload    memberof.so
moduleload    syncprov.so
moduleload    refint.so

include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/openssh.schema

TLSCACertificateFile    /etc/ssl/slapd/slapd.cacrt
TLSCertificateFile      /etc/ssl/slapd/slapd.crt
TLSCertificateKeyFile   /etc/ssl/slapd/slapd.key
TLSVerifyClient         allow

pidfile        /var/run/openldap/slapd.pid
argsfile       /var/run/openldap/slapd.args

loglevel    256

access to attrs=userPassword
    by self write
    by * auth

access to *
    by * read

ServerID    1    ldap://10.44.0.1
ServerID    2    ldap://10.44.0.7

backend        bdb

database        config
rootdn          cn=config
rootpw          {SSHA}RI/d8i2R7XXlo2+kf2LcYzYOcIry+qaa

syncrepl        rid=001
                provider="ldap://10.44.0.7"
                binddn="cn=config"
                bindmethod="simple"
                credentials="nothingtoseehere"
                searchbase="cn=config"
                type=refreshAndPersist
                retry="10 +"
                filter="(!(olcDatabase={0}config))"

syncrepl        rid=002
                provider="ldap://10.44.0.1"
                binddn="cn=config"
                bindmethod="simple"
                credentials="nothingtoseehere"
                searchbase="cn=config"
                type=refreshAndPersist
                retry="10 +"
                filter="(!(olcDatabase={0}config))"

overlay         syncprov


I don't quite understand the error message, as it somehow indicates the 
servers would be running in shadow context/MirrorMode, which is set to FALSE.

So does anyone have an idea what's wrong with my setup?

Thanks a lot!

- Elias


You need to enable MirrorMode.
The official multi-master replication guide covers this:
http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master

You are getting the error because the database thinks it is a slave to the other database, so it disallows local writes. MirrorMode is just as it sounds, both servers are 'mirrors'.

-Patrick
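
Added example, not part of the thread and not OpenLDAP code: a small Python check for the condition described in the reply, listing every database section of a slapd.conf that has syncrepl directives but no "mirrormode on". The function names and the sample configuration (reduced from the one posted above) are constructed for illustration, and only slapd.conf syntax is handled, not cn=config LDIF.

```python
# Constructed sample, reduced from the configuration posted in the thread.
SAMPLE = """\
ServerID    1    ldap://10.44.0.1
ServerID    2    ldap://10.44.0.7

database        config
rootdn          cn=config
syncrepl        rid=001
                provider="ldap://10.44.0.7"
                type=refreshAndPersist
syncrepl        rid=002
                provider="ldap://10.44.0.1"
                type=refreshAndPersist
overlay         syncprov
"""

def logical_lines(text):
    """Yield directives with continuation lines joined and comments dropped."""
    current = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        # A line that begins with whitespace continues the previous directive.
        if raw[:1] in (" ", "\t") and raw.strip():
            if current is not None:
                current += " " + raw.strip()
            continue
        if current:
            yield current
        current = raw.strip() or None
    if current:
        yield current

def shadow_databases(text):
    """Return names of database sections with syncrepl but no 'mirrormode on'.
    Such a database acts as a shadow (consumer) and refuses local writes."""
    sections, cur = [], None
    for words in (line.split() for line in logical_lines(text)):
        key = words[0].lower()
        if key == "database" and len(words) > 1:
            cur = {"name": words[1], "syncrepl": 0, "mirror": False}
            sections.append(cur)
        elif cur is not None and key == "syncrepl":
            cur["syncrepl"] += 1
        elif cur is not None and key == "mirrormode" and len(words) > 1:
            cur["mirror"] = words[1].lower() in ("on", "true", "yes")
    return [s["name"] for s in sections if s["syncrepl"] and not s["mirror"]]

if __name__ == "__main__":
    print("databases that will reject writes:", shadow_databases(SAMPLE))
```

Run against the posted configuration, it reports the config database; adding `mirrormode on` to that section after the syncrepl statements clears the finding.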