Followup: I had added a ppolicy module to Master but not to Consumer. Thus the message about pwdChangedTime. Adding the module to consumer fixed replication.
-danny
On Fri, Jan 12, 2018 at 4:33 PM, Daniel Howard <dannyman@toldme.com> wrote:
Hello,
We have OpenLDAP replication set up based on the docs at https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-server-replication
I noticed recently a symptom, whereby a new user exists only on the primary.
So, I started to debug:
Master: (ldap0)
0-16:23 djh@ldap0 ~$ ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN
dn: dc=qxxxxxxxxd,dc=com
contextCSN: 20180113002606.399160Z#000000#000#000000
Consumer: (ldap1)
0-16:23 djh@ldap1 ~$ ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN
dn: dc=qxxxxxxxxd,dc=com
contextCSN: 20171121212631.416502Z#000000#000#000000
Ooohhh, my!
I have a lot of messages like this on the consumer:
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=djh,ou=People,dc=qxxxxxxxxd,dc=com, UUID: 29f7fc06-7c2a-1035-83e5-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 inserted UUID 29f7fc06-7c2a-1035-83e5-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: dn_callback : entries have identical CSN uid=djh,ou=People,dc=qxxxxxxxxd,dc=com 20180113002133.183992Z#000000#000#000000
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 be_search (0)
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 uid=djh,ou=People,dc=qxxxxxxxxd,dc=com
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 entry unchanged, ignored (uid=djh,ou=People,dc=qxxxxxxxxd,dc=com)
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=john,ou=People,dc=qxxxxxxxxd,dc=com, UUID: ddaae880-7c2f-1035-83ed-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 mods check (pwdChangedTime: attribute type undefined)
Jan 12 16:28:55 ldap1 slapd[5383]: do_syncrepl: rid=317 rc 17 retrying
What is funny is I can, for example, change the loginshell on my account, and that replicates.
Is the latter message about pwdChangedTime a clue that maybe I had a schema change on Master that hasn't been applied to Consumer?
Please advise on where to look next? Thanks!
-danny
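
Added example, not part of the original thread: a small Python check that automates the two observations above, the contextCSN gap between master and consumer and the "attribute type undefined" line that stalls syncrepl. The CSN values and log lines are copied from the post; the function names are hypothetical, and pairing the undefined attribute with the most recent DN for the same rid is an assumption based on the log order shown.

```python
import re
from datetime import datetime

# Sample data copied from the post above (the suffix is redacted in the original).
MASTER_CSN = "20180113002606.399160Z#000000#000#000000"
CONSUMER_CSN = "20171121212631.416502Z#000000#000#000000"
CONSUMER_LOG = """\
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=djh,ou=People,dc=qxxxxxxxxd,dc=com, UUID: 29f7fc06-7c2a-1035-83e5-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 entry unchanged, ignored (uid=djh,ou=People,dc=qxxxxxxxxd,dc=com)
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=john,ou=People,dc=qxxxxxxxxd,dc=com, UUID: ddaae880-7c2f-1035-83ed-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 mods check (pwdChangedTime: attribute type undefined)
Jan 12 16:28:55 ldap1 slapd[5383]: do_syncrepl: rid=317 rc 17 retrying
""".splitlines()

DN_RE = re.compile(r"syncrepl_message_to_entry: rid=(\d+) DN: (.+), UUID: ")
UNDEF_RE = re.compile(r"rid=(\d+) mods check \((\S+): attribute type undefined\)")


def csn_time(csn):
    """Return the timestamp field of a CSN (text before the first '#') as naive UTC."""
    return datetime.strptime(csn.split("#", 1)[0], "%Y%m%d%H%M%S.%fZ")


def replication_lag(master_csn, consumer_csn):
    """How far the consumer's contextCSN trails the master's."""
    return csn_time(master_csn) - csn_time(consumer_csn)


def schema_mismatches(lines):
    """Return (rid, dn, attribute) for each entry the consumer rejected
    because its schema does not define an attribute the master sent."""
    last_dn = {}  # rid -> DN of the entry currently being processed (assumed pairing)
    hits = []
    for line in lines:
        m = DN_RE.search(line)
        if m:
            last_dn[m.group(1)] = m.group(2)
            continue
        m = UNDEF_RE.search(line)
        if m:
            rid, attr = m.groups()
            hits.append((rid, last_dn.get(rid), attr))
    return hits


if __name__ == "__main__":
    print("consumer lag:", replication_lag(MASTER_CSN, CONSUMER_CSN))
    for rid, dn, attr in schema_mismatches(CONSUMER_LOG):
        print(f"rid={rid}: consumer schema lacks {attr} (entry {dn})")
```

A non-empty result from `schema_mismatches` points at a schema or overlay present on the master and missing on the consumer, which matches the ppolicy fix described in the followup.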