Hello Jonathan & Oliver,
Thanks for your answers... because you both are asking about config details, I'll try to answer, but you can find my complete slapd.conf below so that you can take a look yourself.
On 18.08.2010 11:57, Jonathan Clarke wrote:
Hi,
Does your config also contain appropriate SID definitions and a syncrepl consumer for each master? With mirrormode set to TRUE?
I think so; please see my complete slapd.conf below. @Oliver: Server IDs are different, and I think I also have a separate syncrepl section for every server.
Are the servers tightly time synchronized, via NTP or equivalent?
I'm in doubt about that. Of course ntp is configured and works on both servers, but the offset from their master timeserver differs quite a bit:

ldapmaster:
     remote           refid       offset
=========================================
 LOCAL(0)        .LOCL.           0.000
*ns1.at.signintr 192.168.220.82  48.630
+a891lx03.schenk 192.168.220.82 188.350

ldapslave:
     remote           refid       offset
=========================================
 LOCAL(0)        .LOCL.           0.000
*a890lx03.schenk 192.168.220.82   7.553
+ns2.at.signintr 192.168.220.82 132.635
I have read recommendations that the offset of both servers should not differ by more than one or two milliseconds, but I don't know how I could achieve or influence that. Both machines are in the same subnet and physically in the same location, and the hardware and ntpd setup is the same.
What error messages (if any) are given when running with "olcLogLevel: sync", on either nodes?
It logs a lot, and I don't know exactly what to look for. Please give me some time to arrange it into a readable form...
Here's my complete slapd.conf: --------------------------------
loglevel 16384
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base=""
 by * read
access to dn.base="cn=Subschema"
 by * read
access to attrs=userPassword,userPKCS12
 by self write
 by * auth
access to attrs=shadowLastChange
 by self write
 by * read
access to *
 by * read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

## server IDs/URLs for MMR ###
ServerID 1 "ldap://ldapmaster.local.site"
ServerID 2 "ldap://ldapslave.local.site"

#######################################################################
database config
rootdn cn=config
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q

### syncrepl directives for MMR of the config database (olc) ###
syncrepl rid=003
 provider="ldap://ldapmaster.local.site"
 searchbase="cn=config"
 type=refreshAndPersist
 retry="5 +"
 bindmethod=simple
 binddn="cn=config"
 credentials="<secret>"
 filter="(!(olcDatabase={0}config))"

syncrepl rid=004
 provider="ldap://ldapslave.local.site"
 searchbase="cn=config"
 type=refreshAndPersist
 retry="5 +"
 bindmethod=simple
 binddn="cn=config"
 credentials="<secret>"
 filter="(!(olcDatabase={0}config))"

overlay syncprov
MirrorMode On

#######################################################################
# BDB database definitions
#######################################################################

database hdb
suffix "dc=local,dc=site"
rootdn "cn=ldapadmin,dc=local,dc=site"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/
# Indices to maintain
index objectClass eq
index entryUUID,entryCSN eq

overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100

limits dn.exact="cn=replicator,dc=local,dc=site" size=unlimited time=unlimited

access to *
 by dn.exact="cn=replicator,dc=local,dc=site" read
 by * break

### syncrepl directives for MMR of the main context ###
syncrepl rid=001
 provider="ldap://ldapmaster.local.site"
 type=refreshAndPersist
 retry="5 +"
 searchbase="dc=local,dc=site"
 bindmethod=simple
 binddn="cn=replicator,dc=local,dc=site"
 credentials="<secret>"

syncrepl rid=002
 provider="ldap://ldapslave.local.site"
 type=refreshAndPersist
 retry="5 +"
 searchbase="dc=local,dc=site"
 bindmethod=simple
 binddn="cn=replicator,dc=local,dc=site"
 credentials="<secret>"

MirrorMode On
----------------------------------------
best regards.. -- elmar
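The two things Jonathan asks about in this thread, clock offset between the masters and whether each master's changes actually arrive at the other, can both be checked from data the servers already expose. The following Python script is an added example, not part of the original mail or of OpenLDAP: it parses `ntpq -p` style peer tables and compares the offset of the selected peer on each host, and it parses OpenLDAP contextCSN values (one per ServerID) and reports, per SID, how far apart the two masters' CSNs are. The ntpq sample is the trimmed table quoted in the mail; the contextCSN values and the host names are constructed for the example. Unlike the mail's trimmed table, the parser locates the `offset` column from the header line, so it also works on full `ntpq -p` output.

```python
"""Added example: clock-offset and contextCSN skew checks for a two-master
OpenLDAP MirrorMode pair. All sample data is constructed for the example."""
import re
from datetime import datetime, timezone

# Constructed ntpq -p output, trimmed to the three columns quoted in the mail.
NTPQ_MASTER = """\
     remote           refid       offset
=========================================
 LOCAL(0)        .LOCL.           0.000
*ns1.at.signintr 192.168.220.82  48.630
+a891lx03.schenk 192.168.220.82 188.350
"""
NTPQ_SLAVE = """\
     remote           refid       offset
=========================================
 LOCAL(0)        .LOCL.           0.000
*a890lx03.schenk 192.168.220.82   7.553
+ns2.at.signintr 192.168.220.82 132.635
"""

# Constructed contextCSN values as each provider would return them for the
# replicated suffix: one CSN per ServerID (SID 001 = ldapmaster, 002 = ldapslave).
MASTER_CSNS = ["20100818095700.000000Z#000000#001#000000",
               "20100818095655.500000Z#000000#002#000000"]
SLAVE_CSNS = ["20100818095700.000000Z#000000#001#000000",
              "20100818095658.500000Z#000000#002#000000"]


def selected_peer_offset_ms(ntpq_text):
    """Return the offset (ms) of the peer ntpd currently syncs to (tally code '*').

    The 'offset' column index is taken from the header line, so the function
    accepts both the trimmed table from the mail and full `ntpq -p` output."""
    lines = ntpq_text.splitlines()
    header = next(l for l in lines if "remote" in l and "offset" in l)
    offset_col = header.split().index("offset")
    for line in lines:
        if line.startswith("*"):
            fields = line[1:].split()  # drop the one-character tally code
            return float(fields[offset_col])
    raise ValueError("no selected peer ('*' line) in ntpq output")


def ntp_offset_delta_ms(text_a, text_b):
    """Absolute difference, in ms, between the two hosts' selected-peer offsets."""
    return abs(selected_peer_offset_ms(text_a) - selected_peer_offset_ms(text_b))


# OpenLDAP CSN: <UTC time>.<usec>Z#<count>#<sid>#<mod>, sid is 3 hex digits.
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


def parse_csn(csn):
    """Split a CSN into (UTC datetime, count, sid, modifier); raises on bad input."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("malformed CSN: %r" % csn)
    ts, usec, count, sid, mod = m.groups()
    when = datetime.strptime(ts + usec, "%Y%m%d%H%M%S%f").replace(tzinfo=timezone.utc)
    return when, int(count, 16), int(sid, 16), int(mod, 16)


def csn_skew(csns_a, csns_b):
    """Compare the contextCSN sets of two providers.

    Returns {sid: seconds} giving how far apart the two servers' CSN for that
    SID are (0.0 when identical). A SID present on only one side maps to None,
    which means that master's updates have not reached the other side at all."""
    by_sid_a = {parse_csn(c)[2]: parse_csn(c)[0] for c in csns_a}
    by_sid_b = {parse_csn(c)[2]: parse_csn(c)[0] for c in csns_b}
    skew = {}
    for sid in sorted(set(by_sid_a) | set(by_sid_b)):
        if sid in by_sid_a and sid in by_sid_b:
            skew[sid] = abs((by_sid_a[sid] - by_sid_b[sid]).total_seconds())
        else:
            skew[sid] = None
    return skew


if __name__ == "__main__":
    print("NTP selected-peer offset delta: %.3f ms" % ntp_offset_delta_ms(NTPQ_MASTER, NTPQ_SLAVE))
    for sid, secs in csn_skew(MASTER_CSNS, SLAVE_CSNS).items():
        state = "missing on one side" if secs is None else "%.3f s apart" % secs
        print("SID %03x: %s" % (sid, state))
```

On a live pair the contextCSN lists come from `ldapsearch -LLL -b dc=local,dc=site -s base contextCSN` against each provider; a SID that never shows up on the peer, or whose CSN stops advancing there, points at the consumer for that provider rather than at clock drift.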