Hi,
We're using a proxied sync-repl installation to populate various consumers from our single master.
For some time now, we've been seeing all kind of strange phenomenons, mostly with missing objects on some (not all consumers). Previously, our consumers and our master hadn't been identical with regards to the OpenLDAP version and the operating system used. While, according to the specs, this should have worked, we decided to rule out one source of trouble and upgrade our infrastructure and so right now, we're using OpenLDAP 2.4.47 on debian buster on all involved boxes:
% dpkg -l slapd [...] ii slapd 2.4.47+dfsg-3+deb10u4 amd64 OpenLDAP server (slapd)
One of the issue we're currently seeing is that memberOf queries don't work as expected. Different consumers yield different results, which again are different from what the master has.
See for example:
# on the master root@minerva:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com memberOf: cn=qube,ou=Group,dc=example,dc=com
# consumer #1 root@demeter:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com
# consumer #2 root@peta:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com
However, when I investigate the group, I see the user listed in every one of them:
# on the master root@minerva:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
# on consumer #1 root@demeter:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
# on consumer #2 root@peta:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
The master only shares the relevant part of the DIT to the consumers, so unfortunately I cannot 1:1 compare them using slapcat. But if I again apply a group filter, slapcat delivers correct results on all instances as well (ie slapcat -a 'cn=qube')
My first idea was an index issue, but running slapindex didn't change anything.
Any ideas what might be wrong and/or how to debug this issue?
Additionally - bear with me - we're not using cn=config, but the old style slapd.conf configuration.
Thanks
Udo