Jeffrey Crawford wrote:
I'm trying to stabilize our openldap server farm before going live and am finding that despite the contextCSN matching between providers and replicas, the actual content of the server is getting out of sync. This is most prominent when we are testing our population routine and we need to remove all accounts before starting. right now it's only about 22000 entries (It will get much larger).
During the mass delete we got the following sprinkled throughout the logs on all machines: ==== Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: bdb(dc=domain,dc=name): previous transaction deadlock return not resolved
Wow. I've never seen this error message before. What version of OpenLDAP and BerkeleyDB are you using?
Nov 15 15:47:16 idm-prod-ldap-2 slapd[33070]: => bdb_idl_delete_key: cursor failed: Invalid argument (22)
and the various replicas would still have accounts left over but they wouldn't match each other.
There are known bugs in syncrepl delete handling. ITS#7052 is probably relevant here. The fix will be in 2.4.27.