On 29Jun16 10:04-0700, Quanah Gibson-Mount wrote:
--On Wednesday, June 29, 2016 4:21 PM +0200 Bastian Tweddell b.tweddell@fz-juelich.de wrote:
On 27Jun16 09:16-0700, Quanah Gibson-Mount wrote:
--On Monday, June 27, 2016 2:00 PM +0000 Gurjot Kaur gurjot.kaur@aricent.com wrote:
Thanks Bastian for your response.
But I want to clear that I don't use slapadd while slapd is running. I have LDIF data which needs to be imported in the new Multimaster servers. That's why I used slapadd. When I did the import (slapadd) with the big data, it doesn't get replicated. To check the problems I did the import with single entry only.
It is not now, nor has it ever been, supported to do an offline add via slapadd on a master, and then magically expect that to replicate out to a consumer via syncrepl. Syncrepl is an active protocol (it replicates the changes that occur while slapd is running). If you are going to offline modify slapd on the master, you will have to do the same thing on the replicas, OR reload them via slapadd, OR trigger a refresh manually on the replicas.
How to trigger a refresh on a replica?
One question:
My disaster recovery (and sandbox initialization) is using slapadd to bring up a fresh instance of my ldap environment. Technically:
- bring up n replicated slapds with an empty db - stop them - slapadd the db dump into A - start A - start B..That always worked. By now, I have to say. I even use slapadd without -w.
Do I understand correctly, that I should prefer the use of ldapadd? Does ldapadd also support operational and user attributes?
You should just slapadd A & B at the same time. It's the most efficient way to load an OpenLDAP Server.
I would like to elaborate a bit more on that.
From the manual [1]: --- paste: 18.1.1.2. Syncrepl Details --- [...] Note that at startup time, if the provider is unable to read a contextCSN from the suffix entry, it will scan the entire database to determine the value, and this scan may take quite a long time on a large database. When a contextCSN value is read, the database will still be scanned for any entryCSN values greater than it, to make sure the contextCSN value truly reflects the greatest committed entryCSN in the database. [...] --- eop ---
1: http://www.openldap.org/doc/admin24/replication.html#LDAP%20Sync%20Replicati...
A bit more detail about the disaster recovery method I (plan to) use: - recreate two slapds A and B (mirrormode) - the slapdump file of my data base contains contextCSN, entryCSN attributes for all entries - slapadd is used without -w to db of slapd A - Starting slapd A - After that, slapd B is started which has a complete empty DB, even without an entry for the suffix - A complete synchronization takes place from A to B
After reading the manual again, when B comes up it does not have any idea in which state the provider engine is, so it has nothing to do. The consumer facility then fetches all entries from the provider in A.
Further from the manual [2]: --- paste: 18.3.1.4. Start the provider and the consumer slapd --- [...] contextCSN is automatically generated as needed: it might be originally contained in the LDIF file, generated by slapadd (8), generated upon changes in the context, or generated when the first LDAP Sync search arrives at the provider [...] --- eop ---
2: http://www.openldap.org/doc/admin24/replication.html#Syncrepl
This part lets me believe, that even if I do not have contextCSN in my db in A these would be created on the first sync requested from B.
- What is the designed behavior for the consumer engine if the db is completely empty?
- How to trigger a refresh on the consumer? I have never done that, but I can imagine, that is done by slapd -c?
About the question from Gurjot, where he misses entries on the replicated side. What about, after he slapadds his entries to the db, remove the contextCSN entry of his suffix. When slapd starts up, the syncrepl engine would scan the entire DB.
In any case, my assumptions rely on the admin manual which might not reflect the code base. But from what I read, I still feel I did it the right way all by now. So Quanah, if you find some time, please let me know what I am missing and why my disaster recovery is unsafe.
Cheers,