On Tue, 2008-12-23 at 15:55 +0000, Gavin Henry wrote:
Try dropping nopresent and reloadhint relating to ITS5669. You only need these two syncprov settings on an accesslog db.
Gavin.
Thanks, that did the job!
Pat
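The change Gavin recommends, written out as an added slapd.conf fragment that is not part of the original thread: the syncprov stanza exactly as it appears in the config quoted below, the corrected stanza for plain multi-master syncrepl, and the one place where syncprov-nopresent and syncprov-reloadhint do belong, a separate accesslog database used for delta-syncrepl. The cn=accesslog suffix, its directory, the accesslog overlay settings and the consumer-side syncdata parameters are the standard delta-syncrepl layout, assumed here for illustration; nothing in the thread says IWU used delta-syncrepl. slapd.conf does not allow trailing comments, so every comment sits on its own line.

```conf
# --- Before (as posted): syncprov on the main hdb database ---
# syncprov-nopresent TRUE skips the Present phase of a refresh, so a consumer
# that starts empty never learns which entries it is missing and stops with a
# partial copy (41 entries on ldap1, 18 on ldap2). syncprov-reloadhint TRUE
# likewise only makes sense on a log database.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# --- After: plain (non-delta) multi-master syncrepl on the main database ---
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200

# --- Where the two directives are correct: delta-syncrepl (assumed layout) ---
# On the main database, record successful writes into a log database ...
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# keep 7 days of log, purge once a day
logpurge 07+00:00 01+00:00

# ... and serve that log with its own syncprov instance.
database hdb
suffix "cn=accesslog"
directory /var/lib/ldap/accesslog
rootdn "cn=accesslog"
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# A delta-syncrepl consumer then adds these to its syncrepl stanza on the
# main database (assumed values); a plain consumer like the one posted does not.
#   logbase="cn=accesslog"
#   logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
#   syncdata=accesslog
```

After reloading both servers, check that they have converged rather than trusting entry counts: read the base entry's contextCSN from each side, for example `ldapsearch -x -ZZ -H ldap://ldap1.iwu.edu -b dc=iwu,dc=edu -s base contextCSN` and the same against ldap2.iwu.edu (-ZZ because the posted config requires an SSF of at least 1). In multi-master each server carries one contextCSN per serverID, and the two sets must be identical when the pair is in sync.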
On 23/12/2008, Pat Riehecky prieheck@iwu.edu wrote:
On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
Can you post your config somewhere?
allow bind_v2

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/eduperson-200412.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/IWU.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
moduleload memberof
moduleload syncprov
moduleload smbk5pwd

tool-threads 2
sizelimit 500
idletimeout 7200

TLSCACertificateFile /etc/ldap/ssl/IWU.crt
TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
TLSVerifyClient allow

localSSF 160
security ssf=1 update_ssf=128 simple_bind=112
sasl-secprops noanonymous

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

backend hdb
database hdb

overlay memberof
overlay smbk5pwd
overlay syncprov

smbk5pwd-enable samba
smbk5pwd-enable krb5
smbk5pwd-must-change 0

syncprov-checkpoint 100 10
syncprov-sessionlog 200
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

suffix "dc=iwu,dc=edu"
rootdn "cn=admin,dc=iwu,dc=edu"
rootpw {redacted}

authz-regexp "uidNumber=0\\ +gidNumber=.*,cn=peercred,cn=external,cn=auth" "cn=ldapi,dc=iwu,dc=edu"
authz-regexp "gidNumber=.*\\ +uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=ldapi,dc=iwu,dc=edu"
authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"

directory "/var/lib/ldap/"

dbconfig set_cachesize 0 62914560 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Make sure to do a nightly slapcat
dbconfig set_flags DB_LOG_AUTOREMOVE

index objectClass eq,pres
index default eq,sub,pres
index mail eq,sub,pres
index sn eq,sub,pres
index cn eq,sub,pres
index displayName eq,sub,pres
index gecos eq,sub,pres
index uid eq,sub,pres
index memberUid eq,sub,pres
index uidNumber eq,pres
index gidNumber eq,pres
index entryCSN eq,pres
index entryUUID eq,pres
index uniqueMember eq,pres
index userPassword eq,pres
index krb5PrincipalName eq,pres
index krb5PrincipalRealm eq,pres
index sambaDomainName eq,pres
index sambaSID eq,pres
index sambaPrimaryGroupSID eq,pres
index sambaSIDList eq,pres

lastmod on
checkpoint 256 15
password-hash {SSHA}

limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited

access to dn.sub="dc=iwu,dc=edu"
        by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
        by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
        by dn.exact="cn=mirror,dc=iwu,dc=edu" read
        by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
        by * break

access to dn.sub="dc=iwu,dc=edu" attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
        by anonymous auth
        by self write
        by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
        by users auth
        by * break

access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none

access to dn.regex="uid=.*$,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read by * none
access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self read by * none

access to dn.sub="dc=iwu,dc=edu" attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
        by self write
        by users read
        by anonymous none
        by * break

access to dn.sub="dc=iwu,dc=edu" attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
        by self read
        by anonymous none
        by * break

access to dn.sub="dc=iwu,dc=edu" attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
        by * none

access to dn.sub="dc=iwu,dc=edu" attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
        by self read
        by anonymous none
        by * break

access to dn.sub="dc=iwu,dc=edu" by * read

serverID 1

syncrepl rid=2
        provider=ldap://ldap2.iwu.edu/
        schemachecking=off
        searchbase="dc=iwu,dc=edu"
        scope=sub
        type=refreshAndPersist
        binddn="cn=mirror,dc=iwu,dc=edu"
        credentials={redacted}
        bindmethod=simple
        starttls=yes
        tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
        tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
        tls_cacert=/etc/ldap/ssl/IWU.crt
        tls_reqcert=try
        interval=00:00:00:30
        retry="15 +"
        timeout=1
        timelimit=unlimited
        sizelimit=unlimited

mirrormode on

###############################

database monitor

limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited

access to dn.exact="cn=Monitor" by dn.exact="cn=admin,dc=iwu,dc=edu" read by * none
access to dn.subtree="cn=Monitor" by dn.exact="cn=admin,dc=iwu,dc=edu" read by * none
On 22/12/2008, Pat Riehecky prieheck@iwu.edu wrote:
Here is the quick and dirty what I am trying to do:
ldap1 and ldap2 are supposed to be in MultiMaster. They are time synced to pool.ntp.org and each other (if they drift I would rather they sorta drift together, but pool should be keeping that in check).
Right now I am just beating them up to see how 2.4.13 performs. (So far VERY well, minus this little problem)
I have a rather small ldif (41 entries) that just won't sync (I'm starting small). Debug gives me
ber_scanf fmt (m}) ber:
ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
  0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30  .<rid=001,sid=00
  0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37  2,csn=2008122217
  0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30  4721.855904Z#000
  0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30        000#001#000000
do_syncrep2: cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
do_syncrep2: rid=001 CSN too old, ignoring 20081222174721.855904Z#000000#001#000000
ldap_msgfree
I am not exactly sure how it got to be "too old." The ldif I am importing is not the result of a slapcat or anything that would preserve the CSN or UUID attributes (not that syncrepl uses UUID). I am loading one single file with ldapadd which, in my understanding, sets up the CSN and wouldn't let me import one anyway.
Each server has no entries until I load the one, so there shouldn't be any weird stale CSNs causing this. They are "sync'ed" almost instantly after the one system is loaded - I just don't have everything.
After a sync:
ldap1 - slapcat | grep dn: | wc -l = 41
ldap2 - slapcat | grep dn: | wc -l = 18
Right now I can get them in sync with a slapcat/slapadd, but when they go into production I won't be able to say for certain which one is authoritative. That is the purpose of multi-master....
OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
Any ideas as to what I can do to stop this from happening?
Pat
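The "CSN too old" line in Pat's trace is the consumer refusing a cookie whose CSN is not newer than the one it already holds for the same serverID. As an added example that is not code from the thread or from OpenLDAP, the script below decodes the four ber_dump rows from the trace back into the cookie they carry (the rows are embedded as constructed input), parses the cookie into rid, sid and CSN, splits the CSN into its GeneralizedTime, change count, originating serverID and modification count, and reproduces the per-serverID comparison slapd makes. Reading the second byte ahead of the cookie text as the BER length octet (0x3c = 60, the cookie's length) is an assumption about this trace and is checked against the decoded text; the "consumer state" CSNs used at the end are constructed to show both outcomes.

```python
"""Decode a slapd ber_dump trace into its syncrepl cookie, parse the CSN, and
reproduce the per-serverID ordering check behind "CSN too old, ignoring".

Added example; not code from the original thread or from OpenLDAP itself.
"""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed input: Pat's four ber_dump rows, one row per line. The extracted
# text lost the column spacing, so each row is parsed by the run of two-digit
# hex tokens after the "OFFS:" prefix; the trailing ASCII column is ignored.
BER_DUMP = """\
0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 .<rid=001,sid=00
0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37 2,csn=2008122217
0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30 4721.855904Z#000
0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30 000#001#000000
"""

_ROW = re.compile(r"^([0-9a-fA-F]{4}): ((?:[0-9a-fA-F]{2} ){1,16})")
# CSN = GeneralizedTime '#' count (6 hex) '#' serverID (3 hex) '#' modcount (6 hex)
_CSN = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


class CSN(NamedTuple):
    raw: str
    time: datetime   # UTC, microsecond resolution
    count: int       # changes within the same microsecond
    sid: int         # serverID of the server that originated the change
    mod: int         # modification counter


class Cookie(NamedTuple):
    rid: str         # id of the consumer's syncrepl stanza
    sid: str         # serverID carried in the cookie
    csns: List[str]  # one CSN per serverID, ';'-separated inside the cookie


def ber_dump_bytes(dump: str) -> bytes:
    """Recover the raw bytes from ber_dump rows; offsets must be contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("non-contiguous ber_dump row: %r" % line)
        out += bytes.fromhex(m.group(2).strip())
    return bytes(out)


def cookie_from_dump(dump: str) -> str:
    """Two bytes precede the cookie text in this trace; the second is taken to be
    the BER length octet (assumption) and is verified against the decoded text."""
    raw = ber_dump_bytes(dump)
    length = raw[1]
    text = raw[2:].decode("ascii")
    if len(text) != length:
        raise ValueError("cookie is %d bytes, header says %d" % (len(text), length))
    return text


def parse_cookie(cookie: str) -> Cookie:
    fields: Dict[str, str] = {}
    for part in cookie.split(","):
        key, _, value = part.partition("=")
        fields[key] = value
    return Cookie(fields["rid"], fields["sid"], fields["csn"].split(";"))


def parse_csn(text: str) -> CSN:
    m = _CSN.match(text)
    if not m:
        raise ValueError("not a CSN: %r" % text)
    stamp = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S%f")
    return CSN(text, stamp, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16))


def is_too_old(received: CSN, stored: CSN) -> bool:
    """The consumer keeps one CSN per serverID and accepts an incoming CSN only if
    it is strictly newer than the stored one for the same serverID. Every field
    is fixed width, so the byte comparison slapd performs is also chronological.
    CSNs from different serverIDs are never ordered against each other."""
    return received.sid == stored.sid and received.raw <= stored.raw


def stale_csns(cookie: str, consumer_csns: List[str]) -> List[str]:
    """CSNs in an incoming cookie that a consumer holding consumer_csns would ignore."""
    have = {c.sid: c for c in map(parse_csn, consumer_csns)}
    stale = []
    for text in parse_cookie(cookie).csns:
        r = parse_csn(text)
        if r.sid in have and is_too_old(r, have[r.sid]):
            stale.append(text)
    return stale


if __name__ == "__main__":
    cookie = cookie_from_dump(BER_DUMP)
    c = parse_cookie(cookie)
    csn = parse_csn(c.csns[0])
    print("cookie:", cookie)
    print("rid=%s sid=%s, change originated on serverID %d at %s UTC"
          % (c.rid, c.sid, csn.sid, csn.time.isoformat()))
    # Constructed consumer state: a later CSN for serverID 1 makes the incoming one stale.
    print("stale:", stale_csns(cookie, ["20081222174800.000000Z#000000#001#000000"]))
```

The decoded timestamp, 17:47:21 UTC on 2008-12-22, matches the day the original message was sent, and the CSN's own serverID field (#001) shows the change was generated on the server with serverID 1, whichever of the pair was loaded with the ldif. Since both servers share one clock source via NTP, a CSN that the provider considers newer can only look old to the consumer if the consumer already stored a later CSN for that serverID; Gavin's answer above explains how the refresh got into that state, and this check is the mechanism that then produces the partial copy.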