Dear OpenLDAP Administrators,
Not sure if you have had time to look into this issue yet.
This issue only happens when one of the mirror servers is powered off or loses power, and could
probably be prevented by “sending a heartbeat” to verify the established connections.
Thanks for your time looking at this email thread and your effort :)
Thanks,
Eric
________________________________
From: owner-qdlcp-security(a)LIST.ALCATEL-LUCENT.COM
[mailto:owner-qdlcp-security@LIST.ALCATEL-LUCENT.COM] On Behalf Of ZHOU Eric JP
Sent: January 4, 2012 15:56
To: openldap-bugs(a)openldap.org; info(a)OpenLDAP.org; openldap-technical(a)openldap.org;
openldap-devel(a)openldap.org
Cc: qdlcp-security(a)list.alcatel-lucent.com; ANTHONY Michael; HO Yao; VAN RANGELROOIJ
Ardo
Subject: OpenLDAP replication issue with MirrorMode
Dear OpenLDAP Administrators,
Recently we came across an OpenLDAP replication issue with OpenLDAP Mirror Mode.
After configuring MIRROR-A and MIRROR-B in mirror mode with the configuration below, it worked
pretty well for a long period.
But an issue came up after MIRROR-A rebooted: MIRROR-B could not get modifications from
MIRROR-A any more.
After investigating the issue we found that the original socket on MIRROR-B (consumer) is not
reconnected.
====================================
## MIRROR-A ----------------------------------------------------------------------
## ----------------------------------------------------------------------
serverID 1
## Consumer
## (syncrepl parameters are continuation lines and must start with whitespace)
syncrepl rid=001
  provider=ldap://10.207.131.1:389
  bindmethod=simple
  binddn="uid=PrivDirUsr,o=CSOSSO"
  credentials=mypassword
  searchbase="o=CSOSSO"
  schemachecking=on
  type=refreshAndPersist
  interval=00:00:01:00
  retry="10 +"
mirrormode on
## MIRROR-B ----------------------------------------------------------------------
## ----------------------------------------------------------------------
serverID 2
## Consumer
## (syncrepl parameters are continuation lines and must start with whitespace)
syncrepl rid=001
  provider=ldap://10.207.130.1:389
  bindmethod=simple
  binddn="uid=PrivDirUsr,o=CSOSSO"
  credentials=mypassword
  searchbase="o=CSOSSO"
  schemachecking=on
  type=refreshAndPersist
  interval=00:00:01:00
  retry="10 +"
mirrormode on
Below is the socket information after the MIRROR-A reboot:
====================================
## MIRROR-A ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 16842 root 14u IPv4 36160 TCP ln007-cnfg-p00m000-d0:51114->10.207.131.1:ldap (ESTABLISHED)
## MIRROR-B ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 4825 root 14u IPv4 168497 TCP ln007-cnfg-p00m001-d0:52239->10.207.131.0:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m001-d0:ldap->10.207.130.0:51114 (ESTABLISHED)
Normally it should be,
## MIRROR-A ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 16842 root 14u IPv4 36160 TCP ln007-cnfg-p00m000-d0:51114->10.207.131.1:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m000-d0:ldap->10.207.130.1:52239 (ESTABLISHED) // This link is missing
## MIRROR-B ----------------------------------------------------------------------
# lsof -i :389 | grep ldap | grep -v sshd | grep -v localhost | grep 10
slapd 4825 root 14u IPv4 168497 TCP ln007-cnfg-p00m001-d0:52239->10.207.131.0:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m001-d0:ldap->10.207.130.0:51114 (ESTABLISHED)
I would greatly appreciate it if you could provide some suggestions/comments on this or
improve OpenLDAP functionality to avoid this.
For me, I think this is a normal TCP server-down scenario, but perhaps you people could
prevent this from happening with one of the two methods below?
1. Let OpenLDAP send a mutual heartbeat so that the client knows when the server is dead.
2. Let OpenLDAP send a message to all its clients when it is dying (e.g. on receiving SIGTERM)
// this does not work when MIRROR-A is power cycled.
Sincerely,
Eric Zhou Jianping
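
The socket comparison in the message above, as an added example (not part of the original e-mail and not OpenLDAP code): it pairs each consumer-side connection in one mirror's lsof listing with the accepted connection in the other's, and reports ports that exist only on the consumer side, which is the stale socket described. The function names are hypothetical, and matching on the ephemeral port alone is an assumption that fits this two-host listing, where lsof prints hostnames on one side and addresses on the other.

```python
import re

LDAP = {"ldap", "389"}  # lsof prints the service name unless run with -P
# NAME column of `lsof -i` (IPv4): local:port->remote:port (STATE)
NAME_RE = re.compile(r"([^\s:]+):(\w+)->([^\s:]+):(\w+)\s+\((\w+)\)")

def parse_lsof(text):
    """Return (outbound, inbound) ephemeral ports of ESTABLISHED LDAP sockets."""
    outbound, inbound = set(), set()
    for _lhost, lport, _rhost, rport, state in NAME_RE.findall(text):
        if state != "ESTABLISHED":
            continue
        if rport in LDAP and lport not in LDAP:
            outbound.add(lport)   # this host connected to a remote slapd
        elif lport in LDAP and rport not in LDAP:
            inbound.add(rport)    # a remote consumer connected to this slapd
    return outbound, inbound

def half_open(consumer_lsof, provider_lsof):
    """Ports of consumer-side sockets that the provider has no record of."""
    outbound, _ = parse_lsof(consumer_lsof)
    _, inbound = parse_lsof(provider_lsof)
    return sorted(outbound - inbound)

# Listings copied from the message, with wrapped lines joined.
MIRROR_A_AFTER = """\
slapd 16842 root 14u IPv4 36160 TCP ln007-cnfg-p00m000-d0:51114->10.207.131.1:ldap (ESTABLISHED)
"""
MIRROR_B_AFTER = """\
slapd 4825 root 14u IPv4 168497 TCP ln007-cnfg-p00m001-d0:52239->10.207.131.0:ldap (ESTABLISHED)
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m001-d0:ldap->10.207.130.0:51114 (ESTABLISHED)
"""
# The "normally it should be" state: MIRROR-A also holds the accepted socket.
MIRROR_A_NORMAL = MIRROR_A_AFTER + """\
slapd 4825 root 18u IPv4 193403 TCP ln007-mi-p00m000-d0:ldap->10.207.130.1:52239 (ESTABLISHED)
"""

if __name__ == "__main__":
    print("stale on MIRROR-B:", half_open(MIRROR_B_AFTER, MIRROR_A_AFTER))
    print("stale on MIRROR-A:", half_open(MIRROR_A_AFTER, MIRROR_B_AFTER))
    print("expected state:   ", half_open(MIRROR_B_AFTER, MIRROR_A_NORMAL))
```

Run against live listings, a non-empty result for a consumer means its refreshAndPersist session is attached to a socket the provider no longer has.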