On 09/11/2009 14:33, Scott Behrens wrote:
The client pointing to the replica is a 3rd host also running centOS. OpenLDAP 2.3.43. I can pretty much narrow down the issue to configuration, our network/server config side is pretty straightforward.
I turned the logging to 256 on the replica, I pointed my client using authconfig to the replica.
su - ldapuser
Just hangs, in the logs on replica:
Nov 9 02:25:48 mnetmgt2 slapd[30963]: slapd shutdown: initiated Nov 9 02:25:48 mnetmgt2 slapd[30963]: ====> bdb_cache_release_all Nov 9 02:25:48 mnetmgt2 slapd[30963]: slapd destroy: freeing system resources. Nov 9 02:25:48 mnetmgt2 slapd[30963]: slapd stopped. Nov 9 02:25:48 mnetmgt2 slapd[15086]: @(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:59:37) $ mockbuild@builder10.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd Nov 9 02:25:48 mnetmgt2 slapd[15087]: slapd starting
This log just shows slapd being shut down and restarted. Nothing connection related - did you restart slapd after changing the loglevel in slapd.conf? Without more logs, it's hard to tell what's going on.
A good test would be to use ldapsearch directly to interrogate your two servers. This will help determine whether the problem is coming from your LDAP server(s) or your system authentication settings.
Hope this helps, Jonathan
If I point it back to the primary, it works fine. Here are the slapd files, they look correct based on what I read in the documentation.
Primary Slapd.conf:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/solaris.schema include /etc/openldap/schema/sudo.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/openldap.schema
# DATABASE CONFIG database bdb suffix "dc=domain,dc=com" rootdn "cn=Manager,dc=domain,dc=com" rootpw {SSHA}somepassword
directory /var/lib/ldap
index entryCSN,entryUUID eq,pres index objectClass,uid,uidNumber,gidNumber,ou eq index cn,mail,surname,givenname eq,subinitial index memberUid eq index nisDomain eq index uniqueMember pres #index sudoUser eq,sub
overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 loglevel 1
# Performance tuning directives sizelimit 5000 threads 16 idletimeout 14400 cachesize 10000 checkpoint 256 15 password-hash {SSHA}
Replica slapd.conf file:
nclude /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/solaris.schema include /etc/openldap/schema/sudo.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/duaconf.schema
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# DATABASE CONFIG database bdb suffix "dc=domain,dc=com" rootdn "cn=Manager,dc=domain,dc=com" rootpw {SSHAsomehash
index entryCSN,entryUUID eq,pres directory /var/lib/ldap loglevel 256
syncrepl rid=001 provider=ldap://10.10.1.91 interval=00:05:00:00 bindmethod=simple scope=sub filter="(objectClass=organizationalPerson)" attrs="cn,sn,ou,telephoneNumber,title,l" searchbase="dc=matlock,dc=com" binddn="cn=proxyagent,ou=profile,dc=matlock,dc=com" credentials="abc123" schemachecking=off type=refreshAndPersist retry="60 +"
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,ou eq index cn,mail,surname,givenname eq,subinitial index memberUid eq index nisDomain eq index uniqueMember pres
# Performance tuning directives sizelimit 5000 threads 16 idletimeout 14400 cachesize 10000 checkpoint 256 15 password-hash {SSHA}
On Mon, Nov 9, 2009 at 3:16 AM, Jonathan Clarkejonathan@phillipoux.net wrote:
On 06/11/2009 15:31, Scott Behrens wrote:
Hello,
I am running 2 hosts CentOS release 5.3 (Final) with kernel 2.6.18-164.el5l.
One box is the provider and the other is a consumer using syncrepl. When the primary goes down, I can perform searches against the domain from the replica so I know the replica has replicated the data (when I stop both hosts I can't preform the search obviously). When I point a client to the replica, I get a timeout when trying to perform searches or pull data. ldap_bind: Can't contact LDAP server (-1).
Any ideas? I will provide more information if needed.
Hi,
Which client are you pointing to the replica? ldapsearch? And what version of OpenLDAP are you running?
This is a pretty vague error, many things could be the cause: bad client setup, network problems, server problems...
I suggest you check out the logs from the server you're trying to connect to, having previously set them to include "stats" (level 256).
Hope this helps, Jonathan