Thanks for the reply Marc, I have corrected my comments. I have still not succeeded in getting replication to work.
The current version of my product (with openldap 2.2) does replication using slurpd. With the new RHEL 6.x (openldap 2.4) we want replication to work using syncrepl in such a way that it can replicate data to slave databases (clients using openldap 2.2). The openldap document http://www.openldap.org/doc/admin24/replication.html suggests a way to replace slurpd. For initial understanding I have kept the configured setup very similar to the document (standalone proxy): Master ---> Consumer Proxy ---> syncrepl ---> Slave database (replica).
1) Can you please guide me on why I am getting the following error? I see the following error message in the consumer proxy logs:
----------------------------------------------------------------------
syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=001 be_search (49)
syncrepl_entry: rid=001 dc=suretecsystems,dc=com
null_callback : error code 0x31
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com (49)
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com failed (49)
do_syncrepl: rid=001 rc 49 retrying (4 retries left)
----------------------------------------------------------------------
Master logs show the following:
----------------------------------------------------------------------
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
----------------------------------------------------------------------
Slave logs don't say much:
----------------------------------------------------------------------
mockbuild@x86-007.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
slapd starting
----------------------------------------------------------------------
My processes and configuration files slapd.conf (master), proxy.conf (consumer proxy) and slave.conf are as below:
/usr/sbin/slapd -h ldap://10.52.35.204:389 -f /usr/share/openldap-servers/slapd.conf -d16384
/usr/sbin/slapd -h ldap://10.52.35.204:9012 -f /usr/share/openldap-servers/proxy.conf -d16384
/usr/sbin/slapd -h ldap://10.52.35.204:9015 -f /usr/share/openldap-servers/slave.conf -d16384
I performed the steps below for replication:
I) Started the Master and Proxy consumer databases and took slapcat output.
II) Started a new slave database and populated the slave (slapadd) using the slapcat output from the Master.
III) Added an entry to the master to test replication.
slapd.conf (Master configuration)
---------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /usr/share/openldap-servers/slapd.acl

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
modulepath /usr/lib/openldap
moduleload accesslog.la
moduleload syncprov.la

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=suretecsystems,dc=com"
#directory /etc/openldap/ldap_db_dir
directory /usr/share/openldap-servers/ldap_data
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw testing
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
index objectClass eq
index default sub
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database monitor
database config
rootpw testing
proxy.conf (Consumer proxy configuration)
----------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

allow bind_v2

pidfile /var/run/openldap/slapd.3.pid
argsfile /var/run/openldap/slapd.3.args

# Load dynamic backend modules
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload pcache.la
moduleload syncprov.la

##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################
database ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden on
suffix "dc=suretecsystems,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://10.52.35.204:9012/
lastmod on
restrict all
acl-bind bindmethod=simple binddn="cn=Rupesh,dc=suretecsystems,dc=com" credentials=1234
syncrepl rid=001
        provider=ldap://10.52.35.204:389/
        binddn="cn=Rupesh,dc=suretecsystems,dc=com"
        bindmethod=simple
        credentials=1234
        searchbase="dc=suretecsystems,dc=com"
        type=refreshAndPersist
        retry="5 5 300 5"
overlay syncprov
Slave.conf (Slave configuration file)
--------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /usr/share/openldap-servers/slapd.acl

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.sl.pid
argsfile /var/run/openldap/slapd.sl.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
# moduleload pcache.la
moduleload syncprov.la

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
loglevel sync stats
database bdb
suffix "dc=suretecsystems,dc=com"
directory /usr/share/openldap-servers/ldap_slave_data
rootdn "cn=admin,dc=suretecsystems,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw testing
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
# Indices to maintain for this database
index objectClass eq
index default sub
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
updatedn "cn=Rupesh,dc=suretecsystems,dc=com"
updateref ldap://10.52.35.204:389
database monitor
database config
rootpw testing
------------------------------------------------------------------
cat /usr/share/openldap-servers/slapd.acl
------------------------------------------------------------------
access to dn.base="dc=suretecsystems,dc=com"
        by dn.base="cn=admin,dc=suretecsystems,dc=com" write
        by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
        by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
        by anonymous auth
access to dn.regex="cn=([^,]+),dc=suretecsystems,dc=com"
        by dn.base="cn=admin,dc=suretecsystems,dc=com" write
        by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
        by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
        by anonymous auth
------------------------------------------------------------------
Other than the consumer proxy log errors I have the following queries:
2) The updateref entry in the slave configuration points to the master "ldap://10.52.35.204:389"; should it point to the proxy "ldap://10.52.35.204:9012" instead?
3) If I want to query the consumer proxy using the ldapsearch utility, I believe I will need to set the proxycache setting (overlay pcache)?
Thanks
Rupesh
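One check worth running on each hop of this chain (master on 389, consumer proxy on 9012, slave on 9015) is to compare the contextCSN each server reports; the script below, an added example that is not part of the thread, parses the CSN format seen in the provider's cookie and reports which serverIDs the replica is behind on. The LDIF fragments are constructed samples; ldapsearch is the real tool you would use to produce them.

```python
import re

# CSN format as seen in the provider's syncprov cookie:
# yyyymmddHHMMSS.ffffffZ#count#sid#mod (hex change count, serverID and modifier)
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)

def parse_csn(csn):
    """Split a CSN into (serverID, key) where key sorts in CSN order."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts, frac, count, sid, mod = m.groups()
    return sid.lower(), (ts, frac, int(count, 16), int(mod, 16))

def context_csns(ldif):
    """Collect contextCSN values (one per serverID) from an LDIF dump such as:
    ldapsearch -x -H ldap://HOST:PORT -b "dc=suretecsystems,dc=com" -s base contextCSN"""
    out = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            sid, key = parse_csn(line.split(":", 1)[1])
            out[sid] = key
    return out

def lagging_sids(provider_ldif, replica_ldif):
    """serverIDs whose contextCSN on the replica is missing or older than the provider's."""
    prov, repl = context_csns(provider_ldif), context_csns(replica_ldif)
    return sorted(sid for sid, key in prov.items() if sid not in repl or repl[sid] < key)

# Constructed LDIF: the provider carries the CSN from the thread's cookie,
# the replica still carries an earlier CSN for the same serverID.
PROVIDER_LDIF = """\
dn: dc=suretecsystems,dc=com
contextCSN: 20110819163703.707486Z#000000#000#000000
"""
REPLICA_LDIF = """\
dn: dc=suretecsystems,dc=com
contextCSN: 20110819120000.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    print("replica behind for serverIDs:", lagging_sids(PROVIDER_LDIF, REPLICA_LDIF))
```

An empty list on every hop means the chain is in sync; a replica that never reports a contextCSN at all was never loaded or never accepted an update.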
-----Original Message-----
From: Marc Patermann [mailto:hans.moser@ofd-z.niedersachsen.de]
Sent: Friday, August 19, 2011 4:43 PM
To: Rupesh Thakkar; openldap-technical openldap org
Subject: Re: openldap syncrepl Provider with Slave(older version)
Rupesh,
Rupesh Thakkar schrieb:
#syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# Let the replica DN have limitless searches
limits dn.exact="umObjectGUID=218afb42cb5e11e09542001a64e587d4,ou=People,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
limits dn.exact="cn=replicator,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
[...]
syncrepl rid=001
        provider=ldap://localhost:389/
        binddn="cn=replicator,dc=Avaya"
        #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya
        bindmethod=simple
        credentials=Testpw
        #credentials=1234
        searchbase="dc=Avaya"
        type=refreshAndPersist
        retry="5 5 300 5"
As far as I know, you cannot comment out "lines" in options like syncrepl, because internally this is only one line. And so everything after your first "#" is commented out.
"If a line begins with white space, it is considered a continuation of the previous line. No physical line should be over 2000 bytes long. Blank lines and comment lines beginning with a `#' character are ignored. Note: continuation lines are unwrapped before comment processing is applied." - man slapd.conf
Marc
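The man page rule Marc quotes (unwrap continuation lines first, then drop lines that begin with '#') can be checked mechanically before slapd is restarted. The script below is an added example, not part of the thread or of OpenLDAP: it unwraps a slapd.conf fragment exactly in that order and flags any '#' fragment that survives into a directive's argument list. The sample config is constructed to mirror the shape of the syncrepl block quoted above, with placeholder DNs and password.

```python
import shlex

# Constructed sample: one continuation line of the syncrepl directive has
# been "commented out" with a leading '#', as in the block quoted above.
SAMPLE_CONF = """\
# consumer block (constructed sample; DNs and password are placeholders)
syncrepl rid=001
        provider=ldap://localhost:389/
        binddn="cn=replicator,dc=Avaya"
        #binddn="uid=other,ou=People,dc=Avaya"
        bindmethod=simple
        credentials=PLACEHOLDER
        searchbase="dc=Avaya"
        type=refreshAndPersist
        retry="5 5 300 5"
overlay syncprov
"""

def unwrap(text):
    """Join lines that start with whitespace onto the previous line, then
    drop blank lines and lines beginning with '#'. That is the order
    slapd.conf(5) describes: unwrap first, comment processing second."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    return [line for line in logical if line and not line.startswith("#")]

def directives(text):
    """Tokenise each logical line; token 0 is the directive name."""
    return [shlex.split(line) for line in unwrap(text)]

def embedded_hashes(text):
    """(directive, token) pairs where a '#' fragment survived unwrapping.
    Such a token is no longer at the start of a line, so it is handed to
    the directive as an argument instead of being dropped as a comment."""
    return [(d[0], t) for d in directives(text) for t in d[1:] if t.startswith("#")]

if __name__ == "__main__":
    for name, tok in embedded_hashes(SAMPLE_CONF):
        print(f"{name}: {tok!r} reaches slapd as an argument, not as a comment")
```

Deleting the offending continuation line (or moving it to a line of its own above the directive) makes the check report nothing, and the remaining arguments then reach the syncrepl directive intact.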
"This email and any files transmitted with it contain confidential, proprietary, privileged information of Symphony Services Corp (India) Pvt. Ltd. and are intended solely for the use of the recipient/s to whom it is addressed. Any unauthorized notifying, copying or distributing of this e-mail, directly or indirectly, and the contents therein in full or part is prohibited by any entity who is not a recipient. Any email received inadvertently or by mistake should be deleted by the entity who is not a recipient thereof. You may be pleased to notify the sender immediately by email and the email should be deleted from your system".