Thanks for the reply, Marc. I have corrected my comments.
Still not succeeded with replication.
The current version of my product (with OpenLDAP 2.2) does replication using slurpd. With the new RHEL 6.x (OpenLDAP 2.4) we want replication to work using syncrepl in such a way that it can replicate data to slave databases (clients using OpenLDAP 2.2).
Please suggest a way to replace slurpd. For initial understanding I have kept the configured setup very similar to the documentation (standalone proxy): Master ---> Consumer Proxy ---> syncrepl ---> Slave database (replica).
1) Can you please guide me on why I am getting the following error?
I am getting the following error message in the consumer proxy logs:
----------------------------------------------------------------------
syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=001 be_search (49)
syncrepl_entry: rid=001 dc=suretecsystems,dc=com
null_callback : error code 0x31
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com (49)
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com failed (49)
do_syncrepl: rid=001 rc 49 retrying (4 retries left)
----------------------------------------------------------------------
Master logs show the following:
----------------------------------------------------------------------
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
----------------------------------------------------------------------
Slave logs don't say much:
----------------------------------------------------------------------
mockbuild@x86-007.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
slapd starting
----------------------------------------------------------------------
My processes and configuration files slapd.conf (master), proxy.conf (consumer proxy) and slave.conf (slave) are as below:
/usr/sbin/slapd -h ldap://10.52.35.204:389 -f /usr/share/openldap-servers/slapd.conf -d16384
/usr/sbin/slapd -h ldap://10.52.35.204:9012 -f /usr/share/openldap-servers/proxy.conf -d16384
/usr/sbin/slapd -h ldap://10.52.35.204:9015 -f /usr/share/openldap-servers/slave.conf -d16384
I performed the steps below for replication:
I) Started the Master and Proxy consumer databases and took slapcat output of the Master.
II) Started a new slave database and populated the slave (slapadd) using the slapcat output of the Master.
III) Added an entry to the master to test replication.
slapd.conf (Master configuration)
---------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /usr/share/openldap-servers/slapd.acl
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
modulepath /usr/lib/openldap
moduleload accesslog.la
moduleload syncprov.la
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=suretecsystems,dc=com"
#directory /etc/openldap/ldap_db_dir
directory /usr/share/openldap-servers/ldap_data
rootdn "cn=admin,dc=suretecsystems,dc=com"
rootpw testing
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
index objectClass eq
index default sub
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database monitor
database config
rootpw testing
proxy.conf (Consumer proxy configuration)
----------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
allow bind_v2
pidfile /var/run/openldap/slapd.3.pid
argsfile /var/run/openldap/slapd.3.args
# Load dynamic backend modules
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload pcache.la
moduleload syncprov.la
##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################
database ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden on
suffix "dc=suretecsystems,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://10.52.35.204:9012/
lastmod on
restrict all
acl-bind bindmethod=simple
         binddn="cn=Rupesh,dc=suretecsystems,dc=com"
         credentials=1234
syncrepl rid=001
         provider=ldap://10.52.35.204:389/
         binddn="cn=Rupesh,dc=suretecsystems,dc=com"
         bindmethod=simple
         credentials=1234
         searchbase="dc=suretecsystems,dc=com"
         type=refreshAndPersist
         retry="5 5 300 5"
overlay syncprov
slave.conf (Slave configuration file)
--------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /usr/share/openldap-servers/slapd.acl
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.sl.pid
argsfile /var/run/openldap/slapd.sl.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
# moduleload pcache.la
moduleload syncprov.la
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
loglevel sync stats
database bdb
suffix "dc=suretecsystems,dc=com"
directory /usr/share/openldap-servers/ldap_slave_data
rootdn "cn=admin,dc=suretecsystems,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw testing
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
checkpoint 1024 5
cachesize 10000
idlcachesize 10000
# Indices to maintain for this database
index objectClass eq
index default sub
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
updatedn "cn=Rupesh,dc=suretecsystems,dc=com"
updateref ldap://10.52.35.204:389
database monitor
database config
rootpw testing
------------------------------------------------------------------
cat /usr/share/openldap-servers/slapd.acl
------------------------------------------------------------------
access to dn.base="dc=suretecsystems,dc=com"
by dn.base="cn=admin,dc=suretecsystems,dc=com" write
by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
by anonymous auth
access to dn.regex="cn=([^,]+),dc=suretecsystems,dc=com"
by dn.base="cn=admin,dc=suretecsystems,dc=com" write
by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
by anonymous auth
------------------------------------------------------------------
Other than the consumer proxy log errors I have the following queries:
2) The updateref entry in the slave configuration points to the master "ldap://10.52.35.204:389"; should it point to the proxy "ldap://10.52.35.204:9012"?
3) If I want to query the consumer proxy using the ldapsearch utility, I believe I will be required to set the proxy cache setting (overlay pcache)?
Thanks
Rupesh
-----Original Message-----
From: Marc Patermann [mailto:hans.moser@ofd-z.niedersachsen.de]
Sent: Friday, August 19, 2011 4:43 PM
To: Rupesh Thakkar; openldap-technical openldap org
Subject: Re: openldap syncrepl Provider with Slave(older version)
Rupesh,
Rupesh Thakkar wrote:
> #syncrepl Provider for primary db
> overlay syncprov
> syncprov-checkpoint 1000 60
> # Let the replica DN have limitless searches
> limits dn.exact="umObjectGUID=218afb42cb5e11e09542001a64e587d4,ou=People,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
> limits dn.exact="cn=replicator,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
[...]
> syncrepl rid=001
> provider=ldap://localhost:389/
> binddn="cn=replicator,dc=Avaya"
> #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya
> bindmethod=simple
> credentials=Testpw
> #credentials=1234
> searchbase="dc=Avaya"
> type=refreshAndPersist
> retry="5 5 300 5"
As far as I know, you cannot comment out "lines" in options like
syncrepl, because internally this is only one line. And so everything
after your first "#" is commented out.
"If a line begins with white space, it is considered a continuation of
the previous line. No physical line should be over 2000 bytes long.
Blank lines and comment lines beginning with a `#' character are
ignored. Note: continuation lines are unwrapped before comment
processing is applied."
- man slapd.conf
Marc
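The result code the consumer proxy keeps logging ("rc 49", the number in parentheses after be_search and be_add) is the LDAP result code invalidCredentials, and in the syncrepl proxy mode the OpenLDAP admin guide describes, one identity has to bind twice: on the provider for the syncrepl pull, and on the slave (the back-ldap `uri`, as the `updatedn`) for the push. The script below is an added example for this thread, not the poster's script and not part of OpenLDAP: it decodes the rc values slapd prints, checks the replication DN can bind on each hop with ldapwhoami, and compares the entryCSN of a test entry on provider and slave. It assumes openldap-clients (ldapwhoami, ldapsearch) are on PATH; the URIs, DN and password on the usage line are placeholders taken from the thread, not verified values.

```shell
#!/bin/sh
# Added example (not from the original thread, not OpenLDAP's own tooling):
# walk a Provider -> consumer proxy -> slave chain hop by hop and decode the
# result codes slapd prints in syncrepl log lines.
# Assumptions: ldapwhoami/ldapsearch from openldap-clients are on PATH, and the
# replication identity is expected to bind with one password on every hop.

# Map the numeric rc in "do_syncrepl: ... rc N" / "be_add ... (N)" to its
# RFC 4511 name.  Only the codes that turn up in replication trouble-shooting.
ldap_rc_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        53) echo unwillingToPerform ;;
        68) echo entryAlreadyExists ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Extract the rc from one "do_syncrepl: rid=NNN rc N retrying" log line.
# Prints nothing for lines that are not a retry notice.
syncrepl_log_rc() {
    printf '%s\n' "$1" | sed -n 's/.*do_syncrepl: rid=[0-9]* rc \([0-9]*\).*/\1/p'
}

# entryCSN/contextCSN values are UTC-timestamp-first strings, so a lexically
# smaller CSN is the older one.  expr compares non-integers as strings.
csn_older() {  # csn_older CSN_A CSN_B  -> true if A is older than B
    [ "$(LC_ALL=C expr "$1" \< "$2")" = 1 ]
}

# Can the replication DN bind to this listener?  The OpenLDAP client tools
# exit with the LDAP result code, so a rejected password exits 49, the same
# rc the consumer proxy logs.
check_bind() {  # check_bind URI BINDDN PASSWORD
    if ldapwhoami -x -H "$1" -D "$2" -w "$3" >/dev/null 2>&1; then
        echo "bind ok   $1 as $2"
    else
        rc=$?   # exit status of the ldapwhoami in the condition above
        echo "bind FAIL $1 as $2: rc $rc ($(ldap_rc_name "$rc"))"
        return 1
    fi
}

# entryCSN of one DN on one server; empty if the entry is missing or the bind
# cannot read it.  entryCSN is operational, so it has to be requested by name.
entry_csn() {  # entry_csn URI BINDDN PASSWORD DN
    ldapsearch -x -LLL -H "$1" -D "$2" -w "$3" -s base -b "$4" entryCSN 2>/dev/null \
        | sed -n 's/^entryCSN: //p'
}

# Bind on provider and slave as the replication DN, then compare one test
# entry's CSN on both.  Placeholder usage (values are illustrative only):
#   SYNC_CHECK_RUN=1 sh check_chain.sh ldap://10.52.35.204:389 ldap://10.52.35.204:9015 \
#       'cn=Rupesh,dc=suretecsystems,dc=com' 1234 'cn=test,dc=suretecsystems,dc=com'
check_chain() {  # check_chain PROVIDER_URI SLAVE_URI BINDDN PASSWORD TEST_DN
    status=0
    check_bind "$1" "$3" "$4" || status=1
    check_bind "$2" "$3" "$4" || status=1
    p=$(entry_csn "$1" "$3" "$4" "$5")
    s=$(entry_csn "$2" "$3" "$4" "$5")
    if [ -z "$p" ]; then
        echo "provider has no readable entry $5"; return 1
    elif [ -z "$s" ]; then
        echo "slave has not received $5 (provider entryCSN $p)"; return 1
    elif csn_older "$s" "$p"; then
        echo "slave copy of $5 is stale: $s < $p"; return 1
    fi
    echo "replicated: $5 entryCSN $p"
    return $status
}

# Only touch the network when explicitly asked, so the file can be sourced.
if [ -n "${SYNC_CHECK_RUN:-}" ]; then
    check_chain "$@"
fi
```

A failed check_bind on the slave points at the `acl-bind`/`updatedn` side of the chain, a failure on the provider at the `syncrepl` side; both use the same DN here, so the two results together say which server is rejecting it. The entryCSN comparison assumes the slave stores the operational attributes the proxy pushes, which is what `updatedn` permits.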