Hi Quanah,
Thank your very much. Your reply is quite clear. After that I made a decision to migrate to delta-sync and to increase my session log (I have 800k users and 2.000.000 of entries). Please take a look on my new config after these changes, and let me know if it's ok:
Node A:
# Accesslog database definitions database mdb suffix cn=accesslog directory /var/db/openldap-data/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE
#####
# primary db config overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 2000000
# accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00
# Global section serverID 1 # database section
# syncrepl directive syncrepl rid=001 provider=ldaps://02.host.com bindmethod=simple binddn="cn=root,dc=xxx" credentials=xxx searchbase="dc=xxx" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="10 +" syncdata=accesslog tls_cacert=/usr/local/etc/openldap/cert/certServerID2.crt
mirrormode on
Node B:
# Accesslog database definitions database mdb suffix cn=accesslog directory /var/db/openldap-data/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE
#####
# primary db config overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 2000000
# accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00
# Global section serverID 2 # database section
# syncrepl directive syncrepl rid=001 provider=ldaps://01.host.com bindmethod=simple binddn="cn=root,dc=xxx" credentials=xxx searchbase="dc=xxx" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="10 +" syncdata=accesslog tls_cacert=/usr/local/etc/openldap/cert/certServerID1.crt
mirrormode on
After that I made a change on Node A and it replicated to node B, then I made a change on node B and it replicated to A. So seems it's working. My doubt is how can I make sure it's working with delta-sync mode?
Another question, changing to delta-sync can I use more than 2 nodes, for instance, 3 servers receiving writing and replicating between them?
Thank you.
On Wed, Apr 3, 2019 at 1:09 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, April 03, 2019 11:14 AM -0300 Alex Hebra hebraalex@gmail.com wrote:
Thanks for your answer. Here are the details asked:
OpenLDAP version 2.4.46.
syncprov-sessionlog 100 syncprov-sessionlog 100
Hi Alex,
Your sessionlog value is way too small. It needs to be something a little larger than the entire size of your database (so > 800,000 in your case). I also see you're using standard syncrepl rather than delta-syncrepl.
Generally, having a "glued" object on a server indicates that at some point, the server was in a REFRESH mode (either you populated the server using syncrepl instead of slapcat, or it had some reason to fall back to REFRESH at a later date).
In the REFRESH mode, the server may get entries "out of order". In this case, a stub (glue) object is created to "hold" the place for tha entry until it gets fully replicated. Unfortunately, this doesn't always happen, and you end up being stuck with the glued object on the server.
You may be able to force replication of the object onto the server where it's missing by doing a MOD op against the affected entry on the master where it exists. If one master is "complete" (I.e., no glued objects), you could also slapcat that master and import the database into the othe rmaster via slapadd to resolve the problem for now.
Overally, I strongly advise using delta-syncrepl as it largely avoids these issues (as long as it never has to fall back to standard syncrepl REFRESH mode).
I would note that there was a fix in OpenLDAP 2.4.47 specific to delta-syncrepl when ppolicy is in use, so if using delta-sync you likely want that fix.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Wednesday, April 03, 2019 4:36 PM -0300 Alex Hebra hebraalex@gmail.com wrote:
Node A: # Accesslog database definitions database mdb suffix cn=accesslog directory /var/db/openldap-data/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart
Add an index for "reqDN" here as well.
#####
# primary db config
overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 2000000
As I noted in the previous email, you want it slightly larger than the total number of entries in the database. If you have exactly 2 million, I'd probably set the session log to something like 2.1 million.
# accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00
Depending on how busy the system is in regards to write ops, you may want to "clean" the accesslog DB more frequently (I generally do 4 hour increments). Otherwise the entire server can pause while the clean operation is executed if there is a large amount of data that needs deleting.
# Global section serverID 1
I would note that the serverID should technically be one of the first lines of the slapd.conf file since it is a global option. I can't really tell from your snippets where it appears. ;)
Node B:
# Accesslog database definitions database mdb suffix cn=accesslog directory /var/db/openldap-data/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart
Same comment as before about reqDN
syncprov-sessionlog 2000000
Same comment as before about the session log size.
# scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00
Same comment as before as to the frequency of purging.
# Global section serverID 2
Same comment as before about where this should be defined in the slapd.conf file
After that I made a change on Node A and it replicated to node B, then I made a change on node B and it replicated to A. So seems it's working. My doubt is how can I make sure it's working with delta-sync mode?
If you have "stats" logging enabled, you can tell from the bind/search op of the syncrepl client to the other master by looking at the search filter and base in use of the default query.
Another question, changing to delta-sync can I use more than 2 nodes, for instance, 3 servers receiving writing and replicating between them?
Delta-syncrepl is valid for N-way MMR, so yes, 3-way MMR is just fine.
One final note -- I don't know what overlays you have in use on your servers, nor the order they are instantiated against the primary DB. This was covered in a different thread yesterday, but on the primary DB, it must be:
overlay syncprov <syncprov overlay options>
overlay accesslog <accesslog overlay options>
overlay WHATEVER <options>
I.e., syncprov must be the first instantiated overlay, accesslog the second instantiated overlay. All other overlays occurring after them.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
-
Alex Hebra -
Quanah Gibson-Mount