Dear all,
I have 4 servers with version 2.4.9 configured into 4 way masters, the name of the servers are disb01 (SID:001), disb02 (SID:002), pisb01 (SID:003) and pisb02 (SID:004). Attached is the config file for the 4 servers.
All the 4 servers are configured and started on Oct 29 night. At that time, I test the data synchronization, the result is positive. However, today, customer reported that data synchronization occurs, then, I perform the following simple test and find that data is really can't replicated.
- When I added a record (the key is 20081104105123.573091Z#000000#003#000000) in pisb01, the data can be replicated to pisb02, but the other 2 servers disb01 and disb02 cannot find this record. The log in disb01 and disb02 indicates that the CSN is too old.
- When I added a record (the key is 20081104105455.436768Z#000000#001#000000) in disb01, the data can be replicated to pisb01, but the other 2 servers disb02 and pisb02 cannot find this record. The log in disb01 and disb02 indicates that the CSN is too old.
The log for the 4 servers is attached...
Any possible reasons for this error "CSN too old" ? I find from the log that seems all servers received update at the same time (up to seconds, no millisecond is shown in the log)
Thanks
Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/pccw.schema include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
#modulepath /usr/local/libexec/openldap/ #moduleload ppolicy.la
# Password policy #overlay ppolicy #ppolicy_default "cn=default,ou=Policies" #ppolicy_default "cn=default,ou=Policies,o=HKSARG"
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "" rootdn "cn=Manager" #rootdn "ou=SCIG,ou=Govt-Dept,o=HKSARG,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #rootpw secret rootpw {SSHA}hzt3Mw7MTu+PvXuk8p24xMwLyscP2rls # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass,entryCSN,entryUUID,cn,pwdChangedTime eq
#replogfile /var/lib/ldap/openldap-master-replog loglevel 16384 logfile /var/lib/ldap/ldap.log
overlay syncprov overlay ppolicy ppolicy_default "cn=default,ou=Policies,o=HKSARG" ppolicy_hash_cleartext
#access to * by dn="cn=Manager" write by * read access to * by anonymous auth by * write by dn.base="o=HKSARG" write by * none access to * by * write access to * by * read #database monitor #syncprov-checkpoint 100 10 syncprov-sessionlog 100
# syncrepl directives syncrepl rid=001 provider=ldap://disb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=002 provider=ldap://disb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=003 provider=ldap://pisb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=004 provider=ldap://pisb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
mirrormode on serverID 002
#overlay syncprov #syncprov-checkpoint 100 10 #syncprov-sessionlog 100
# Performance tuning directives sizelimit 5000 threads 8 idletimeout 14400 cachesize 10000 checkpoint 256 15
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/pccw.schema include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
#modulepath /usr/local/libexec/openldap/ #moduleload ppolicy.la
# Password policy #overlay ppolicy #ppolicy_default "cn=default,ou=Policies" #ppolicy_default "cn=default,ou=Policies,o=HKSARG"
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "" rootdn "cn=Manager" #rootdn "ou=SCIG,ou=Govt-Dept,o=HKSARG,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #rootpw secret rootpw {SSHA}hzt3Mw7MTu+PvXuk8p24xMwLyscP2rls # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass,entryCSN,entryUUID,cn,pwdChangedTime eq
#replogfile /var/lib/ldap/openldap-master-replog loglevel 16384 logfile /var/lib/ldap/ldap.log
overlay syncprov overlay ppolicy ppolicy_default "cn=default,ou=Policies,o=HKSARG" ppolicy_hash_cleartext
#access to * by dn="cn=Manager" write by * read access to * by anonymous auth by * write by dn.base="o=HKSARG" write by * none access to * by * write access to * by * read #database monitor #syncprov-checkpoint 100 10 syncprov-sessionlog 100
# syncrepl directives syncrepl rid=001 provider=ldap://disb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=002 provider=ldap://disb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=003 provider=ldap://pisb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=004 provider=ldap://pisb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
mirrormode on serverID 001
#overlay syncprov #syncprov-checkpoint 100 10 #syncprov-sessionlog 100
# Performance tuning directives sizelimit 5000 threads 8 idletimeout 14400 cachesize 10000 checkpoint 256 15
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/pccw.schema include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
#modulepath /usr/local/libexec/openldap/ #moduleload ppolicy.la
# Password policy #overlay ppolicy #ppolicy_default "cn=default,ou=Policies" #ppolicy_default "cn=default,ou=Policies,o=HKSARG"
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "" rootdn "cn=Manager" #rootdn "ou=SCIG,ou=Govt-Dept,o=HKSARG,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #rootpw secret rootpw {SSHA}hzt3Mw7MTu+PvXuk8p24xMwLyscP2rls # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass,entryCSN,entryUUID,cn,pwdChangedTime eq
#replogfile /var/lib/ldap/openldap-master-replog loglevel 16384 logfile /var/lib/ldap/ldap.log
overlay syncprov overlay ppolicy ppolicy_default "cn=default,ou=Policies,o=HKSARG" ppolicy_hash_cleartext
#access to * by dn="cn=Manager" write by * read access to * by anonymous auth by * write by dn.base="o=HKSARG" write by * none access to * by * write access to * by * read #database monitor #syncprov-checkpoint 100 10 syncprov-sessionlog 100
# syncrepl directives syncrepl rid=001 provider=ldap://disb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=002 provider=ldap://disb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=003 provider=ldap://pisb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=004 provider=ldap://pisb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
mirrormode on serverID 003
#overlay syncprov #syncprov-checkpoint 100 10 #syncprov-sessionlog 100
# Performance tuning directives sizelimit 5000 threads 8 idletimeout 14400 cachesize 10000 checkpoint 256 15
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/pccw.schema include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
#modulepath /usr/local/libexec/openldap/ #moduleload ppolicy.la
# Password policy #overlay ppolicy #ppolicy_default "cn=default,ou=Policies" #ppolicy_default "cn=default,ou=Policies,o=HKSARG"
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "" rootdn "cn=Manager" #rootdn "ou=SCIG,ou=Govt-Dept,o=HKSARG,dc=example,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. #rootpw secret rootpw {SSHA}hzt3Mw7MTu+PvXuk8p24xMwLyscP2rls # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass,entryCSN,entryUUID,cn,pwdChangedTime eq
#replogfile /var/lib/ldap/openldap-master-replog loglevel 16384 logfile /var/lib/ldap/ldap.log
overlay syncprov overlay ppolicy ppolicy_default "cn=default,ou=Policies,o=HKSARG" ppolicy_hash_cleartext
#access to * by dn="cn=Manager" write by * read access to * by anonymous auth by * write by dn.base="o=HKSARG" write by * none access to * by * write access to * by * read #database monitor #syncprov-checkpoint 100 10 syncprov-sessionlog 100
# syncrepl directives syncrepl rid=001 provider=ldap://disb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=002 provider=ldap://disb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=003 provider=ldap://pisb01:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
syncrepl rid=004 provider=ldap://pisb02:389/ bindmethod=simple binddn="cn=Manager" credentials=secret searchbase="o=HKSARG" schemachecking=off type=refreshAndPersist attrs="*,+" retry="1 +"
mirrormode on serverID 004
#overlay syncprov #syncprov-checkpoint 100 10 #syncprov-sessionlog 100
# Performance tuning directives sizelimit 5000 threads 8 idletimeout 14400 cachesize 10000 checkpoint 256 15
openldap-technical@openldap.org