Hello all,
Last year I switched from the slapd.conf to the OLC style config for OpenLDAP and transitionally tested it by making the OLC server a replication slave to the older LDAP server configured with slapd.conf. Now I've disabled replication from that old server and am making the OLC server (LDAP01 - version 2.4.23) the new master and threw up a new VM called LDAP02 (2.4.23) to become the new sync replication slave/consumer. Though I'm using multiple guides of varying detail the simplest setup steps basically followed this article: http://gagravarr.livejournal.com/145679.html.
I followed the same steps I thought I did for LDAP01, but despite the fact that I see LDAP02 bind and try to fetch entries for replication nothing is being fetched. The problem description is almost identical to this person's issue: http://www.openldap.org/lists/openldap-software/200911/msg00017.html (with "nentries=0" in the replication log messages, but plenty of entries found with an ldapsearch manually).
Though I think my setup situation is different than that person's, and they were exporting using slapcat/slapadd (which I did for converting my existing slapd.conf config to LDAP01 last year, but this time I merely setup LDAP02 from scratch as a cn=config OLC server to begin with), one of the follow-up responses to that email thread said this:
"The only correct usage of -w is when you have an LDIF produced by slapcat on a database that was not being used with replication before, and so is missing the contextCSN. But all the other operational attributes (entryUUID and entryCSN in particular) are present and valid."
This made me wonder if the problem I'm seeing is because LDAP02 (or LDAP01?) is somehow missing a contextCSN. I am seeing no "cookie" messages associated with replication in my log.
Some of my config is below as well as the log messages I am seeing on LDAP01 (edited domain & password). I did notice off-the-bat though that I am missing an "olcDbIndex: entryUUID pres,eq" entry on LDAP02 where I have it on LDAP01. Is that a crucial setting for replication? Lastly, I deleted the database files in /var/lib/ldap/ on LDAP02 and restarted slapd once I had configured "olcSyncRepl" on LDAP02 to ensure that I was starting from scratch.
------- LDAP01's log entry for LDAP02's attempted connection looks like this:
Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 ACCEPT from IP=192.168.21.60:46198 (IP=0.0.0.0:389) Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 STARTTLS Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=0 RESULT oid= err=0 text= Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 TLS established tls_ssf=256 ssf=256 Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" method=128 Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 BIND dn="cn=root,dc=myerslab,dc=haib,dc=org" mech=SIMPLE ssf=0 Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=1 RESULT tag=97 err=0 text= Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH base="dc=myerslab,dc=haib,dc=org" scope=2 deref=0 filter="(objectClass=*)" Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SRCH attr=* + Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 op=3 UNBIND Sep 15 16:29:07 ldap01 slapd[18869]: conn=1472 fd=359 closed
------- LDAP02's /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:
dn: olcDatabase={1}bdb objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {1}bdb olcSuffix: dc=mydomain,dc=org olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,dc=mydomain,dc=org olcRootPW:: olcSyncUseSubentry: FALSE olcMonitoring: TRUE olcDbDirectory: /var/lib/ldap olcDbCacheSize: 50000 olcDbCheckpoint: 10240 720 olcSyncrepl: {0}rid=001 provider=ldap://ldap01.mydomain.org bindmethod=si mple timeout=1 network-timeout=0 binddn="cn=root,dc=mydomain,dc=org" credentials="ld4p3650" keepalive=0:0:0 starttls=yes filter="(objectclass=*)" s earchbase="dc=mydomain,dc=org" scope=sub schemachecking=off type=refr eshOnly interval=00:00:00:10 retry="5 5 300 5" tls_cacert=/etc/openldap/certs/rootCA.cert olcUpdateRef: ldap://ldap01.mydomain.org olcMirrorMode: TRUE olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 0 olcDbIndex: objectClass pres,eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: ou pres,eq,sub olcDbIndex: loginShell pres,eq olcDbIndex: sn pres,eq,sub olcDbIndex: givenName pres,eq,sub olcDbIndex: memberUid pres,eq,sub olcDbIndex: nisMapName pres,eq,sub olcDbIndex: nisMapEntry pres,eq,sub olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 olcDbShmKey: 0 olcDbCacheFree: 1 olcDbDNcacheSize: 0 structuralObjectClass: olcBdbConfig entryUUID: 31e2c8b0-c0ec-1033-8c20-43a6f59853d5 creatorsName: cn=config createTimestamp: 20140825214036Z entryCSN: 20140912164223.814325Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140912164223Z
------- LDAP01's /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:
dn: olcDatabase={1}bdb objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {1}bdb olcSuffix: dc=mydomain,dc=org olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * no ne olcAccess: {1}to * by anonymous read olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,dc=mydomain,dc=org olcRootPW:: olcSyncUseSubentry: FALSE olcMirrorMode: TRUE olcMonitoring: TRUE olcDbDirectory: /var/lib/ldap olcDbCacheSize: 50000 olcDbCheckpoint: 10240 720 olcDbConfig: {0}# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/1 2/18 11:53:27 ghenry Exp $ olcDbConfig: {1}# Example DB_CONFIG file for use with slapd(8) BDB/HDB databas es. olcDbConfig: {2}# olcDbConfig: {3}# See the Oracle Berkeley DB documentation olcDbConfig: {4}# <http://www.oracle.com/technology/documentation/berkeley-d b/db/ref/env/db_config.html> olcDbConfig: {5}# for detail description of DB_CONFIG syntax and semantics. olcDbConfig: {6}# olcDbConfig: {7}# Hints can also be found in the OpenLDAP Software FAQ olcDbConfig:: ezh9Iwk8aHR0cDovL3d3dy5vcGVubGRhcC5vcmcvZmFxL2luZGV4LmNnaT9maWxl PTI+ olcDbConfig: {9}# in particular: olcDbConfig: {10}# http://www.openldap.org/faq/index.cgi?file=1075 olcDbConfig: {11} olcDbConfig: {12}# Note: most DB_CONFIG settings will take effect only upon re building olcDbConfig: {13}# the DB environment. olcDbConfig: {14} olcDbConfig: {15}# one 0.25 GB cache olcDbConfig: {16}set_cachesize 0 268435456 1 olcDbConfig: {17} olcDbConfig: {18}# Data Directory olcDbConfig: {19}#set_data_dir db olcDbConfig: {20} olcDbConfig: {21}# Transaction Log settings olcDbConfig: {22}set_lg_regionmax 262144 olcDbConfig: {23}set_lg_bsize 2097152 olcDbConfig: {24}#set_lg_dir logs olcDbConfig: {25} olcDbConfig: {26}# Note: special DB_CONFIG flags are no longer needed for "qui ck" olcDbConfig:: ezI3fSMgc2xhcGFkZCg4KSBvciBzbGFwaW5kZXgoOCkgYWNjZXNzIChzZWUgdGhl aXIgLXEgb3B0aW9uKS4g olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 0 olcDbIndex: objectClass pres,eq olcDbIndex: entryUUID pres,eq olcDbIndex: entryCSN pres,eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: ou pres,eq,sub olcDbIndex: mail pres,eq,sub olcDbIndex: memberUid pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: loginShell pres,eq olcDbIndex: givenName pres,eq,sub olcDbIndex: nisMapName pres,eq,sub olcDbIndex: nisMapEntry pres,eq,sub olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 olcDbShmKey: 0 olcDbCacheFree: 1 olcDbDNcacheSize: 0 structuralObjectClass: olcBdbConfig entryUUID: 727d260c-cc5c-1032-89cf-2fc7acd5ca31 creatorsName: cn=config createTimestamp: 20131018161654Z entryCSN: 20140915195740.431843Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140915195740Z ------
Thanks, Josh Nielsen
Josh Nielsen wrote:
OLC server (LDAP01 - version 2.4.23) the new master and threw up a new VM called LDAP02 (2.4.23) to become the new sync replication slave/consumer.
Don't use such an ancient version which is four years old now. Many syncrepl issues have been fixed since then (and are to be fixed in upcoming 2.4.40).
And better don't argue that you have to use your favourite distribution's packages. We had this discussion here numerous times.
And of course it could be a ACL issue in your particular configuration. In particular you have
olcRootDN: cn=admin,dc=mydomain,dc=org
but
olcSyncrepl: {0} [..] binddn="cn=root,dc=mydomain,dc=org"
Anyway you should not use rootdn for anything. Set up proper group-based ACLs for service accounts instead.
...
Ciao, Michael.
Yes, I used distro packages for Centos 6; and yes, I understand your point. I may have the luxury of building openldap from scratch for LDAP02, though I don't have the redundancy (the point of this whole exercise) that I need to reinstall LDAP01 by building it from scratch. That was an unfortunate mistake in hindsight that I stuck with the distro package there. I suppose to start over I would have to make a new server and slapcat the LDAP01 config? How would I carry over the existing DB entries without using replication? I'm still a novice when it comes to OLC.
As for the ACL, that was a result of my sloppy email editing. I changed the name of the DNs. They actually match in my config. Once I proof-of-concept the replication I will create replication-only user DNs.
But nothing looks overtly amiss with my CSNs or UUIDs?
Thanks, Josh
On Tue, Sep 16, 2014 at 10:16 AM, Michael Ströder michael@stroeder.com wrote:
Josh Nielsen wrote:
OLC server (LDAP01 - version 2.4.23) the new master and threw up a new VM called LDAP02 (2.4.23) to become the new sync replication slave/consumer.
Don't use such an ancient version which is four years old now. Many syncrepl issues have been fixed since then (and are to be fixed in upcoming 2.4.40).
And better don't argue that you have to use your favourite distribution's packages. We had this discussion here numerous times.
And of course it could be a ACL issue in your particular configuration. In particular you have
olcRootDN: cn=admin,dc=mydomain,dc=org
but
olcSyncrepl: {0} [..] binddn="cn=root,dc=mydomain,dc=org"
Anyway you should not use rootdn for anything. Set up proper group-based ACLs for service accounts instead.
...
Ciao, Michael.
--On Tuesday, September 16, 2014 11:38 AM -0500 Josh Nielsen jnielsen@hudsonalpha.org wrote:
Yes, I used distro packages for Centos 6; and yes, I understand your point. I may have the luxury of building openldap from scratch for LDAP02, though I don't have the redundancy (the point of this whole exercise) that I need to reinstall LDAP01 by building it from scratch. That was an unfortunate mistake in hindsight that I stuck with the distro package there. I suppose to start over I would have to make a new server and slapcat the LDAP01 config? How would I carry over the existing DB entries without using replication? I'm still a novice when it comes to OLC.
As for the ACL, that was a result of my sloppy email editing. I changed the name of the DNs. They actually match in my config. Once I proof-of-concept the replication I will create replication-only user DNs.
But nothing looks overtly amiss with my CSNs or UUIDs?
Hi Josh,
2.4.23 is known to have numerous bugs in sync replication. So even once you have your system configured correctly, there is no guarantee that your data will be correctly pushed out. I strongly advise you to read over the CHANGES file for everything fixed since 2.4.23 to the 2.4.40 release:
In addition, there's no requirement that you build OpenLDAP yourself. You can obtain current OpenLDAP builds from Symas (https://symas.com/) or the LTB project (http://ltb-project.org/wiki/download#openldap) for deployment.
Regards, Quanah
--
Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
-
Josh Nielsen -
Michael Ströder -
Quanah Gibson-Mount