Good morning list
I am having no end of problems trying to set up a delta synchronized replication. One consumer and one provider.
Symptoms are as follows:
User can authenticate and login using provider. If user changes password, new password does not get replicated to consumer. If password has not changed the user can authenticate and login using the consumer.
Provider configuration is as follows:
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema

### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel 256
logfile /var/log/slapd.log

# Load dynamic backend modules using this path!!!
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload accesslog.la

schemacheck on
lastmod on

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
##NOPE access to * by * write

# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited

# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"
# rootpw
rootpw {SSHA}xxxyyyzzzz
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout

# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited
The consumer configuration is as follows:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema

### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

loglevel 256
#loglevel -1
#loglevel 16384
logfile /var/log/slapd.log

modulepath /usr/lib/openldap

# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
directory /var/lib/ldap

# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #

# syncrepl specific indices
index entryUUID eq

# syncrepl directives
syncrepl rid=0
    provider=ldap://ldap
    bindmethod=simple
    binddn="uid=replicator,ou=people,dc=chin,dc=ca"
    #binddn="cn=admin,dc=chin,dc=ca"
    credentials=xyzyzzz
    searchbase="dc=chin,dc=ca"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

# Refer updates to the master
updateref ldap://ldap
Error messages on the consumer are:
Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000 mods check (pwdAttribute: value #0 invalid per syntax)
Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Which looks like it is missing a schema. But I can't find a schema that is missing.
Log messages on the provider showing replicator account activity:
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 ACCEPT from IP=172.16.50.40:45510 (IP=0.0.0.0:389)
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 RESULT tag=97 err=0 text=
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH attr=* +
Aug 15 09:29:53 provir009 slapd[27606]: send_search_entry: conn 6736 ber write failed.
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 closed (connection lost on write)
Aug 15 09:29:53 provir009 slapd[27606]: connection_read(17): no connection!
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 fd=17 ACCEPT from IP=172.16.50.40:45511 (IP=0.0.0.0:389)
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 RESULT tag=97 err=0 text=
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
I don't know what this means, I'm afraid. But intuitively it doesn't look good.
Any guidance would be astoundingly great. I am new to ldap so this is a bit of a learning curve.
Many thanks
Rocke Robertson Gouvernement du Canada | Government of Canada
Besides Dmitriy's hint about your ACL.
rocke.robertson@pch.gc.ca wrote:
> Error messages on the consumer are:
>
> Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
> Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000 mods check (pwdAttribute: value #0 invalid per syntax)
> Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
>
> Which looks like it is missing a schema. But I can't find a schema that is missing.
You have to enable slapo-ppolicy at the consumer as well if you are replicating the password policy entries and user entry slapo-ppolicy attributes.
Ciao, Michael.
openldap-technical@openldap.org
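As an added example that is not part of the thread (neither the posted configs nor Michael's reply), a small Python check that parses trimmed copies of the two posted slapd.conf files and flags the two replication gaps visible in them: the ppolicy overlay that Michael says the consumer also needs, and the posted userPassword ACL, which grants the replicator DN no read access on userPassword, so changed passwords are never sent to the consumer. The parser is a simplified one (continuation lines joined, first-match ACL evaluation for `*` and `dn.exact=` subjects only); all suffixes, DNs and directive names are the ones on the page.

```python
import re, shlex
PROVIDER = """moduleload ppolicy.la  # constructed excerpt of the posted provider slapd.conf
access to attrs=userPassword by self write by anonymous auth by * none
database bdb
suffix "dc=chin,dc=ca"
overlay ppolicy
overlay syncprov
overlay accesslog"""
CONSUMER = """database bdb  # constructed excerpt of the posted consumer slapd.conf
suffix "dc=chin,dc=ca"
syncrepl rid=0 provider=ldap://ldap
    binddn="uid=replicator,ou=people,dc=chin,dc=ca" syncdata=accesslog"""

def parse(conf):
    """slapd.conf text -> list of sections [global, db1, db2, ...] as dicts."""
    secs = [{"overlay": [], "access": []}]
    for ln in re.sub(r"\n[ \t]+", " ", conf).splitlines():  # join continuation lines
        toks = shlex.split(ln, comments=True)
        if toks and toks[0] == "database":
            secs.append({"overlay": [], "access": []})
        elif toks and toks[0] in ("overlay", "access"):
            secs[-1][toks[0]].append(toks[1:])
        elif toks:
            secs[-1][toks[0]] = toks[1:]
    return secs

def replicator_pw_access(acls, binddn):
    """Access level the bind DN gets on userPassword: first matching 'by' wins."""
    for acl in acls:
        if "attrs=userPassword" in acl:
            for clause in " ".join(acl).split(" by ")[1:]:
                who, level = clause.split()[:2]
                if who in ("*", "dn.exact=" + binddn):  # self/anonymous never match it
                    return level
    return "none"  # slapd's implicit trailing 'by * none'

def lint(provider_conf, consumer_conf):
    """Yield the replication problems a delta-syncrepl pair would hit."""
    psecs, csecs = parse(provider_conf), parse(consumer_conf)
    cdb = next(d for d in csecs if "syncrepl" in d)
    binddn = dict(t.split("=", 1) for t in cdb["syncrepl"])["binddn"]
    pdb = next(d for d in psecs[1:] if d.get("suffix") == cdb["suffix"])
    # ppolicy-style overlays must also run on the consumer; syncprov/accesslog are provider-only.
    for ov, *_ in pdb["overlay"]:
        if ov not in ("syncprov", "accesslog") and [ov] not in cdb["overlay"]:
            yield f"consumer lacks 'overlay {ov}' on {cdb['suffix'][0]}"
    # The replication DN must be able to read userPassword or it is never sent.
    lvl = replicator_pw_access(psecs[0]["access"], binddn)
    if lvl not in ("read", "write", "manage"):
        yield f"{binddn} gets only '{lvl}' on userPassword at the provider"
```

Against the real files, `list(lint(open(p).read(), open(c).read()))` reports both findings for the configs posted above and nothing once the consumer loads the overlay and the provider ACL grants the replicator DN read on userPassword.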