Oops -- forgot to enter subject-line!
On Thu, Dec 27, 2012 at 2:11 AM, fal patel fal0patel@gmail.com wrote:
Hello,
I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working.
Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master", I have created the following LDIF file and slapd.conf file, but when I run slapadd to create my config database it fails.
Could you please advise?
Thank you very much.
Fal
(1) The slapadd command I execute, and the error message I get:
sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
[sudo] password for ubuntu11:
50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_ 2.58% eta none elapsed none spd 1.1 M/s
Closing DB...
(2) My LDIF File, mmr-servers.ldif
# This sets up the config database:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# second and third servers will have a different olcServerID obviously:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 3

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

# This sets up syncrepl as a provider (since these are all masters):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la

# Now we setup the first Master Node
# (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
dn: cn=config
changetype: modify
replace: olcServerID
## olcServerID: 1 $URI1
olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
## olcServerID: 2 $URI2
olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
## olcServerID: 3 $URI3
olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

# Now start up the Master and a consumer/s;
# also add the above LDIF to the first consumer, second consumer etc.
# It will then replicate cn=config.
# You now have N-Way Multimaster on the config database.

# We still have to replicate the actual data, not just the config;
# so add to the master
# (all active and configured consumers/masters will pull down this config,
# as they are all syncing).
# Also, replace all ${} variables with whatever is applicable to your setup:
dn: olcDatabase={1}$BACKEND,cn=config
objectClass: olcDatabaseConfig
objectClass: olc${BACKEND}Config
olcDatabase: {1}$BACKEND
olcSuffix: $BASEDN
olcDbDirectory: ./db
olcRootDN: $MANAGERDN
olcRootPW: $PASSWD
olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited
olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Note: All of your servers' clocks must be tightly synchronized using e.g. NTP.
# Note: URLs specified in olcSyncRepl directives are the servers URLs to replicate from.
# These must exactly match the URLs slapd listens on (-h in Command-Line Options).
# Otherwise slapd may attempt to replicate from itself, causing a loop.
(3) My slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
## database bdb
## suffix "dc=my-domain,dc=com"
## rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
## rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
## directory /usr/local/var/openldap-data
# Indices to maintain
## index objectClass eq

## added for multimaster replication (prior to running slapadd to create db):
database bdb
# suffix <DN of root of subtree you are trying to create>
suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootpw secret
# directory for index files
directory /usr/local/var/openldap-data
# specify which indices you want to build
index objectClass eq
# loglevel 64
I have these additional questions also, please:
- It's "refreshAndPersist" Provider Push replication I want to implement, not "refreshOnly" Consumer Poll Pull. So in my mmr-servers.ldif file, can/should I change all the "refreshOnly" clauses in the Data Replication part to "refreshAndPersist"?
- In the above LDIF file, in both the Config Replication section and the Data Replication section, why does it add MirrorMode and set it to True? It's N-Way Multi-Master replication I want to implement, not Mirror-Mode replication, so can/should I get rid of all those "Mirror Mode" clause statements?
Thank you once again.
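Added here as an example (not code from the thread or from the OpenLDAP project) is a Python pre-flight check for a cn=config replication LDIF like the one above. It parses the records, flags $URI1-style placeholders left unexpanded (LDIF is not a shell script, so nothing substitutes them), and flags an olcSyncRepl provider= URL that matches none of the olcServerID URLs, the condition the note at the end of the file warns about. The sample LDIF and the example.test host names are constructed.

```python
"""Pre-flight checks for an N-way multi-master cn=config LDIF (added example,
not code from the thread or from OpenLDAP). Flags $URI1-style placeholders left
unexpanded (LDIF is not a shell script) and provider= URLs matching no olcServerID URL."""
import re

PLACEHOLDER = re.compile(r"\$\{?[A-Z][A-Z0-9_]*\}?")  # $URI1, ${BACKEND}, ...

def parse_ldif(text):
    """Records as lists of (attr, value): folds continuation lines, skips
    comments and the '-' op separator; a blank line ends a record."""
    lines = []
    for raw in text.splitlines():  # a leading space continues the prior line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:  # trailing "" flushes the last record
        if line.startswith("#") or line == "-":
            continue
        if not line.strip():
            if current:
                records.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.lstrip(":").strip()))
    return records

def check_mmr_ldif(text):
    """Return a list of findings; an empty list means the LDIF passed."""
    records, findings = parse_ldif(text), []
    if not records or records[0][0] != ("dn", "cn=config"):
        findings.append("first record must be dn: cn=config")
    server_urls, providers = set(), []
    for attr, value in (av for rec in records for av in rec):
        if PLACEHOLDER.search(value):
            findings.append(f"unexpanded placeholder in {attr}: {value}")
        elif attr == "olcServerID" and " " in value:  # "1 ldap://host" form
            server_urls.add(value.split(None, 1)[1])
        elif attr == "olcSyncRepl":
            providers += re.findall(r"provider=(\S+)", value)
    return findings + [f"provider {u} matches no olcServerID URL"
                       for u in providers if u not in server_urls]

SAMPLE = """\
# constructed sample modelled on the thread's mmr_servers.ldif, not the real file
dn: cn=config
olcServerID: 1 ldap://ldap1.example.test

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.example.test binddn="cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config"
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
olcSyncRepl: rid=003 provider=ldap://ldap3.example.test binddn="cn=config"
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcDatabase={1}$BACKEND,cn=config
olcSuffix: dc=example,dc=test
"""
```

Run check_mmr_ldif() on the file before slapadd; for the constructed sample it reports the $URI2 and $BACKEND placeholders and the unmatched ldap3 provider.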
On Thu, 27 Dec 2012 02:22:18 -0800, fal patel fal0patel@gmail.com wrote:
Oops -- forgot to enter subject-line!
On Thu, Dec 27, 2012 at 2:11 AM, fal patel fal0patel@gmail.com wrote:
Hello,
I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes, but it's not working.
[...]
(1) The slapadd command I execute, and the error message I get:
sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
[sudo] password for ubuntu11:
50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_ 2.58% eta none elapsed none
This error is quite clear: cn=config has to be database number 0, that is, the first database declaration must be cn=config. This is probably due to including a slapd.conf file with a database declaration.
-Dieter
Hi Dieter,
Thank you very much, but even though I spent all day trying to figure out the problem I could not make any progress at all.
The mmr_servers.ldif file I provided is an *exact* copy of the OpenLDAP 2.4 Administrator's Guide Section 18.3.3 "N-Way Multi-Master", so if it is not working it has to be a documentation error/bug in that section of the Administrator's Guide itself. Or is it the case that the variables I'm setting therein are wrong?
Here are the variable values I'm setting:
============================
# Also, replace all ${} variables with whatever is applicable to your setup:
BACKEND=bdb
BASEDN="dc=ldapservice,dc=hq,dc=mycompany,dc=com"
MANAGERDN="cn=admin,$BASEDN"
PASSWD=secret

The slapd.conf file also is the *exact* same one that gets created at install-time in /usr/local/etc/openldap/, with the only change being my "BDB database definitions" customisations as follows:
#######################################################################
# BDB database definitions
#######################################################################
## added for multimaster replication (prior to running slapadd to create db):
database bdb
# suffix <DN of root of subtree you are trying to create>
suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
rootpw secret
# directory for index files
directory /usr/local/var/openldap-data
# specify which indices you want to build
index objectClass eq
# loglevel 64

Whatever I try, however, slapadd gives the same error:
=======================================
ubuntu11@ubuntu11:~$ sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
50dd4b2a bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=practicefusion,dc=com) not configured to hold "cn=config"; did you mean to use database #0 (cn=config)?
_ 3.25% eta none elapsed none spd 833.5 k/s
Closing DB...

I didn't quite understand your instructions either:
==================================
"cn=config has to be database number 0, that is, the first database declaration must be cn=config."
In mmr_servers.ldif, the very first line is dn: cn=config
How do I cause cn=config to be database number 0, please?
And why should I have to, unless the text in OpenLDAP 2.4 Administrator's Guide, Section 18.3.3 "N-Way Multi-Master" has a bug?
Could you please advise? I am completely stuck.
Thank you very much.
Fal
On Thu, Dec 27, 2012 at 3:54 AM, Dieter Klünter dieter@dkluenter.de wrote:
[...]
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
On Fri, 28 Dec 2012 00:14:15 -0800, fal patel fal0patel@gmail.com wrote:
[...]
As I mentioned, your slapadd parameters include -f /path/to/slapd.conf and -F /path/to/slapd.d directory. You should disable any database declaration in slapd.conf or edit slapd.conf the old-fashioned way and run slaptest(8) afterwards.
-Dieter
From the manpage of slapadd:
'-n dbnum
Add entries to the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option. To populate the config database slapd-config(5), use -n 0 as it is always the first database. It must physically exist on the filesystem prior to this, however.'
hth
On 28.12.2012 09:14, fal patel wrote:
[...]
openldap-technical@openldap.org