Okay, I changed the olcSyncrepl type to refreshAndPersist and removed the interval settings.
It seems to work now, although I don't really understand why.
Thanks for your help on the ACLs.
Regards,
Vincent
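The change described above (type=refreshOnly with a polling interval replaced by type=refreshAndPersist), as an added example that is not code from this thread or from OpenLDAP. It parses the rid=101 olcSyncrepl stanza copied from the config quoted further down, rewrites it, and runs the cross-checks a reviewer would make on the same stanza. Two things visible in that config drive the checks: the userPassword ACL grants read to cn=rpuser,dc=foo,dc=bar while the binddn and the olcLimits clause use uid=rpuser,dc=foo,dc=bar, so the identity that actually binds falls through that ACL and gets no read access to userPassword; and the stanza does a simple bind over ldap:// without starttls, which is only acceptable because the -vpn hostnames suggest the link is already tunnelled (the lint reports it as advisory). Everything else in the block is a generic helper with no OpenLDAP dependency.

```python
"""Added example, not code from the thread or from OpenLDAP: parse an
olcSyncrepl value, rewrite it from refreshOnly to refreshAndPersist, and lint
it against the DNs the rest of the posted config grants rights to."""
import re
import shlex

# rid=101 stanza exactly as posted in the config quoted further down
POSTED_SYNCREPL = (
    '{0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" '
    'bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" '
    'type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1'
)
# DNs the same config uses for the replication identity elsewhere
POSTED_GRANTS = {
    "olcLimits {0}": "uid=rpuser,dc=foo,dc=bar",
    "olcAccess {0} (userPassword)": "cn=rpuser,dc=foo,dc=bar",
}


def parse_syncrepl(value):
    """Split an olcSyncrepl value into an ordered dict key -> value. The {N}
    ordering prefix is dropped; shlex strips the double quotes around values
    that contain spaces or commas (binddn, searchbase, retry)."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"malformed syncrepl token: {token!r}")
        params[key] = val
    return params


def format_syncrepl(params):
    """Serialise back to the one-line syntax slapd expects, re-quoting values
    that contain spaces or commas."""
    parts = []
    for key, val in params.items():
        if " " in val or "," in val:
            val = f'"{val}"'
        parts.append(f"{key}={val}")
    return " ".join(parts)


def to_refresh_and_persist(value):
    """Return the stanza with type=refreshAndPersist and no interval. interval
    only drives the polling loop of refreshOnly; in refreshAndPersist the
    provider pushes changes over a persistent search, so it is dropped rather
    than left behind as dead configuration."""
    params = parse_syncrepl(value)
    params["type"] = "refreshAndPersist"
    params.pop("interval", None)
    return format_syncrepl(params)


def normalize_dn(dn):
    """Comparison key for DNs: case-folded, whitespace around RDNs removed
    (enough for the ASCII DNs here; not a full RFC 4514 normaliser)."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def lint_syncrepl(value, grants):
    """Findings a reviewer would raise about one stanza, as strings.
    grants: label -> DN for every olcLimits/olcAccess clause that is meant
    to identify the replication user."""
    p = parse_syncrepl(value)
    findings = []
    binddn = p.get("binddn", "")
    for label, dn in grants.items():
        if normalize_dn(dn) != normalize_dn(binddn):
            findings.append(f"{label} names {dn} but syncrepl binds as {binddn}: "
                            "that clause never applies to the replication session")
    if (p.get("bindmethod") == "simple" and p.get("provider", "").startswith("ldap://")
            and p.get("starttls") not in ("yes", "critical")):
        findings.append("simple bind over ldap:// without starttls: the password "
                        "crosses the wire in clear unless the link is tunnelled")
    if p.get("type") == "refreshOnly" and "interval" in p:
        findings.append(f"refreshOnly polls every {p['interval']}; nothing "
                        "replicates between polls")
    return findings


if __name__ == "__main__":
    print(to_refresh_and_persist(POSTED_SYNCREPL))
    for f in lint_syncrepl(POSTED_SYNCREPL, POSTED_GRANTS):
        print("-", f)
```

The rewritten value is what you would feed to ldapmodify as the replacement olcSyncrepl; the lint only compares DNs textually, so run it against every clause that is supposed to name the replication user, not just the ones shown here.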
On 15/01/2020 at 17:27, Vincent Ducot wrote:
Hi,
You can find below my full config.
To be more precise, my problem is:
- I add a user on node1; it's replicated on node2.
- I add a second user (or group) on node2; it's not replicated on node2.
In the logs, I get:
Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: slap_queue_csn: queueing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: slap_graduate_commit_csn: removing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
What does "nonpresent_callback" mean?
I also tested with the replication user in a different database, as suggested on this mailing list, but the result is the same.
Regards,
Vincent
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcDisallows: bind_anon
olcLogLevel: any
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcToolThreads: 1
olcServerID: 0 ldap:///
olcServerID: 1 ldap://node1-vpn
olcServerID: 2 ldap://node2-vpn
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: {0}syncprov.la
# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRequires: authc
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}HdZbPd66TxCjeYEIAASbAQTnvFh3GOTw
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/foobar/ldap
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by anonymous auth by self write by dn.exact="cn=rpuser,dc=foo,dc=bar" read
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRequires: authc
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {SSHA}zL8CSrnkBacsebLUsJ+dzva6eQ7xcyZJ
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbMaxSize: 1073741824
# {0}syncprov, {2}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
On 13/01/2020 at 20:31, Quanah Gibson-Mount wrote:
>
>
> --On Monday, January 13, 2020 6:32 PM +0100 Vincent Ducot
> <vincent.ducot(a)rubycat.eu> wrote:
>
>>
>> Ok, I thought the rule matched if "by" also matched. Thanks for shedding
>> light on it.
>>
>> I applied the olcAccess you proposed.
>>
>> I still have the problem of deletion of "dc=foo,dc=bar" tree on node2,
>> for example when I add a user on node1. Any idea why ?
>
> Not off the top of my head. Without full configs for both servers or
> an understanding of the state of the replicated databases on each
> server, it would all be random speculation.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
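The "nonpresent_callback" question in the thread, as an added example that is not code from this thread or from OpenLDAP. In the consumer, after a refreshOnly cycle in which the provider sent a present list (the LDAP_RES_INTERMEDIATE - SYNC_ID_SET message in the posted log), slapd walks its own copy of the searchbase and calls nonpresent_callback on each entry: an entryUUID that is on the provider's list is logged as "present", anything else is logged as "nonpresent" and is then deleted. The list the provider sends is just the result of a search run as the replication identity, so entries that identity cannot read on the provider, or that fall outside its size limit, come back as nonpresent and are removed from the consumer. The seven "present" lines in the posted log therefore mean that particular cycle deleted nothing. The block reparses those log lines and then models the clean-up against a constructed consumer database: the uid=bob entry, both made-up UUIDs and the cn=admin,dc=nodomain entry are inventions for the demonstration, and ordering deletions by comma count is a simplification of how the real code orders them.

```python
"""Added example, not code from the thread or from OpenLDAP: parse the posted
nonpresent_callback / cookie log lines and model what the consumer does with
the provider's present list after a refreshOnly cycle."""
import re
from collections import namedtuple

# slapd log lines copied from the thread (re-joined where the mail wrapped them)
POSTED_LOG = """\
Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
"""

COOKIE_RE = re.compile(r"do_syncrep2: rid=(\d+) cookie=rid=\d+,csn=(\S+)")
CALLBACK_RE = re.compile(
    r"nonpresent_callback: rid=(\d+) (present|nonpresent) UUID ([0-9a-f-]+), dn (.+)$")

Entry = namedtuple("Entry", "uuid dn")


def parse_refresh_log(text):
    """Group the log by rid: the cookie CSN the cycle ended on, and the local
    entries the callback classified as present or nonpresent (uuid -> dn)."""
    cycles = {}
    for line in text.splitlines():
        m = COOKIE_RE.search(line)
        if m:
            cycle = cycles.setdefault(m.group(1), {"csn": None, "present": {}, "nonpresent": {}})
            cycle["csn"] = m.group(2)
            continue
        m = CALLBACK_RE.search(line)
        if m:
            rid, state, uuid, dn = m.groups()
            cycle = cycles.setdefault(rid, {"csn": None, "present": {}, "nonpresent": {}})
            cycle[state][uuid] = dn
    return cycles


def under(dn, base):
    """True when dn is base itself or lies beneath it (plain suffix test on
    lower-cased DNs; fine for the ASCII DNs here, not a full RFC 4514 match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def nonpresent_delete_plan(local_entries, present_uuids, searchbase):
    """Model of the consumer's clean-up after a present phase: every entry in
    its own database under searchbase whose entryUUID the provider did not
    list is deleted. Returned deepest-first (depth approximated by comma
    count) so the plan can be applied without hitting non-leaf entries."""
    doomed = [e for e in local_entries
              if under(e.dn, searchbase) and e.uuid not in present_uuids]
    return sorted(doomed, key=lambda e: e.dn.count(","), reverse=True)


# Constructed consumer database: the seven entries the provider listed, plus
# one entry the provider did NOT list (hypothetical, e.g. unreadable to the
# replication identity) and one entry from the other suffix on the node.
HIDDEN = Entry("0f0f0f0f-0000-1039-aaaa-000000000001", "uid=bob,ou=people,dc=foo,dc=bar")
OTHER_SUFFIX = Entry("0f0f0f0f-0000-1039-aaaa-000000000002", "cn=admin,dc=nodomain")


def local_database():
    listed = parse_refresh_log(POSTED_LOG)["101"]["present"]
    return [Entry(u, d) for u, d in listed.items()] + [HIDDEN, OTHER_SUFFIX]


def demo():
    """Two cycles against the constructed database: the posted present list
    (only the unlisted entry goes), and an empty present list (the whole
    replicated subtree goes, base entry last)."""
    listed = set(parse_refresh_log(POSTED_LOG)["101"]["present"])
    partial = nonpresent_delete_plan(local_database(), listed, "dc=foo,dc=bar")
    empty = nonpresent_delete_plan(local_database(), set(), "dc=foo,dc=bar")
    return partial, empty


if __name__ == "__main__":
    partial, empty = demo()
    print("deleted with posted present list:", [e.dn for e in partial])
    print("deleted with empty present list:", [e.dn for e in empty])
```

The practical check this suggests is to bind to each provider as the replication identity and run the same subtree search the consumer does; whatever that search fails to return is what the consumer will consider nonpresent on the next refreshOnly cycle.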