OpenLDAP 2.4.40
Syncrepl configuration:
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=101 provider=ldap://server1 searchbase="o=xxx,dc=yyy, dc=zzz" type=refreshOnly bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/openldap/certs/xxxxx.crt tls_key=/etc/openldap/certs/xxxxx.key tls_cacert=/etc/openldap/certs/cacert.pem interval=00:00:00:10 retry="5 10 10 10 30 +" timeout=1 starttls=critical
olcSyncrepl: {1}rid=102 provider=ldap://server2 searchbase="o=xxx,dc=yyyy, dc=zzz" type=refreshOnly bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/openldap/certs/ldapadmin.crt tls_key=/etc/openldap/certs/xxxxx.key tls_cacert=/etc/openldap/certs/cacert.pem interval=00:00:00:10 retry="5 10 10 10 30 +" timeout=1 starttls=critical
olcMirrorMode: TRUE
BTW, I just tried adding:
dn: olcOverlay={3}syncprov,olcDatabase={2},cn=config
changetype: modify
replace: olcSpCheckpoint
olcSpCheckpoint: 1024
-
add: olcSpSessionlog
olcSpSessionlog: 1024
-
add: olcSpReloadhint
olcSpReloadhint: TRUE
And that seemed to fix it! Maybe it was just the checkpoint being "1 1" that was messing it up? Or maybe I needed the session log. I realize that this is the deprecated approach. I'd probably put in cn=changelog instead if there's a good reason to do so.
-Frank
On Tue, Apr 12, 2016 at 6:26 PM, Frank Crow fjcrow2008@gmail.com wrote:
OK, if I do a backup with slapcat, I still would want to wipe the existing contents of the DIT first, right?
Also, I just tried doing a list of deleted uid entries using "ldapdelete -ZZ -f /file.ldif" and although the command did not complain, not all of the entries in the file.ldif were deleted from all replicas. I really think there is something wrong with my configuration! I suppose that I'll try cn=changelog next.
Thanks, Frank
On Tue, Apr 12, 2016 at 5:47 PM, Michael Ströder michael@stroeder.com wrote:
Frank Crow wrote:
I'm trying to create backup and restore scripts using LDAP command line tools.
For various reasons backup and restore should be done with command-line tools slapcat and slapadd which operate directly on the database files.
And yes, with recent backend modules like back-mdb and back-hdb you can do hot backup while slapd is running.
Of course, before a restore you have to stop slapd and remove the DB files. After using slapadd you should check whether ownership/permissions are still correct.
Ciao, Michael.
-- Frank
--On Tuesday, April 12, 2016 7:33 PM -0400 Frank Crow fjcrow2008@gmail.com wrote:
OpenLDAP 2.4.40
Upgrade. There are serious MMR issues in that release.
Syncrepl configuration:
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=101 provider=ldap://server1 searchbase="o=xxx,dc=yyy, dc=zzz" type=refreshOnly bindmethod=sasl saslmech=EXTERNAL
I strongly advise against using refreshOnly. There's virtually no instance where that is the correct option.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
openldap-technical@openldap.org
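Frank's symptom (deletes applied on one node but missing on others) is what a contextCSN comparison across the MMR nodes catches directly, and it is the check to run after following Quanah's advice to upgrade and move to refreshAndPersist. The script below is an added example, not from the thread or from OpenLDAP: it reads each node's contextCSN values, which carry the originating serverID in the third `#` field, and reports any node that lacks a serverID's CSN or holds an older one than its peers. The server URIs, suffix and the use of SASL EXTERNAL over StartTLS (with the client certificate configured in ldap.conf) are assumptions taken from the thread's setup.

```shell
#!/bin/sh
# Added example: check whether syncrepl has converged by comparing contextCSN
# across providers. Suffix and URIs are assumptions from the thread.
set -u

SUFFIX="${SUFFIX:-o=xxx,dc=yyy,dc=zzz}"   # placeholder suffix from the thread

# stdin: raw contextCSN values (<timestamp>#<count>#<sid>#<mod>)
# stdout: "<sid> <csn>" lines sorted by sid
parse_csn() {
    awk -F'#' 'NF == 4 { print $3, $0 }' | sort
}

# Fetch the contextCSN values of one node. Assumes SASL EXTERNAL over StartTLS
# with TLS_CERT/TLS_KEY set in ldap.conf, matching the thread's syncrepl config.
fetch_csn() {
    ldapsearch -LLL -o ldif-wrap=no -ZZ -H "$1" -Y EXTERNAL \
               -b "$SUFFIX" -s base contextCSN 2>/dev/null \
        | sed -n 's/^contextCSN: //p' | parse_csn
}

# stdin: "<server> <sid> <csn>" lines for every node.
# Exit 0 when every node holds the newest CSN for every serverID; otherwise
# print one line per lagging or missing entry and exit 1. CSNs start with a
# UTC timestamp, so plain string comparison orders them correctly.
compare_csn() {
    awk '
        {
            csn[$1, $2] = $3; servers[$1] = 1; sids[$2] = 1
            if ($3 > newest[$2]) newest[$2] = $3
        }
        END {
            rc = 0
            for (s in servers) for (sid in sids) {
                if (!((s, sid) in csn)) {
                    print s " has no contextCSN for sid " sid; rc = 1
                } else if (csn[s, sid] < newest[sid]) {
                    print s " lags on sid " sid ": " csn[s, sid] " < " newest[sid]; rc = 1
                }
            }
            exit rc
        }'
}

# Usage: check_cluster ldap://server1 ldap://server2 ...
check_cluster() {
    for uri in "$@"; do
        fetch_csn "$uri" | sed "s|^|$uri |"
    done | compare_csn
}

[ $# -gt 0 ] && check_cluster "$@"
```

A node that keeps lagging on one serverID while the others agree is the replica to look at; a node with no CSN at all for a serverID has never consumed that provider's changes, which is the pattern an interval-driven refreshOnly consumer with a broken session log produces.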