Hello,
Was setting up replication for our LDAP server, and was following the guide here, https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP#Setti...
I had success with this guide but just a problem with authentication, I could see in the ldap debug log for node1 entries like this:
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 ACCEPT from IP=<node1's IP>:34606 (IP=0.0.0.0:389)
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" mech=SIMPLE ssf=0
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 RESULT tag=97 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD attr=olcSyncrepl
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD attr=olcMirrorMode
Jul 20 16:21:22 node1 slapd[10218]: slap_client_connect: URI=ldap://node2.genome.arizona.edu DN="cn=ldapreader,dc=genome,dc=arizona,dc=edu" ldap_sasl_bind_s failed (49)
Jul 20 16:21:22 node1 slapd[10218]: do_syncrepl: rid=001 rc 49 retrying
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=3 UNBIND
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 closed
and in the debug log for node2 entries like this:
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 ACCEPT from IP=<node1's IP>:56460 (IP=0.0.0.0:389)
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 BIND dn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 RESULT tag=97 err=49 text=
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=1 UNBIND
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 closed
It turns out I had literally used credentials="secret" in the add-replication-node1/node2.ldif files! So I went back and used slappasswd to generate a new password, put it into the ldapreader.ldif and used ldapmodify instead this time, with success on both nodes:
[root@node1 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.ldif
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"

[root@node1 openldap]#
[root@node2 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.conf
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"

[root@node2 openldap]#
Then I updated the add-replication-node1/node2.ldif to modify the entry with the actual password instead of "secret"... on node1 I got two success messages:
[root@node1 openldap]# cat add-replication-node1.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://node2.genome.arizona.edu binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" bindmethod=simple credentials="<actual password>" searchbase="dc=genome,dc=arizona,dc=edu" type=refreshAndPersist timeout=0 network-timeout=0 retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node1.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"

modifying entry "olcDatabase={1}bdb,cn=config"

[root@node1 openldap]#
However, when I went to modify the entries on node2, I now got the error <olcMirrorMode> database is not a shadow:
[root@node2 openldap]# cat add-replication-node2.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://node1.genome.arizona.edu binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" bindmethod=simple credentials="<actual password>" searchbase="dc=genome,dc=arizona,dc=edu" type=refreshAndPersist timeout=0 network-timeout=0 retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node2.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"

modifying entry "olcDatabase={1}bdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: <olcMirrorMode> database is not a shadow

[root@node2 openldap]#
Now the replication has stopped and there are no connection entries in the ldap debug logs. So what did I do wrong, and how do I get replication going again?
Thanks,
--On Thursday, July 26, 2018 2:36 PM -0700 admin@genome.arizona.edu wrote:
Hello,
Now the replication has stopped and there are no connection entries in the ldap debug logs. So what did I do wrong, and how do I get replication going again?
a) Do you have a unique olcServerID set in cn=config for both masters?
b) Have you made sure there is no olcUpdateRef attribute set?
c) What version of OpenLDAP are you running?
d) I would note that back-bdb is deprecated. You may want to investigate migrating to back-mdb.
e) I would suggest making this a single transaction:

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://node1.genome.arizona.edu binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" bindmethod=simple credentials="<actual password>" searchbase="dc=genome,dc=arizona,dc=edu" type=refreshAndPersist timeout=0 network-timeout=0 retry="60 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount wrote on 07/26/2018 01:54 PM:
a) Do you have a unique olcServerID set in cn=config for both masters?
Yes, I thought I set that according to the guide. Actually, I just noticed in the guide that both ldifs use "olcServerID: 1", so perhaps that is a mistake? If I search for that variable on node1, I can see it in the config:
slapd.d/cn=config.ldif:olcServerID: 1
I ran a transaction on node2 to set it to 2, and now it is showing up on node1:
slapd.d/cn=config.ldif:olcServerID: 2
Actually, when I look in the debug log for node1 I am seeing entries like this:
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 fd=25 ACCEPT from IP=<node2's IP>:41782 (IP=0.0.0.0:389)
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" method=128
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" mech=SIMPLE ssf=0
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=0 RESULT tag=97 err=0 text=
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=1 MOD dn="cn=config"
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=1 MOD attr=olcServerID
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=1 RESULT tag=103 err=0 text=
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 op=2 UNBIND
Jul 26 16:31:32 node1 slapd[10218]: conn=4826 fd=25 closed
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 fd=25 ACCEPT from IP=<node2's IP>:41784 (IP=0.0.0.0:389)
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" method=128
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" mech=SIMPLE ssf=0
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=0 RESULT tag=97 err=0 text=
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=1 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=1 MOD attr=olcSyncrepl olcMirrorMode
Jul 26 16:31:50 node1 slapd[10218]: olcMirrorMode: value #0: <olcMirrorMode> database is not a shadow
Jul 26 16:31:50 node1 slapd[10218]: olcMirrorMode: value #0: <olcMirrorMode> database is not a shadow
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=1 RESULT tag=103 err=80 text=<olcMirrorMode> database is not a shadow
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 op=2 UNBIND
Jul 26 16:31:50 node1 slapd[10218]: conn=4827 fd=25 closed
On node2 there is no setting for olcServerID; I am just using 'grep -R olcServerID *' in the /etc/openldap/slapd.d directory.
So it seems there is some sort of replication already happening... however, when I use ldapsearch to search for my uid, for example, it is only found when using node1 for the host, whereas node2 returns "No such object".
b) Have you made sure there is no olcUpdateRef attribute set?
It does not appear to be set on either node; I am just using grep again in the /etc/openldap/slapd.d directory.
c) What version of OpenLDAP are you running?
slapd 2.4.40 on both nodes.
d) I would note that back-bdb is deprecated. You may want to investigate migrating to back-mdb.
Actually, I'm about the 4th system admin to take over these machines and sadly have little knowledge of LDAP... so please bear with me... our config is maybe very messy! The "database is not a shadow" error, does it mean back-bdb does not support replication? If so, how do I migrate everything to back-mdb?
e) I would suggest making this a single transaction:
Thanks, I did try that but still got <olcMirrorMode> database is not a shadow
--On Thursday, July 26, 2018 6:02 PM -0700 admin@genome.arizona.edu wrote:
Quanah Gibson-Mount wrote on 07/26/2018 01:54 PM:
a) Do you have a unique olcServerID set in cn=config for both masters?
Yes, I thought I set that according to the guide. Actually, I just noticed in the guide that both ldifs use "olcServerID: 1", so perhaps that is a mistake? If I search for that variable on node1, I can see it in the config:
slapd.d/cn=config.ldif:olcServerID: 1
I ran a transaction on node2 to set it to 2, and now it is showing up on node1:
slapd.d/cn=config.ldif:olcServerID: 2
On node2 there is no setting for olcServerID; I am just using 'grep -R olcServerID *' in the /etc/openldap/slapd.d directory.
Are you replicating cn=config? If you are, the olcServerID value has to include a URI and be multi-valued. For MMR to function, it is mandatory that each have a unique olcServerID configured.
b) Have you made sure there is no olcUpdateRef attribute set?
It does not appear to be set on either node; I am just using grep again in the /etc/openldap/slapd.d directory.
Ok
c) What version of OpenLDAP are you running?
slapd 2.4.40 on both nodes.
That release is particularly old and known to have many replication related issues. I would strongly advise upgrading to the current release.
d) I would note that back-bdb is deprecated. You may want to investigate migrating to back-mdb.
Actually, I'm about the 4th system admin to take over these machines and sadly have little knowledge of LDAP... so please bear with me... our config is maybe very messy! The "database is not a shadow" error, does it mean back-bdb does not support replication? If so, how do I migrate everything to back-mdb?
Both backends support replication and the issue you're having is not related to this.
Unfortunately, without having a better idea of what your configuration is or what it's trying to achieve, it's difficult to help you further.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
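The preconditions Quanah lists in this thread (a unique olcServerID per master, olcServerID values carrying a URI when cn=config itself is replicated, no olcUpdateRef, olcMirrorMode only on a database that already has olcSyncrepl, and no leftover credentials="secret" from the guide) can be checked offline against cn=config dumps before anything is applied. This is an added example, not code from the thread or from the OpenLDAP project; the node names, hostnames and the two dumps are constructed to mirror the state described above.

```python
# Added example (not OpenLDAP tooling): static pre-flight check of cn=config
# LDIF dumps before enabling MMR. Node names, hosts and dumps are constructed.
import re

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, joining folded lines (one leading space)."""
    lines, entries, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        if attr == "dn":
            cur = entries.setdefault(value.strip(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value.strip())
    return entries

def check_mmr(configs):
    """configs: {node: ldif_text}. Returns findings that would break MMR."""
    findings, owner = [], {}  # owner: plain olcServerID number -> first node using it
    for node, text in configs.items():
        entries = parse_ldif(text)
        ids = entries.get("cn=config", {}).get("olcServerID", [])
        if not ids:
            findings.append(f"{node}: no olcServerID in cn=config")
        elif len(ids) == 1 and len(ids[0].split()) == 1:  # plain "N": this node's ID
            if owner.setdefault(ids[0], node) != node:
                findings.append(f"{node}: olcServerID {ids[0]} also used by {owner[ids[0]]}")
        # With cn=config itself replicated, every olcServerID value must carry a URI.
        if entries.get("olcDatabase={0}config,cn=config", {}).get("olcSyncrepl") \
                and any(len(s.split()) < 2 for s in ids):
            findings.append(f"{node}: cn=config replicated but olcServerID lacks a URI")
        for dn, attrs in entries.items():
            if not dn.startswith("olcDatabase="): continue
            if attrs.get("olcUpdateRef"):
                findings.append(f"{node}: {dn} still has olcUpdateRef set")
            syncrepl = attrs.get("olcSyncrepl", [])
            if attrs.get("olcMirrorMode", [""])[0].upper() == "TRUE" and not syncrepl:
                findings.append(f"{node}: {dn} sets olcMirrorMode without olcSyncrepl (not a shadow)")
            if any(re.search(r'credentials="?secret"?', s) for s in syncrepl):
                findings.append(f"{node}: {dn} olcSyncrepl still uses the guide's placeholder 'secret'")
    return findings
# Constructed dumps mirroring the thread: node1 is complete but keeps
# credentials="secret"; node2 lacks olcServerID and sets olcMirrorMode alone.
NODE1 = ("dn: cn=config\nolcServerID: 1\n\ndn: olcDatabase={1}bdb,cn=config\n"
         "olcSyncrepl: rid=001 provider=ldap://node2.example.test bindmethod=simple\n"
         '  credentials="secret" searchbase="dc=example,dc=test"\nolcMirrorMode: TRUE\n')
NODE2 = "dn: cn=config\n\ndn: olcDatabase={1}bdb,cn=config\nolcMirrorMode: TRUE\n"
```

Feed it the output of slapcat -n0 from each master (or the slapd.d/cn=config.ldif files) as the values of the dict; an empty result means the listed preconditions hold, which is what to confirm before re-adding olcMirrorMode.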
Thanks, I think I will start a new thread to help me upgrade openldap and get some sort of replication going... the olcMirrorMode setting was preventing modification to our user database and also prevented slapd from starting with the same error "database is not a shadow", so I just had to delete it... this thing is a mess