I'm an admitted ldap lightweight but have been able to bring up an ldap server and populate it with the contents of my /etc/passwd file. Now I want to set up a replica on another machine using sync replication and am having a few issues getting it to work. My most recent success was getting simple authentication working because before it was failing and now it's not so I've at least gotten that far. Here's what my replication section looks like in ldap.conf:
syncrepl rid=123
provider=ldap://10.99.99.99:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=myldap,dc=com"
filter="(objectClass=account)"
scope=sub
schemachecking=off
updatedn="cn=replica,dc=myldap,dc=com"
bindmethod=simple
binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
credentials=Something
I'm pretty sure I have the search parameters set correctly because if I run:
ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
it dumps all my uids.
The part I'm not clear on is how to define things on the slave side. For example I have the main part of the conf set the same on the master, just to make things easy on me and so I have the following which is exactly how I have the master set up.
database bdb
suffix "dc=myldap,dc=com"
rootdn "cn=Manager,dc=myldap,dc=com"
rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
directory /var/lib/ldap
I'm guessing my problem may be with updatedn="cn=replica,dc=myldap,dc=com", but I'm not sure what it should be and whether or not I have to prime the replica with any special authentication to be able to write to it.
If I run "ldapsearch -x -b 'dc=myldap,dc=com'" against the replica it comes up empty so I'm sure nothing is getting replicated. Further if I run the slave slapd with -d128 I get:
[root@hpdc3dmgt1 ~]# slapd -d 128
@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
slapd starting
request done: ld 0x2ac52b507c70 msgid 1
=> bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
do_syncrep2: rid 123got search entry without control
do_syncrepl: rid 123 quitting
but I have no idea where it's looking for the entry, on the master or the slave? But I do have that entry on the master.
I'm sure I'm doing something wrong but am also hoping it's relatively minor.
-mark
Quoting "Seger, Mark" mark.seger@hp.com:
I'm an admitted ldap lightweight but have been able to bring up an ldap server and populate it with the contents of my /etc/passwd file. Now I want to set up a replica on another machine using sync replication and am having a few issues getting it to work. ...
Perhaps you've neglected to configure your provider machine properly, in particular to modify its ACLs, or to load, activate and configure the Sync Provider overlay for it. Or, you may have simply made things too complicated, which can also lead to problems.
This is what I did to get my first test systems to work using simple auth:
* OpenLDAP provider http://www.rjsystems.nl/en/2100-openldap-provider.php
* OpenLDAP consumer http://www.rjsystems.nl/en/2100-openldap-consumer.php
Cheers,
Jaap
Seger, Mark wrote:
Hi,
Does 'lsfadmin' have access to read the whole tree on the master? And if it's a simple Master x N slaves type, which it probably is, you can't write to the slave - slapd.conf :: updateref ldaps://mymaster.domain.tld
Regards, Zdenek
On 23/02/2010 22:26, Seger, Mark wrote:
Don't forget that syncrepl is pull-based replication. That is, the slave connects to the master and gets data.
In light of this, check your configuration for:
- the syncrepl statement above in the *slave* slapd.conf
- a "overlay syncprov" in the *master* slapd.conf (plus any configuration you may want)
- the "updatedn" element in your syncrepl statement should not be necessary. As the man page stipulates: "It is only needed in certain push-mode replication scenarios."
This should get things going, if not, please post back here with more details on any errors you have (log file extracts).
Hope this helps, Jonathan
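A provider/consumer slapd.conf pair along the lines Jonathan and Zdenek describe, written here as an added example and not taken from anything posted in the thread. The replication account cn=replicator, the ACLs and the retry/updateref values are assumptions; the rootpw values are placeholders.

```conf
# ---------- provider (master) slapd.conf ----------
# Load the Sync Provider overlay. Whether a moduleload line is needed
# depends on how the package was built; omit it if syncprov is built in.
modulepath  /usr/lib/openldap
moduleload  syncprov.la

database    bdb
suffix      "dc=myldap,dc=com"
rootdn      "cn=Manager,dc=myldap,dc=com"
rootpw      {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory   /var/lib/ldap

# Dedicated replication identity (assumed name) instead of a People account:
# it may read the whole subtree, including password hashes, but write nothing.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=myldap,dc=com" read
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=myldap,dc=com" read
        by * read

# The overlay that answers a consumer's search with the RFC 4533 sync
# control. Without it the consumer logs "got search entry without control".
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# ---------- consumer (slave) slapd.conf ----------
database    bdb
suffix      "dc=myldap,dc=com"
rootdn      "cn=Manager,dc=myldap,dc=com"
rootpw      {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
directory   /var/lib/ldap

# Pull-based: the consumer binds to the provider and fetches the tree.
# No updatedn (push-mode only). The default filter (objectClass=*) brings
# over the base and ou=People entries as well as the accounts.
# credentials is cleartext, so slapd.conf must be readable by root only;
# ldap:// also carries the bind and every entry unencrypted across the
# network, so an ldaps:// provider URI is the safer choice.
syncrepl rid=123
        provider=ldap://10.99.99.99:389
        type=refreshOnly
        interval=01:00:00:00
        retry="60 10 300 +"
        searchbase="dc=myldap,dc=com"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=myldap,dc=com"
        credentials=REPLACE_ME

# Clients that try to write to the replica are referred to the provider.
updateref   ldap://10.99.99.99:389
```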
-----Original Message-----
From: Jonathan Clarke [mailto:jonathan@phillipoux.net]
Sent: Thursday, February 25, 2010 6:00 AM
To: Seger, Mark
Cc: openldap-technical@openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going
Don't forget that syncrepl is pull-based replication. That is, the slave connects to the master and gets data.
In light of this, check your configuration for:
- the syncrepl statement above in the *slave* slapd.conf
- a "overlay syncprov" in the *master* slapd.conf (plus any
configuration you may want)
I've made progress, I finally got my slave authenticating with the master, but I'm confused with your statement about modifying something in the master's slapd.conf. I don't want to, nor do I think I even can, modify anything with the master. I'm basing my choice for using syncrepl on http://www.openldap.org/doc/admin22/syncrepl.html, which says in the first section:
"With syncrepl, a consumer server can create a replica without changing provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart."
I'm assuming my replication isn't working, even though I don't see any errors, because when I run slapd on the slave followed by slapcat, all I see is the original entry I populated it with, namely: dn: cn=Manager,dc=myldap,dc=com.
Are there some specific debugging switches I can use when running the slave to get some insight into what's happening? I did try various combinations of the debugging switch and didn't see anything jump out of the output though I was surprised to see what looked like a lot of SNMP OIDs.
Is there some explicit way to see the slave send a pull request to the master and see what the master returns?
Does this mean anything: do_syncrep2: rid 123got search entry without control
-mark
- the "updatedn" element in your syncrepl statement should not be
necessary. As the man page stipulates: "It is only needed in certain push-mode replication scenarios."
This should get things going, if not, please post back here with more details on any errors you have (log file extracts).
Hope this helps, Jonathan
--
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
On 25/02/2010 13:17, Seger, Mark wrote:
-----Original Message-----
From: Jonathan Clarke [mailto:jonathan@phillipoux.net]
Sent: Thursday, February 25, 2010 6:00 AM
To: Seger, Mark
Cc: openldap-technical@openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going
Don't forget that syncrepl is pull-based replication. That is, the slave connects to the master and gets data.
In light of this, check your configuration for: - the syncrepl statement above in the *slave* slapd.conf - a "overlay syncprov" in the *master* slapd.conf (plus any configuration you may want)
I've made progress, I finally got my slave authenticating with the master, but I'm confused with your statement about modifying something in the master's slapd.conf. I don't want to, nor do I think I even can, modify anything with the master. I'm basing my choice for using syncrepl on http://www.openldap.org/doc/admin22/syncrepl.html, which says in the first section:
This link is for OpenLDAP 2.2, you should use this for your version of OpenLDAP : http://www.openldap.org/doc/admin23/
"With syncrepl, a consumer server can create a replica without changing provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart."
This means that you can add consumer servers to an existing architecture without having to modify the master's configuration to add each one (this was not the case with the previous replication system, slurpd).
I'm assuming my replication isn't working, even though I don't see any errors, because when I run slapd on the slave followed by slapcat, all I see is the original entry I populated it with, namely: dn: cn=Manager,dc=myldap,dc=com.
Are there some specific debugging switches I can use when running the slave to get some insight into what's happening? I did try various combinations of the debugging switch and didn't see anything jump out of the output though I was surprised to see what looked like a lot of SNMP OIDs.
Is there some explicit way to see the slave send a pull request to the master and see what the master returns?
Does this mean anything: do_syncrep2: rid 123got search entry without control
Yes - this means the master doesn't understand the syncrepl protocol, and returned results without using it (it takes the form of an LDAP control). This is because you must include the "syncprov" overlay in the master's configuration, as described here:
http://www.openldap.org/doc/admin23/syncrepl.html#Set%20up%20the%20provider%...
You need to modify the master's configuration to use syncrepl. If you really can't, you can't use syncrepl, and will have to look into alternatives to get your data out.
Hope this helps, Jonathan
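Mark asked how to see whether the master answers syncrepl at all. One check, added here as an example rather than anything from the thread: a provider with syncprov active advertises the RFC 4533 sync request control (OID 1.3.6.1.4.1.4203.1.9.1.1) in its root DSE, so the consumer host can look for that OID before starting slapd. The provider URI argument is assumed and the sample ldapsearch output is constructed.

```shell
#!/bin/sh
# Check whether an OpenLDAP provider advertises the LDAP Content
# Synchronization request control that a syncrepl consumer needs.
# If the OID is absent, "overlay syncprov" is not active on the provider
# and the consumer will log "got search entry without control".

SYNC_REQUEST_OID="1.3.6.1.4.1.4203.1.9.1.1"

# Anonymous base search of the root DSE for the supportedControl list.
# $1 is the provider URI, e.g. ldap://10.99.99.99:389 from the thread.
fetch_root_dse() {
    ldapsearch -x -LLL -H "$1" -s base -b '' supportedControl
}

# Pure filter: reads ldapsearch output on stdin, returns 0 when the sync
# request control is listed, 1 otherwise. -x matches the whole line and
# -F treats the dots in the OID literally.
has_sync_control() {
    grep -qxF "supportedControl: ${SYNC_REQUEST_OID}"
}

check_provider() {
    if fetch_root_dse "$1" | has_sync_control; then
        echo "syncprov is active on $1"
        return 0
    fi
    echo "no sync control advertised by $1: add 'overlay syncprov' to the provider slapd.conf" >&2
    return 1
}

# Constructed root DSE output for offline testing: the first resembles a
# provider with syncprov loaded, the second the master described in the thread.
SAMPLE_WITH_SYNCPROV='dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 1.2.840.113556.1.4.319'

SAMPLE_WITHOUT_SYNCPROV='dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319'

# Run the live check only when a provider URI is given on the command line.
if [ $# -gt 0 ]; then
    check_provider "$1"
fi
```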
"With syncrepl, a consumer server can create a replica without changing provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart."
This means that you can add consumer servers to an existing architecture without having to modify the master's configuration to add each one (this was not the case with the previous replication system, slurpd).
But then you say:
You need to modify the master's configuration to use syncrepl. If you really can't, you can't use syncrepl, and will have to look into alternatives to get your data out.
Hope this helps,
I understand what you're saying but doesn't that mean the documentation is wrong because it says I don't have to change the provider's configuration? -mark
Jonathan
On 25/02/2010 13:42, Seger, Mark wrote:
"With syncrepl, a consumer server can create a replica without changing provider's configurations and without restarting the provider server, if the consumer server has appropriate access privileges for the DIT fragment to be replicated. The consumer server can stop the replication also without the need for provider-side changes and restart."
I understand what you're saying but doesn't that mean the documentation is wrong because it says I don't have to change the provider's configuration?
I think the documentation is unclear, possibly confusing.
As I tried to elaborate, what it means is that, given an existing provider/consumer setup, a new consumer server can be added without restarting the provider server.
However, initial setup *does* require changing the configuration of the provider.
Jonathan
-----Original Message-----
From: Jonathan Clarke [mailto:jonathan@phillipoux.net]
Sent: Thursday, February 25, 2010 7:56 AM
To: Seger, Mark
Cc: openldap-technical@openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going
I think the documentation is unclear, possibly confusing.
As I tried to elaborate, what it means is that, given an existing provider/consumer setup, a new consumer server can be added without restarting the provider server.
However, initial setup *does* require changing the configuration of the provider.
Understood. Adding that statement to the documentation would be a good thing. -mark
Jonathan
On Thursday 25 February 2010 13:57:04, Seger, Mark wrote: [..]
Understood. Adding that statement to the documentation would be a good thing. -mark
Please create an enhancement request via the ITS (http://www.openldap.org/its). Otherwise this might never happen.