1:26 p.m.
I'm an admitted ldap lightweight but have been able to bring up an ldap server and
populate it with the contents of my /etc/passwd file. Now I want to set up a replica on
another machine using sync replication and am having a few issues getting it to work. My
most recent success was getting simple authentication working because before it was
failing and now it's not so I've at least gotten that far. Here's what my
replication section looks like in ldap.conf:
syncrepl rid=123
provider=ldap://10.99.99.99:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=myldap,dc=com"
filter="(objectClass=account)"
scope=sub
schemachecking=off
updatedn="cn=replica,dc=myldap,dc=com"
bindmethod=simple
binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
credentials=Something
I'm pretty sure I have the search parameters set correctly because if I run:
ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
it dumps all my uids.
The part I'm on clear on is how to define things on the slave side. For example I
have the main part of the conf set the same on the master, just to make things easy on me
and so I have the following which is exactly how I have the master set up.
database bdb
suffix "dc=myldap,dc=com"
rootdn "cn=Manager,dc=myldap,dc=com"
rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
directory /var/lib/ldap
I'm guessing my problem may be with updatedn="cn=replica,dc=myldap,dc=com",
but I'm not sure what it should be and whether or not I have to prime the replica with
any special authentication to be able to write to it.
If I run "ldapsearch -x -b 'dc=myldap,dc=com'" against the replica it
comes up empty so I'm sure nothing is getting replicated. Further if I run the slave
slapd with -d128 I get:
[root@hpdc3dmgt1 ~]# slapd -d 128
@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
slapd starting
request done: ld 0x2ac52b507c70 msgid 1
=> bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
do_syncrep2: rid 123got search entry without control
do_syncrepl: rid 123 quitting
but I have no idea where it's looking for the entry, on the master or the slave? But
I do have that entry on the master.
I'm sure I'm doing something wrong but am also hoping it's relatively minor.
-mark
6:15 p.m.
Quoting "Seger, Mark" <mark.seger(a)hp.com>:
I'm an admitted ldap lightweight but have been able to bring up
an
ldap server and populate it with the contents of my /etc/passwd
file. Now I want to set up a replica on another machine using sync
replication and am having a few issues getting it to work. ...
Perhaps you've neglected to configure your provider machine properly,
in particular to modify its ACLs, or to load, activate and configure
the Sync Provider overlay for it. Or, you may have simply made things
too complicated, which can also lead to problems.
This is what I did to get my first test systems to work using simple auth:
* OpenLDAP provider
http://www.rjsystems.nl/en/2100-openldap-provider.php
* OpenLDAP consumer
http://www.rjsystems.nl/en/2100-openldap-consumer.php
Cheers,
Jaap
11:17 p.m.
Seger, Mark wrote:
I’m an admitted ldap lightweight but have been able to bring up an
ldap
server and populate it with the contents of my /etc/passwd file. Now I
want to set up a replica on another machine using sync replication and
am having a few issues getting it to work. My most recent success was
getting simple authentication working because before it was failing and
now it’s not so I’ve at least gotten that far. Here’s what my
replication section looks like in ldap.conf:
Hi,
has 'lsfadmin' access to read whole tree on the master?
And if it's simple Master X N slaves type, which probably is, you can't
write to slave - slapd.conf :: updateref ldaps://mymaster.domain.tld
Regards,
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla(a)turnovfree.net
jabber: stybla(a)jabber.turnovfree.net
syncrepl rid=123
provider=ldap://10.99.99.99:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=myldap,dc=com"
filter="(objectClass=account)"
scope=sub
schemachecking=off
updatedn="cn=replica,dc=myldap,dc=com"
bindmethod=simple
binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
credentials=Something
I’m pretty sure I have the search parameters set correctly because if I run:
ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
it dumps all my uids.
The part I’m on clear on is how to define things on the slave side. For
example I have the main part of the conf set the same on the master,
just to make things easy on me and so I have the following which is
exactly how I have the master set up.
database bdb
suffix "dc=myldap,dc=com"
rootdn "cn=Manager,dc=myldap,dc=com"
rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
directory /var/lib/ldap
I’m guessing my problem may be with
updatedn="cn=replica,dc=myldap,dc=com", but I’m not sure what it should
be and whether or not I have to prime the replica with any special
authentication to be able to write to it.
If I run “ldapsearch -x -b 'dc=myldap,dc=com'” against the replica it
comes up empty so I’m sure nothing is getting replicated. Further if I
run the slave slapd with –d128 I get:
[root@hpdc3dmgt1 ~]# slapd -d 128
@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
slapd starting
request done: ld 0x2ac52b507c70 msgid 1
=> bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
do_syncrep2: rid 123got search entry without control
do_syncrepl: rid 123 quitting
but I have no idea where it’s looking for the entry, on the master or
the slave? But I do have that entry on the master.
I’m sure I’m doing something wrong but am also hoping it’s relatively minor.
-mark
3 a.m.
On 23/02/2010 22:26, Seger, Mark wrote:
I’m an admitted ldap lightweight but have been able to bring up an
ldap
server and populate it with the contents of my /etc/passwd file. Now I
want to set up a replica on another machine using sync replication and
am having a few issues getting it to work. My most recent success was
getting simple authentication working because before it was failing and
now it’s not so I’ve at least gotten that far. Here’s what my
replication section looks like in ldap.conf:
syncrepl rid=123
provider=ldap://10.99.99.99:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=myldap,dc=com"
filter="(objectClass=account)"
scope=sub
schemachecking=off
updatedn="cn=replica,dc=myldap,dc=com"
bindmethod=simple
binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
credentials=Something
I’m pretty sure I have the search parameters set correctly because if I run:
ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
it dumps all my uids.
The part I’m on clear on is how to define things on the slave side. For
example I have the main part of the conf set the same on the master,
just to make things easy on me and so I have the following which is
exactly how I have the master set up.
database bdb
suffix "dc=myldap,dc=com"
rootdn "cn=Manager,dc=myldap,dc=com"
rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
directory /var/lib/ldap
I’m guessing my problem may be with
updatedn="cn=replica,dc=myldap,dc=com", but I’m not sure what it should
be and whether or not I have to prime the replica with any special
authentication to be able to write to it.
If I run “ldapsearch -x -b 'dc=myldap,dc=com'” against the replica it
comes up empty so I’m sure nothing is getting replicated. Further if I
run the slave slapd with –d128 I get:
[root@hpdc3dmgt1 ~]# slapd -d 128
@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
slapd starting
request done: ld 0x2ac52b507c70 msgid 1
=> bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
do_syncrep2: rid 123got search entry without control
do_syncrepl: rid 123 quitting
but I have no idea where it’s looking for the entry, on the master or
the slave? But I do have that entry on the master.
I’m sure I’m doing something wrong but am also hoping it’s relatively minor.
Don't forget that syncrepl is pull-based replication. That is, the slave
connects to the master and gets data.
In light of this, check your configuration for:
- the syncrepl statement above in the *slave* slapd.conf
- a "overlay syncprov" in the *master* slapd.conf (plus any
configuration you may want)
- the "updatedn" element in your syncrepl statement should not be
necessary. As the man page stipulates: "It is only needed in certain
push-mode replication scenarios."
This should get things going, if not, please post back here with more
details on any errors you have (log file extracts).
Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
4:17 a.m.
-----Original Message-----
From: Jonathan Clarke [mailto:jonathan@phillipoux.net]
Sent: Thursday, February 25, 2010 6:00 AM
To: Seger, Mark
Cc: openldap-technical(a)openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going
On 23/02/2010 22:26, Seger, Mark wrote:
> I’m an admitted ldap lightweight but have been able to bring up an
ldap
> server and populate it with the contents of my /etc/passwd file. Now I
> want to set up a replica on another machine using sync replication and
> am having a few issues getting it to work. My most recent success was
> getting simple authentication working because before it was failing
and
> now it’s not so I’ve at least gotten that far. Here’s what my
> replication section looks like in ldap.conf:
>
> syncrepl rid=123
>
> provider=ldap://10.99.99.99:389
>
> type=refreshOnly
>
> interval=01:00:00:00
>
> searchbase="dc=myldap,dc=com"
>
> filter="(objectClass=account)"
>
> scope=sub
>
> schemachecking=off
>
> updatedn="cn=replica,dc=myldap,dc=com"
>
> bindmethod=simple
>
> binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
>
> credentials=Something
>
> I’m pretty sure I have the search parameters set correctly because if
I run:
>
> ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
>
> it dumps all my uids.
>
> The part I’m on clear on is how to define things on the slave side.
For
> example I have the main part of the conf set the same on the master,
> just to make things easy on me and so I have the following which is
> exactly how I have the master set up.
>
> database bdb
>
> suffix "dc=myldap,dc=com"
>
> rootdn "cn=Manager,dc=myldap,dc=com"
>
> rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
>
> directory /var/lib/ldap
>
> I’m guessing my problem may be with
> updatedn="cn=replica,dc=myldap,dc=com", but I’m not sure what it
should
> be and whether or not I have to prime the replica with any special
> authentication to be able to write to it.
>
> If I run “ldapsearch -x -b 'dc=myldap,dc=com'” against the replica it
> comes up empty so I’m sure nothing is getting replicated. Further if I
> run the slave slapd with –d128 I get:
>
> [root@hpdc3dmgt1 ~]# slapd -d 128
>
> @(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
>
> brewbuilder@hs20-bc1-
5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-
2.3.43/build-servers/servers/slapd
>
> slapd starting
>
> request done: ld 0x2ac52b507c70 msgid 1
>
> => bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
>
> do_syncrep2: rid 123got search entry without control
>
> do_syncrepl: rid 123 quitting
>
> but I have no idea where it’s looking for the entry, on the master or
> the slave? But I do have that entry on the master.
>
> I’m sure I’m doing something wrong but am also hoping it’s relatively
minor.
Don't forget that syncrepl is pull-based replication. That is, the slave
connects to the master and gets data.
In light of this, check your configuration for:
- the syncrepl statement above in the *slave* slapd.conf
- a "overlay syncprov" in the *master* slapd.conf (plus any
configuration you may want)
I've made progress, I finally got my slave authticting with the master, butI'm
confused with your statement about modifying something in the master's slapd.conf. I
don't want to, nor do I think I even can, modify anything with the master. I'm
basing my choice for using syncrepl on http://www.openldap.org/doc/admin22/syncrepl.html,
which says in the first section:
"With syncrepl, a consumer server can create a replica without changing
provider's configurations and without restarting the provider server, if the consumer
server has appropriate access privileges for the DIT fragment to be replicated. The
consumer server can stop the replication also without the need for provider-side changes
and restart."
I'm assuming my replication isn't work, even though I don't see any errors,
because when I run slapd on the slave followed by slapcat, all I see is the original entry
I populated it with, namely: dn: cn=Manager,dc=myldap,dc=com.
Are there some specific debugging switches I can use when running the slave to get some
insight into what's happening? I did try various combinations of the debugging switch
and didn't see anything jump out of the output though I was surprised to see what
looked like a lot of SNMP OIDs.
Is there some explicit way to see the slave send a pull request to the master and see what
the master returns?
Does this mean anything: do_syncrep2: rid 123got search entry without control
-mark
- the "updatedn" element in your syncrepl statement should
not be
necessary. As the man page stipulates: "It is only needed in certain
push-mode replication scenarios."
This should get things going, if not, please post back here with more
details on any errors you have (log file extracts).
Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
4:38 a.m.
On 25/02/2010 13:17, Seger, Mark wrote:
> -----Original Message----- From: Jonathan Clarke
> [mailto:jonathan@phillipoux.net] Sent: Thursday, February 25, 2010
> 6:00 AM To: Seger, Mark Cc: openldap-technical(a)openldap.org
> Subject: Re: a newbie trying to get the basics of syncrepl going
>
> On 23/02/2010 22:26, Seger, Mark wrote:
>> I’m an admitted ldap lightweight but have been able to bring up
>> an
> ldap
>> server and populate it with the contents of my /etc/passwd file.
>> Now I want to set up a replica on another machine using sync
>> replication and am having a few issues getting it to work. My
>> most recent success was getting simple authentication working
>> because before it was failing
> and
>> now it’s not so I’ve at least gotten that far. Here’s what my
>> replication section looks like in ldap.conf:
>>
>> syncrepl rid=123
>>
>> provider=ldap://10.99.99.99:389
>>
>> type=refreshOnly
>>
>> interval=01:00:00:00
>>
>> searchbase="dc=myldap,dc=com"
>>
>> filter="(objectClass=account)"
>>
>> scope=sub
>>
>> schemachecking=off
>>
>> updatedn="cn=replica,dc=myldap,dc=com"
>>
>> bindmethod=simple
>>
>> binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
>>
>> credentials=Something
>>
>> I’m pretty sure I have the search parameters set correctly
>> because if
> I run:
>>
>> ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
>>
>> it dumps all my uids.
>>
>> The part I’m on clear on is how to define things on the slave
>> side.
> For
>> example I have the main part of the conf set the same on the
>> master, just to make things easy on me and so I have the
>> following which is exactly how I have the master set up.
>>
>> database bdb
>>
>> suffix "dc=myldap,dc=com"
>>
>> rootdn "cn=Manager,dc=myldap,dc=com"
>>
>> rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
>>
>> directory /var/lib/ldap
>>
>> I’m guessing my problem may be with
>> updatedn="cn=replica,dc=myldap,dc=com", but I’m not sure what it
> should
>> be and whether or not I have to prime the replica with any
>> special authentication to be able to write to it.
>>
>> If I run “ldapsearch -x -b 'dc=myldap,dc=com'” against the
>> replica it comes up empty so I’m sure nothing is getting
>> replicated. Further if I run the slave slapd with –d128 I get:
>>
>> [root@hpdc3dmgt1 ~]# slapd -d 128
>>
>> @(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
>>
>> brewbuilder@hs20-bc1-
> 5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-
> 2.3.43/build-servers/servers/slapd
>>
>> slapd starting
>>
>> request done: ld 0x2ac52b507c70 msgid 1
>>
>> => bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
>>
>> do_syncrep2: rid 123got search entry without control
>>
>> do_syncrepl: rid 123 quitting
>>
>> but I have no idea where it’s looking for the entry, on the
>> master or the slave? But I do have that entry on the master.
>>
>> I’m sure I’m doing something wrong but am also hoping it’s
>> relatively
> minor.
>
> Don't forget that syncrepl is pull-based replication. That is, the
> slave connects to the master and gets data.
>
> In light of this, check your configuration for: - the syncrepl
> statement above in the *slave* slapd.conf - a "overlay syncprov" in
> the *master* slapd.conf (plus any configuration you may want)
I've made progress, I finally got my slave authticting with the
master, butI'm confused with your statement about modifying something
in the master's slapd.conf. I don't want to, nor do I think I even
can, modify anything with the master. I'm basing my choice for using
syncrepl on http://www.openldap.org/doc/admin22/syncrepl.html, which
says in the first section:
This link is for OpenLDAP 2.2, you should use this for your version of
OpenLDAP :
http://www.openldap.org/doc/admin23/
"With syncrepl, a consumer server can create a replica without
changing provider's configurations and without restarting the
provider server, if the consumer server has appropriate access
privileges for the DIT fragment to be replicated. The consumer server
can stop the replication also without the need for provider-side
changes and restart."
This means that you can add consumer servers to an existing architecture
without having to modify the master's configuration to add each one
(this was not the case with the previous replication system, slurpd).
I'm assuming my replication isn't work, even though I
don't see any
errors, because when I run slapd on the slave followed by slapcat,
all I see is the original entry I populated it with, namely: dn:
cn=Manager,dc=myldap,dc=com.
Are there some specific debugging switches I can use when running the
slave to get some insight into what's happening? I did try various
combinations of the debugging switch and didn't see anything jump out
of the output though I was surprised to see what looked like a lot of
SNMP OIDs.
Is there some explicit way to see the slave send a pull request to
the master and see what the master returns?
Does this mean anything: do_syncrep2: rid 123got search entry without
control
Yes - this means the master doesn't understand the syncrepl protocol,
and returned results without using it (it takes the form of an LDAP
control). This is because you must include the "syncprov" overlay in the
master's configuration, as described here:
You need to modify the master's configuration to use syncrepl. If you
really can't, you cant' use syncrepl, and will have to look into
alternatives to get your data out.
Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
4:42 a.m.
> "With syncrepl, a consumer server can create a replica
without
> changing provider's configurations and without restarting the
> provider server, if the consumer server has appropriate access
> privileges for the DIT fragment to be replicated. The consumer server
> can stop the replication also without the need for provider-side
> changes and restart."
This means that you can add consumer servers to an existing architecture
without having to modify the master's configuration to add each one
(this was not the case with the previous replication system, slurpd).
But then you say:
You need to modify the master's configuration to use syncrepl. If
you
really can't, you cant' use syncrepl, and will have to look into
alternatives to get your data out.
Hope this helps,
I understand what you're saying but doesn't that mean the documentation is wrong
because it says I don't have to change the providers configuration.
-mark
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
4:56 a.m.
On 25/02/2010 13:42, Seger, Mark wrote:
>> "With syncrepl, a consumer server can create a replica
without
>> changing provider's configurations and without restarting the
>> provider server, if the consumer server has appropriate access
>> privileges for the DIT fragment to be replicated. The consumer
>> server can stop the replication also without the need for
>> provider-side changes and restart."
>
> This means that you can add consumer servers to an existing
> architecture without having to modify the master's configuration to
> add each one (this was not the case with the previous replication
> system, slurpd).
But then you say:
> You need to modify the master's configuration to use syncrepl. If
> you really can't, you cant' use syncrepl, and will have to look
> into alternatives to get your data out.
>
> Hope this helps,
I understand what you're saying but doesn't that mean the
documentation is wrong because it says I don't have to change the
providers configuration.
I think the documentation is unclear, possibly confusing.
As I tried to elaborate, what it means is that, given an existing
provider/consumer setup, a new consumer server can be added without
restarting the provider server.
However, initial setup *does* require changing the configuration of the
provider.
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
4:57 a.m.
-----Original Message-----
From: Jonathan Clarke [mailto:jonathan@phillipoux.net]
Sent: Thursday, February 25, 2010 7:56 AM
To: Seger, Mark
Cc: openldap-technical(a)openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going
On 25/02/2010 13:42, Seger, Mark wrote:
>>> "With syncrepl, a consumer server can create a replica without
>>> changing provider's configurations and without restarting the
>>> provider server, if the consumer server has appropriate access
>>> privileges for the DIT fragment to be replicated. The consumer
>>> server can stop the replication also without the need for
>>> provider-side changes and restart."
>>
>> This means that you can add consumer servers to an existing
>> architecture without having to modify the master's configuration to
>> add each one (this was not the case with the previous replication
>> system, slurpd).
>
> But then you say:
>
>> You need to modify the master's configuration to use syncrepl. If
>> you really can't, you cant' use syncrepl, and will have to look
>> into alternatives to get your data out.
>>
>> Hope this helps,
>
> I understand what you're saying but doesn't that mean the
> documentation is wrong because it says I don't have to change the
> providers configuration.
I think the documentation is unclear, possibly confusing.
As I tried to elaborate, what it means is that, given an existing
provider/consumer setup, a new consumer server can be added without
restarting the provider server.
However, initial setup *does* require changing the configuration of the
provider.
Understood. Adding that statement to the documentation would be a good thing.
-mark
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan(a)phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
7:41 a.m.
Am Donnerstag 25 Februar 2010 13:57:04 schrieb Seger, Mark:
[..]
>I think the documentation is unclear, possibly confusing.
>
>As I tried to elaborate, what it means is that, given an existing
>provider/consumer setup, a new consumer server can be added without
>restarting the provider server.
>
>However, initial setup *does* require changing the configuration of
>the provider.
Understood. Adding that statement to the documentation would be a
good thing. -mark
Please create an enhancement request via the ITS
(http://www.openldap.org/its). Otherwise this might never happen.
--
thanks,
Ralf
4963
days inactive
4965
days old
openldap-technical@openldap.org
9 comments
5 participants
participants (5)
-
Jaap Winius -
Jonathan Clarke -
Ralf Haferkamp -
Seger, Mark -
Zdenek Styblik