Trying a different method of replication to suit our need and I set up two test servers for n-way master mirroring servers. Both servers have the same configuration being fed to them through puppet. In the logs I can see them bind and check cookies but I get

CSN too old, ignoring 20110608165005.984980Z#000000#000#000000 (olcOverlay={4}syncprov,olcDatabase={1}hdb,cn=config)

Then the last slapd entry in the log is

rid=002 cookie=rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000

and then nothing else happens. If I make a change to a user it never syncs to the other server.
At this point I don't know what to look at or what you might want to look at to help diagnose the problem. I followed the documentation in the admin guide to set this up.
Any and all help is appreciated.
Thank you, Eric Speake Web Systems Administrator O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
--On Friday, July 26, 2013 4:18 PM -0500 espeake@oreillyauto.com wrote:
> Trying a different method of replication to suit our need and I set up two test servers for n-way master mirroring servers. Both servers have the same configuration being fed to them through puppet. In the logs I can see them bind and check cookies but I get CSN too old, ignoring 20110608165005.984980Z#000000#000#000000 (olcOverlay={4}syncprov,olcDatabase={1}hdb,cn=config). Then the last slapd entry in the log is rid=002 cookie=rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000 and then nothing else happens. If I make a change to a user it never syncs to the other server.
>
> At this point I don't know what to look at or what you might want to look at to help diagnose the problem. I followed the documentation in the admin guide to set this up.
Please start by providing your OpenLDAP version. It would also be useful for you to provide your replication configuration between the two servers (minus passwords).
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Thanks, we are using 2.4.28 on Ubuntu 12.04.
cn=config.ldif:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
olcServerID: 1 ldap://tntest-ldap-1.oreillyauto.com
olcServerID: 2 ldap://tntest-ldap-2.oreillyauto.com
structuralObjectClass: olcGlobal
entryUUID: f074a7c6-09ed-1030-9529-0bb60fbd91a8
creatorsName: cn=config
createTimestamp: 20110503162710Z
olcSecurity: simple_bind=0
olcSecurity: ssf=0
olcSecurity: tls=0
olcLocalSSF: 0
olcTLSCACertificateFile: /etc/ldap/wildcard.oreillyauto.com.crt
olcTLSCertificateFile: /etc/ldap/wildcard.oreillyauto.com.crt
olcTLSCertificateKeyFile: /etc/ldap/wildcard.oreillyauto.com.key
olcIdleTimeout: 30
olcLogFIle: /var/log/slapd/ldapsync
olcLogLevel: 16384
entryCSN: 20110616153436.707254Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20110616153436Z
olcDatabase{0}config.ldif
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: secret
structuralObjectClass: olcDatabaseConfig
olcsyncrepl: {0}rid=001 provider=ldap://tntest-ldap-1.oreillyauto.com uri="ldap://tntest-ldap-1.oreillyauto.com" type=refreshAndPersist retry="5 +" searchbase="cn=config" bindmethod=simple binddn="cn=admin,cn=config" credentials=<password>
olcsyncrepl: {1}rid=002 provider=ldap://tntest-ldap-2.oreillyauto.com uri="ldap://tntest-ldap-2.oreillyauto.com" type=refreshAndPersist retry="5 +" searchbase="cn=config" bindmethod=simple binddn="cn=admin,cn=config" credentials=<password>
olcMirrorMode: TRUE
olcAccess: to * by dn="uid=admin,dc=oreillyauto,dc=com" write by dn="uid=ldapadmin,ou=system,dc=oreillyauto,dc=com" write by * none
entryUUID: f074ba7c-09ed-1030-952b-0bb60fbd91a8
creatorsName: cn=config
createTimestamp: 20110503162710Z
entryCSN: 20110503162710.319234Z#000000#000#000000
modifiersName: cn=config
ModifyTimestamp: 20110503162710Z
olcDatabase{1}hdb.ldif
olcDbIndex: uid eq
olcDbIndex: oreillyGroup eq
olcDbIndex: locationEntry eq
olcDbIndex: counterNumber eq
olcDbIndex: businessCategory eq
olcDbIndex: locationNumber eq
olcDbIndex: position eq
olcDbIndex: title eq,subany
olcDbIndex: givenName eq,subany
olcDbIndex: functionListing eq
olcDbIndex: manager eq
olcDbIndex: sn eq,subany
olcDbIndex: nickName eq,subany
olcDbIndex: employeeNumber eq
olcDbIndex: ou eq
olcDbIndex: entryUUID eq
olcDbIndex: supervisor eq
olcDbIndex: entryCSN eq
olcSyncRepl: {0}rid=004 provider=ldap://tntest-ldap-1.oreillyauto.com uri="ldap://tntest-ldap-1.oreillyauto.com" bindmethod=simple binddn="uid=admin,dc=oreillyauto,dc=com" credentials=<password>searchbase="dc=oreillyauto,dc=com" logbase="cn=accesslog" type refreshAndPersist retry="50 +"
olcSyncRepl: {1}rid=005 provider=ldap://tntest-ldap-2.oreillyauto.com uri="ldap://tntest-ldap-2.oreillyauto.com" bindmethod=simple binddn="uid=admin,dc=oreillyauto,dc=com" credentials=<password>searchbase="dc=oreillyauto,dc=com" logbase="cn=accesslog" type refreshAndPersist retry="50 +"
olcMirrorMode: TRUE
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcHdbConfig
entryUUID: 5d3c8434-0acd-1030-95eb-4165b688bcbf
creatorsName: cn=config
createTimestamp: 20110504190630Z
olcLimits: {0}dn.exact="uid=admin,ou=System,dc=oreillyauto,dc=com" time.so
 ft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}dn.exact="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" time
 .soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=admin,dc=oreillyauto,dc=com" write by dn="uid=ldapadmin,ou-system,dc=oreillyauto,dc=com" read by * none
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueName
 s/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" wri
 te by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreil
 lyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="
 cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by s
 elf write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="o
 u=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by
  group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyau
 to,dc=com" read by * none
olcAccess: {8}to * by self read by users read
entryCSN: 20110915141524.047299Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20110915141524Z
olcDatabase{-1}frontend.ldif
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcSizeLimit: 500
olcSecurity: ssf=0
olcSecurity: tls=0
olcSecurity: update_ssf=0
olcSecurity: simple_bind=0
structuralObjectClass: olcDatabaseConfig
entryUUID: f074b130-09ed-1030-952a-0bb60fbd91a8
creatorsName: cn=config
createTimestamp: 20110503162710Z
entryCSN: 20110503162710.318995Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110503162710Z
The file mentioned in the error looks like this.
dn: olcOverlay={4}syncprov
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig
entryUUID: 1b49aa46-263b-1030-8326-f98fc9d5aed6
creatorsName: cn=admin,cn=config
createTimestamp: 20110608165005Z
entryCSN: 20110608165005.984980Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20110608165005Z
I need to be able to sync both schema and data in this instance. Thank you for your help.
Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com, openldap-technical@openldap.org Date: 07/26/2013 04:44 PM Subject: Re: N-Way Master replication no contextcsn Sent by: openldap-technical-bounces@OpenLDAP.org
-- This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: C7650600A36.ADE2D
Hi,
On Fri, 26 Jul 2013, espeake@oreillyauto.com wrote:
> Trying a different method of replication to suit our need and I set up two test servers for n-way master mirroring servers. Both servers have the same configuration being fed to them through puppet. In the logs I can see them bind and check cookies but I get CSN too old, ignoring 20110608165005.984980Z#000000#000#000000 (olcOverlay={4}syncprov,olcDatabase={1}hdb,cn=config). Then the last slapd entry in the log is rid=002 cookie=rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000 and then nothing else happens. If I make a change to a user it never syncs to the other server.
>
> At this point I don't know what to look at or what you might want to look at to help diagnose the problem. I followed the documentation in the admin guide to set this up.
>
> Any and all help is appreciated.
1. You are using an ancient openldap version 2.4.28 compiled by your distribution. Please start by updating to a current 2.4.35 build from sources.
2. You say both servers have the same configuration through puppet? I see you are using cn=config. How are you distributing this configuration? You should not write any files to slapd.d via puppet or other means. Use slapcat/slapadd -n0 to export and import configurations.
Greetings Christian
The file structure is stored in module definitions and they are then applied to the server in their proper place via the puppet agent. The ldap servers are running and I can write to individual servers. I am just having issues with the replication. The one thing I see is the node identifier in the CSN, the second to last set of numbers, is all zeros. The CSN looks like a date, actually. Should I take that out of the puppet file, and when I do will it regenerate the CSN? Also, is the modify timestamp something that would be regenerated if I removed them? The configs I provided are actually from the puppet server.
Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: Christian Kratzer ck-lists@cksoft.de To: espeake@oreillyauto.com Cc: openldap-technical@openldap.org Date: 07/29/2013 10:44 AM Subject: Re: N-Way Master replication no contextcsn Sent by: openldap-technical-bounces@OpenLDAP.org
Hi,
On Mon, 29 Jul 2013, espeake@oreillyauto.com wrote:
> The file structure is stored in module definitions and they are then applied to the server in their proper place via the puppet agent. The ldap servers are running and I can write to individual servers. I am just having issues with the replication. The one thing I see is the node identifier in the CSN, the second to last set of numbers, is all zeros. The CSN looks like a date, actually. Should I take that out of the puppet file, and when I do will it regenerate the CSN? Also, is the modify timestamp something that would be regenerated if I removed them? The configs I provided are actually from the puppet server.
Modifying cn=config directly via the files under slapd.d is not supported and is bound to get you into trouble.
It is possible some of your definitions are silently not being parsed. You are bypassing any consistency checks by writing directly to cn=config.
You need to:
1. update to a current openldap-2.4.35 build from source or from one of the rpm packages on the net.
2. dump your cn=config using slapcat -n0 and reimport using slapadd -n0 to be sure it is written correctly.
3. update to a current openldap-2.4.35 build from source or from one of the rpm packages on the net.
Greetings Christian
--On Monday, July 29, 2013 10:57 AM -0500 espeake@oreillyauto.com wrote:
> The file structure is stored in module definitions and they are then applied to the server in their proper place via the puppet agent. The ldap servers are running and I can write to individual servers. I am just having issues with the replication. The one thing I see is the node identifier in the CSN, the second to last set of numbers, is all zeros. The CSN looks like a date, actually. Should I take that out of the puppet file, and when I do will it regenerate the CSN? Also, is the modify timestamp something that would be regenerated if I removed them? The configs I provided are actually from the puppet server.
Please don't top post.
Please upgrade to a current version of OpenLDAP. You can read over http://www.openldap.org/software/release/changes.html for the reasons why.
Please stop using puppet to maintain database files. This is *not* a valid practice, as was already noted to you. You need to learn the proper methods for maintaining your cn=config DB, via slapcat/slapadd and ldapmodify.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
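Added example, not part of the original thread: a small Python parser for the CSN and sync-cookie strings quoted from the slapd log, showing the all-zero server ID field Eric noticed next to the two configured olcServerID values, and how the ignored 2011-06 CSN compares with the 2011-09 CSN in the cookie. The function names are illustrative, and `too_old` is a simplified model of the consumer-side comparison, not slapd's code.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Values copied from the thread: the two olcServerID numbers, the CSN the
# consumer ignored, and the last sync cookie it logged.
CONFIGURED_SIDS = {1, 2}
IGNORED_CSN = "20110608165005.984980Z#000000#000#000000"
LAST_COOKIE = "rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000"

# timestamp.microsecondsZ # change count # server ID # modification number
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I
)


class CSN(NamedTuple):
    time: datetime  # UTC time of the change
    count: int      # counter for changes sharing one timestamp
    sid: int        # server ID of the server that wrote the change
    mod: int        # modification number within one operation


def parse_csn(text: str) -> CSN:
    m = CSN_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a CSN: {text!r}")
    when = datetime.strptime(m.group(1), "%Y%m%d%H%M%S.%f")
    return CSN(when.replace(tzinfo=timezone.utc),
               int(m.group(2), 16), int(m.group(3), 16), int(m.group(4), 16))


def parse_cookie(text: str) -> dict:
    """Split 'rid=..,sid=..,csn=a;b' into its parts (sid is hex, rid decimal)."""
    fields = dict(part.split("=", 1) for part in text.strip().split(","))
    csns = [parse_csn(c) for c in fields.get("csn", "").split(";") if c]
    return {"rid": int(fields["rid"]),
            "sid": int(fields.get("sid", "0"), 16),
            "csns": csns}


def too_old(incoming: CSN, known: list) -> bool:
    """Simplified model (assumption): a change is skipped when the cookie
    already holds a CSN for the same server ID that is at least as new."""
    def key(c: CSN):
        return (c.time, c.count, c.mod)
    return any(k.sid == incoming.sid and key(incoming) <= key(k) for k in known)


def diagnose(ignored: str, cookie: str, configured: set) -> dict:
    inc, ck = parse_csn(ignored), parse_cookie(cookie)
    seen = {inc.sid} | {c.sid for c in ck["csns"]}
    return {
        "ignored_csn_sid": inc.sid,
        "cookie_sender_sid": ck["sid"],
        "too_old": too_old(inc, ck["csns"]),
        # Server IDs stamped into CSNs that match no olcServerID value.
        "sids_not_configured": sorted(seen - set(configured)),
    }


if __name__ == "__main__":
    for name, value in diagnose(IGNORED_CSN, LAST_COOKIE, CONFIGURED_SIDS).items():
        print(f"{name}: {value}")
```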
As a noob, upgrading appears to be easier said than done. I am running on Ubuntu 10.04 on my master and I have tried to create packages from the code I downloaded from the web site and the install just doesn't work. So I found an RPM and converted it via alien to a deb file and used dpkg to try and install, and even with --force it erred out trying to overwrite the slapd.d folder. Is there an easy way to build the package as a deb file so I can install it and also add it to my repo for the other servers?
Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts
--On Friday, August 02, 2013 09:54:43 AM -0500 espeake@oreillyauto.com wrote:
> As a noob, upgrading appears to be easier said than done. I am running on Ubuntu 10.04 on my master and I have tried to create packages from the code I downloaded from the web site and the install just doesn't work. So I found an RPM and converted it via alien to a deb file and used dpkg to try and install, and even with --force it erred out trying to overwrite the slapd.d folder. Is there an easy way to build the package as a deb file so I can install it and also add it to my repo for the other servers?
I don't know about an easy way, but here is an overview of how we build OpenLDAP packages for our central LDAP service.
1. Pull the latest source packages from Debian.
2. Use git-import-dsc to create a clone to use with git-buildpackage. This lets us take advantage of the packaging work done by the Debian maintainers.
3. Clone the OpenLDAP repo and use it to generate a tar ball of the latest source.
4. Use git-import-orig to pull the OpenLDAP tar ball into the Debian clone.
5. Resolve any issues with the Debian patches. This involves running quilt push/pop iteratively and adjusting the patches as needed. This is really where most of the work is.
6. Apply any Stanford specific changes. For us this includes using openssl, increasing the IDL cache, and turning off c optimization.
7. Run git-buildpackage.

I should really move our internal build documentation to an external web server someday. Of course, this assumes that you have an environment that is ready for git-buildpackage.

This seems like many steps, but once you get a build environment it is simple to pick up new releases from OpenLDAP. Generally it just involves starting with a git-import-orig of the latest tarball and small adjustments to patches.
Bill