Hi,
We're using a proxied sync-repl installation to populate various consumers from our single master.
For some time now, we've been seeing all kind of strange phenomenons, mostly with missing objects on some (not all consumers). Previously, our consumers and our master hadn't been identical with regards to the OpenLDAP version and the operating system used. While, according to the specs, this should have worked, we decided to rule out one source of trouble and upgrade our infrastructure and so right now, we're using OpenLDAP 2.4.47 on debian buster on all involved boxes:
% dpkg -l slapd [...] ii slapd 2.4.47+dfsg-3+deb10u4 amd64 OpenLDAP server (slapd)
One of the issue we're currently seeing is that memberOf queries don't work as expected. Different consumers yield different results, which again are different from what the master has.
See for example:
# on the master root@minerva:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com memberOf: cn=qube,ou=Group,dc=example,dc=com
# consumer #1 root@demeter:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com
# consumer #2 root@peta:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof dn: uid=ssebastian,ou=People,dc=example,dc=com memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com
However, when I investigate the group, I see the user listed in every one of them:
# on the master root@minerva:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
# on consumer #1 root@demeter:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
# on consumer #2 root@peta:~# ldapsearch -LLL -x cn=qube dn: cn=qube,ou=Group,dc=example,dc=com objectClass: groupOfNames objectClass: top objectClass: posixGroup cn: qube gidNumber: 1602 [...] member: uid=ssebastian,ou=People,dc=example,dc=com [...]
The master only shares the relevant part of the DIT to the consumers, so unfortunately I cannot 1:1 compare them using slapcat. But if I again apply a group filter, slapcat delivers correct results on all instances as well (ie slapcat -a 'cn=qube')
My first idea was an index issue, but running slapindex didn't change anything.
Any ideas what might be wrong and/or how to debug this issue?
Additionally - bear with me - we're not using cn=config, but the old style slapd.conf configuration.
Thanks
Udo
--On Monday, February 1, 2021 5:17 PM +0100 Udo Rader udo.rader@bestsolution.at wrote:
OpenLDAP 2.4.47
You need to run the current release (2.4.57) to have stable replication. Hopefully Debian has it in backports for your release. I strongly advise reading the list of fixes made since 2.4.47.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Am 2021-02-01 18:18, schrieb Quanah Gibson-Mount:
--On Monday, February 1, 2021 5:17 PM +0100 Udo Rader udo.rader@bestsolution.at wrote:
OpenLDAP 2.4.47
You need to run the current release (2.4.57) to have stable replication. Hopefully Debian has it in backports for your release. I strongly advise reading the list of fixes made since 2.4.47.
Thanks. We've been using proxy sync-repl without any real issues for years. Every now and then we had (and have) to fix some "glue" objects that for no apparent reason don't get synced properly, but I am unsure if this is the issue here.
ldapsearch shows that the consumers seem to have all the required information, but for reasons unknown, the memberOf overlay doesn't return all members of a group. Difficult to say if this has to do something with our proxied sync-repl situation, but like I said, we've seen some weird things going on when using this kind of setup.
Nevertheless, thanks for pointing out how far back debian is. If this has indeed something to do with the outdated versions, we will switch back to our previous FreeBSD based instances.
openldap-technical@openldap.org
-
Quanah Gibson-Mount -
Udo Rader