Hi list,
I tried to read all information about the subject, both in the mail archives and on the website (admin guide and faq-o-matic), but somehow things are not working as expected.
I have 3 servers, Debian 6 with the distro-version of openldap (2.4.23-7). I use phpldapadmin (PLA for short), version 1.2.0.5. I also use ldapvi and the standard ldap-tools (ldapadd/ldapmodify etc). I use the slapd.d/ config backend. My userdata DIT is empty at the moment, until the issues are resolved.
*) When using n-way multimaster, I understand that the whole DIT is identical on all servers (assuming full read access for the replication DN, which is the case). Because of this, I used a generic name for the certificates, while on each server the content of the files is server-specific. This works as expected. The other difference between the servers is the slapd startup command line: it contains each server's own FQDN. On Debian, this is specified in /etc/default/slapd. On server1 this file has:
SLAPD_SERVICES="ldap://127.0.0.1 ldaps://server1.domain.tld ldapi:///"
On server2 the URI changes to ldaps://server2.domain.tld and on server3 it changes likewise. This is all per the admin guide.
For some reason, replication is not working as expected. Some updates go through, others are ignored and stay local on a server. The servers are on different subnets with a firewall in-between, but I can access each server from the other servers using e.g. 'ldapsearch'.
Question: With n-way multimaster, I understand the DIT should be identical on all servers. Can I just do tar -czf slapd.conf.tgz /etc/ldap/slapd.d on one server, and copy and untar this on the other servers (with slapd stopped) and start slapd? My (anonymized) slapd.d is at the end of this message (I deleted the (default) schema definitions for readability).
Question: Is the above-mentioned method a valid way to add/restore an extra n-way multimaster node in the setup? If so, do I do the export AFTER adding the extra node to the config, or BEFORE?
Question: I also want to replicate the dc=domain,dc=tld DIT. Can I use the same rid values in the replication statements as for the cn=config DIT, or do they need to be unique within the total config?
Question: I do not like to use the cn=admin,cn=config identity as the replication ID. Yet I do not have content in the dc=domain,dc=tld DIT, and thus no way to specify another identity. Can this be solved?
Once the DIT has the identity, I assume I can change the replication ID (as long as ACLs are not blocking things).
Can anyone answer my questions, or point me in the right direction? I tried numerous things with all kinds of different results, but I feel I am missing some fundamental insight.
Thanks for any help!
Marcel
-------------------------------------------------------------------- Anonymized slapd.d config of server1 (exported using PLA) --------------------------------------------------------------------
# Server: Server1 (ldap://localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 13
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on June 29, 2011 8:19 am
# Version: 1.2.0.5

version: 1

# Entry 1: cn=config
dn: cn=config
cn: config
contextcsn: 20110621205759.540662Z#000000#000#000000
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110621205759.540662Z#000000#000#000000
entrydn: cn=config
entryuuid: 690a54f4-06e9-1030-9aec-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110621205759Z
objectclass: olcGlobal
olcargsfile: /var/run/slapd/slapd.args
olcloglevel: sync
olcloglevel: stats
olcloglevel: args
olcpidfile: /var/run/slapd/slapd.pid
olcserverid: 11 ldaps://server1.domain.tld
olcserverid: 12 ldaps://server2.domain.tld
olcserverid: 13 ldaps://server3.domain.tld
olctlscacertificatefile: /etc/ssl/certs/cacert.org.pem
olctlscertificatefile: /etc/ssl/certs/thishost.crt
olctlscertificatekeyfile: /etc/ssl/private/thishost.key
olctlsverifyclient: NEVER
olctoolthreads: 1
structuralobjectclass: olcGlobal
subschemasubentry: cn=Subschema

# Entry 2: cn=module{0},cn=config
dn: cn=module{0},cn=config
cn: module{0}
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.660046Z#000000#000#000000
entrydn: cn=module{0},cn=config
entryuuid: 690b3608-06e9-1030-9af4-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcModuleList
olcmoduleload: {0}back_hdb
olcmoduleload: {1}syncprov.la
olcmodulepath: /usr/lib/ldap
structuralobjectclass: olcModuleList
subschemasubentry: cn=Subschema

# Entry 3: cn=schema,cn=config ### DELETED default schema definitions for readability
# Entry 4: cn={0}core,cn=schema,cn=config ### DELETED default schema definitions for readability
# Entry 5: cn={1}cosine,cn=schema,cn=config ### DELETED default schema definitions for readability
# Entry 6: cn={2}nis,cn=schema,cn=config ### DELETED default schema definitions for readability
# Entry 7: cn={3}inetorgperson,cn=schema,cn=config ### DELETED default schema definitions for readability
# Entry 8: olcBackend={0}hdb,cn=config
dn: olcBackend={0}hdb,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.707740Z#000000#000#000000
entrydn: olcBackend={0}hdb,cn=config
entryuuid: 69127d0a-06e9-1030-9af5-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcBackendConfig
olcbackend: {0}hdb
structuralobjectclass: olcBackendConfig
subschemasubentry: cn=Subschema

# Entry 9: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={-1}frontend,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110429201711.654507Z#000000#000#000000
entrydn: olcDatabase={-1}frontend,cn=config
entryuuid: 690a5da0-06e9-1030-9aed-e9c45301ace2
modifiersname: cn=config
modifytimestamp: 20110429201711Z
objectclass: olcDatabaseConfig
objectclass: olcFrontendConfig
olcaccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcaccess: {1}to dn.exact="" by * read
olcaccess: {2}to dn.base="cn=Subschema" by * read
olcdatabase: {-1}frontend
olcsizelimit: 500
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema

# Entry 10: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110619065612.945749Z#000000#000#000000
entrydn: olcDatabase={0}config,cn=config
entryuuid: 690a693a-06e9-1030-9aee-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619065612Z
objectclass: olcDatabaseConfig
olcaccess: {0}to * by dn.exact=cn=admin,cn=config read by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcdatabase: {0}config
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}deletedforsecurityreasons
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="cn=config" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="cn=config" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="cn=config" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema

# Entry 11: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
createtimestamp: 20110512150606Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201415.682681Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
entryuuid: 1ae3191c-10f5-1030-9102-e14c7638455a
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201415Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema

# Entry 12: olcDatabase={1}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
createtimestamp: 20110512144416Z
creatorsname: cn=admin,cn=config
entrycsn: 20110619123128.846982Z#000000#000#000000
entrydn: olcDatabase={1}hdb,cn=config
entryuuid: 0e60d5a6-10f2-1030-9d9b-35ce2d01c34c
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619123128Z
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,cn=config" write by * none
olcaccess: {1}to dn.base="" by * read
olcaccess: {2}to * by self write by dn="cn=admin,cn=config" write by * read
olcdatabase: {1}hdb
olcdbcheckpoint: 512 30
olcdbconfig: {0}set_cachesize 0 2097152 0
olcdbconfig: {1}set_lk_max_objects 1500
olcdbconfig: {2}set_lk_max_locks 1500
olcdbconfig: {3}set_lk_max_lockers 1500
olcdbdirectory: /var/lib/ldap/
olcdbindex: objectClass eq
olcdbindex: entryCSN eq
olcdbindex: entryUUID eq
olclastmod: TRUE
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}s1C7GBjdeletedforsecurityreasons
olcsuffix: dc=domain,dc=tld
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="dc=domain,dc=tld" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="dc=domain,dc=tld" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld binddn="cn=admin,cn=config" credentials="mysecretpassword" bindmethod=simple starttls=no searchbase="dc=domain,dc=tld" type=refreshAndPersist retry="5 5 300 +" timeout=0 network-timeout=0 filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcHdbConfig
subschemasubentry: cn=Subschema

# Entry 13: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
createtimestamp: 20110522163658Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201502.521704Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
entryuuid: 74b70896-18dd-1030-94f4-2183161cb5d6
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201502Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema
openldap-technical@openldap.org
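As an added example (not code from the mail above or from the OpenLDAP project), two offline checks a practitioner would run against a setup shaped like the one posted. The first scans a slapd.d export for rid values that are reused across syncrepl directives: slapd.conf(5) defines the rid as the identifier of a syncrepl directive within the whole consumer server, so the same rid numbers cannot be shared between the cn=config database and a data database. The second compares the per-serverID contextCSN values of one suffix as read from two providers, which is the direct way to see whether two multimaster nodes have converged or whether one serverID's changes stay local. The LDIF excerpt and the contextCSN listings are constructed to mimic the posted export (server names and serverIDs 11, 12, 13 follow the mail; the CSN timestamps are invented).

```sh
#!/bin/sh
# Added example, not from the original mail or from OpenLDAP.
# Inputs are constructed strings shaped like a slapd.d export and like the
# output of `ldapsearch -s base contextCSN`, so the checks run offline.

# Constructed excerpt of a slapd.d export: the cn=config database and the
# data database both carry syncrepl directives with the same rid numbers.
SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld searchbase="cn=config"
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld searchbase="cn=config"
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld searchbase="cn=config"

dn: olcDatabase={1}hdb,cn=config
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld searchbase="dc=domain,dc=tld"
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld searchbase="dc=domain,dc=tld"
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld searchbase="dc=domain,dc=tld"'

# duplicate_rids: read an LDIF export on stdin and print every rid that is
# used by more than one syncrepl directive. The rid identifies a syncrepl
# directive within the whole consumer server (slapd.conf(5)), so reusing
# 011..013 for a second database is a configuration error.
duplicate_rids() {
    grep -i '^olcsyncrepl:' | sed -n 's/.*rid=\([0-9]*\).*/\1/p' | sort | uniq -d
}

# Constructed contextCSN listings for dc=domain,dc=tld as read from two
# providers. In multimaster each server keeps one contextCSN per serverID;
# the serverID is the third '#' field, in hex (00b, 00c, 00d = 11, 12, 13).
SERVER1_CSN='dn: dc=domain,dc=tld
contextCSN: 20110629081500.123456Z#000000#00b#000000
contextCSN: 20110629081200.000001Z#000000#00c#000000
contextCSN: 20110628235959.000000Z#000000#00d#000000'

SERVER2_CSN='dn: dc=domain,dc=tld
contextCSN: 20110629081500.123456Z#000000#00b#000000
contextCSN: 20110629081200.000001Z#000000#00c#000000
contextCSN: 20110629080000.000000Z#000000#00d#000000'

# csn_table: turn 'contextCSN: <csn>' lines on stdin into sorted 'sid csn' rows.
csn_table() {
    grep -i '^contextcsn:' | sed 's/^[^:]*: *//' | awk -F'#' '{ print $3, $0 }' | sort
}

# csn_divergent: print the serverIDs whose contextCSN differs (or is missing)
# between two contextCSN listings given as $1 and $2. Rows that appear on
# both sides cancel out under `uniq -u`; what remains is the divergence.
# Empty output means the two servers have converged for that suffix.
csn_divergent() {
    { printf '%s\n' "$1" | csn_table; printf '%s\n' "$2" | csn_table; } |
        sort | uniq -u | cut -d' ' -f1 | sort -u
}

# Live use (needs the network, not run here): fetch the listing from each
# provider with e.g.
#   ldapsearch -x -H ldaps://server1.domain.tld -b dc=domain,dc=tld -s base contextCSN
# capture the outputs in two variables and pass them to csn_divergent.
```

In the constructed input `duplicate_rids` reports 011, 012 and 013, and `csn_divergent` names serverID `00d` (server3) as the one whose changes the second server has not seen; a serverID that never appears in a listing at all is reported the same way, which is what you would see if a server's own writes were being stamped with serverID 000 instead of its configured olcServerID.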