I am working in a test environment to construct a SAMBA / LDAP domain for windows clients. There is a PDC with OpenLDAP server 2.3.35 and SAMBA 3.026 running on ubuntu server 7.10.
The PDC is functioning; I am able to create users and login with them, as well as join workstations to the domain. The slave slapd was populated with an output from an ldif file that was exported from the master via:
slapcat -l >> master.ldif
I had entered the 'replica' line in the master-slapd, and the updatedn and updateref lines in the slave-slapd as stated in 14.4 in the OpenLDAP 2.3 admin's guide. The 'openldap' user has rights to the replog file.
Problem 1) The master (dc01-ubuntu.example.local) is not updating the replog file with either a success or failure.
Problem 2) The slave (bdc01-ubuntu.example.local) is not getting updates from the master when changes occur.
I am relatively new to LDAP and I might be missing something core. I have the OpenLDAP admin guide printed out and I am referring to it, but I believe I had entered the lines as the book instructed.
Attached are my master-slapd.conf and slave-slapd.conf files. Again, this is a test environment for now. I understand the current setup is not secure. What I would like to achieve is a working PDC -> BDC replication.
When I start slapd on the master I get "Starting OpenLDAP: slapd slurpd." with no errors.
When I start slapd on the slave I get "Starting OpenLDAP: slapd" with no errors.
master-slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       500
tool-threads    1
backend         bdb
checkpoint      512 30

database        bdb
suffix          "dc=example,dc=local"
rootdn          "cn=admin,dc=example,dc=local"
rootpw          12345

replica         uri=ldap://bdc01-ubuntu.example.local:389
                binddn="cn=admin,dc=example,dc=local"
                credentials=12345
                bindmethod=simple
                tls=no
replogfile      /var/log/replog.bdc01-ubuntu.example.local

directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
------------------------- slave slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        0
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       500
tool-threads    1
backend         bdb
checkpoint      512 30

database        bdb
### slurpd
updatedn        "cn=admin,dc=example,dc=local"
updateref       ldap://dc01-ubuntu.example.local
suffix          dc=example,dc=local
rootdn          cn=admin,dc=example,dc=local
rootpw          12345
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=local" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=local" write
        by * read
--On Friday, April 18, 2008 10:39 AM -0700 brad davison gh0t1@yahoo.com wrote:
I am working in a test environment to construct a SAMBA / LDAP domain for windows clients. There is a PDC with OpenLDAP server 2.3.35 and SAMBA 3.026 running on ubuntu server 7.10.
The PDC is functioning; I am able to create users and login with them, as well as join workstations to the domain. The slave slapd was populated with an output from an ldif file that was exported from the master via:
slapcat -l >> master.ldif
Interesting syntax, since the *option* to -l is a file. Why not just slapcat -l master.ldif?
I had entered the 'replica' line in the master-slapd, and the updatedn and updateref lines in the slave-slapd as stated in 14.4 in the OpenLDAP 2.3 admin's guide. The 'openldap' user has rights to the replog file.
Problem 1) The master (dc01-ubuntu.example.local) is not updating the replog file with either a success or failure.
Is slurpd running on the master? I will note that slurpd is deprecated with 2.3 (i.e., it is suggested that you DO NOT USE IT). It has been deleted from OpenLDAP 2.4. You should be using syncrepl or delta-syncrepl instead.
What options is slurpd running with if it is running?
Problem 2) The slave (bdc01-ubuntu.example.local) is not getting updates from the master when changes occur.
See questions in comment #1.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
--- On Fri, 4/18/08, Quanah Gibson-Mount quanah@zimbra.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
Subject: Re: OpenLDAP: slave is not being updated by master and replog is empty
To: brad@lucidcomputer.com, openldap-technical@openldap.org
Date: Friday, April 18, 2008, 9:37 PM
Thank you for your reply.
Is slurpd running on the master? I will note that slurpd is deprecated with 2.3 (I.e., it is suggested that you DO NOT USE IT). It has been deleted from OpenLDAP 2.4. You should be using syncrepl or delta-syncrepl instead.
What options is slurpd running with if it is running?
Yes, slurpd is running on the master with the -f option as the root user:

root 10258 0.0 0.0 12428 728 ? Ssl Apr18 0:00 slurpd -f /etc/ldap/slapd.conf

I was not aware that slurpd is being deprecated. I will stop the slurpd and remove the replica lines from the master and slave slapd.conf files and research more on syncrepl and delta-syncrepl.
Thank you
--- On Mon, 4/21/08, brad davison gh0t1@yahoo.com wrote:
From: brad davison gh0t1@yahoo.com
Subject: Re: OpenLDAP: slave is not being updated by master and replog is empty
To: brad@lucidcomputer.com, openldap-technical@openldap.org, "Quanah Gibson-Mount" quanah@zimbra.com
Date: Monday, April 21, 2008, 8:29 AM
Is there a particular order that the overlay syncprov directive needs to be at? I added the following lines to my master slapd.conf (after removing the replica and replog entries):
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
under the 'database bdb' section, then further down, modified index for:
index objectClass,entryCSN,entryUUID eq
as the OpenLDAP Software 2.3 admin's guide suggested.
but when I run slapd on the master I get:

Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via "slapd -d 16383" (warning: this will create copious output).

Below, you can find the command line options used by this script to run slapd and slurpd. Do not forget to specify those options if you want to look to debugging output:
slapd -g openldap -u openldap

so I ran 'slapd -d 16383' and I get:

......
......
line 72 (overlay syncprov)
overlay "syncprov" not found
/etc/ldap/slapd.conf: line 72: <overlay> handler exited with 1!
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
--On Monday, April 21, 2008 7:12 AM -0700 brad davison gh0t1@yahoo.com wrote:
so I ran 'slapd -d 16383' and I get:
line 72 (overlay syncprov)
overlay "syncprov" not found
/etc/ldap/slapd.conf: line 72: <overlay> handler exited with 1!
Make sure syncprov was included with the build of OpenLDAP you are running. Make sure if they use modular builds that you load it first. And yes, overlay statements must *always* come last in the OpenLDAP 2.3 release series inside a given database definition if they apply to a database.
--Quanah
--
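[Added by the editor, not a configuration posted by anyone in this thread.] The fragments below show what the two slapd.conf files look like once the advice so far is applied: syncprov loaded as a module before the line that uses it, "overlay syncprov" as the last directive of the database section, entryCSN/entryUUID indexed, and a syncrepl consumer in place of slurpd. They also close the gaps the posted configs leave open and that a BDC holding Samba password hashes should not have: a dedicated cn=replicator DN with read-only rights (it must be able to read userPassword/sambaNTPassword/sambaLMPassword or logons against the BDC fail, but it never needs write on the provider) instead of binding as the rootdn; a limits exemption so the consumer's first refresh is not cut off at the 500-entry sizelimit; starttls=critical so the hashes never cross the wire in clear; and a loglevel that actually records replication, since "loglevel 0" logs nothing at all. The cn=replicator entry and its password, the certificate paths, the {SSHA} rootpw placeholder and the syncprov-checkpoint values are assumptions. Check the slapd.conf(5) shipped with your 2.3 build for the exact spellings it accepts (symbolic loglevel names, and "retry" and "starttls" inside syncrepl); delta-syncrepl needs an additional accesslog database that is not shown here.

```text
### Provider: /etc/ldap/slapd.conf on dc01-ubuntu.example.local
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# "loglevel 0" logs nothing. "sync" (16384) shows syncprov/syncrepl activity,
# "stats" (256) shows the consumer's bind and search. Use the numeric sum
# (16640) if your build only accepts numbers.
loglevel        sync stats

modulepath      /usr/lib/ldap
moduleload      back_bdb
# must be loaded before the "overlay syncprov" line below is parsed
moduleload      syncprov

sizelimit       500

# server certificate and key (paths are assumptions)
TLSCertificateFile      /etc/ldap/ssl/dc01.crt
TLSCertificateKeyFile   /etc/ldap/ssl/dc01.key

database        bdb
suffix          "dc=example,dc=local"
rootdn          "cn=admin,dc=example,dc=local"
# output of slappasswd; never a cleartext rootpw
rootpw          {SSHA}...
directory       "/var/lib/ldap"
index           objectClass,entryCSN,entryUUID eq

# cn=replicator is an ordinary entry (organizationalRole + simpleSecurityObject)
# added with ldapadd; it is an assumption, not an entry from the thread.
# Without this exemption the consumer's initial refresh stops at 500 entries
# and the replica silently holds a partial copy.
limits dn.exact="cn=replicator,dc=example,dc=local"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited

# the replica must READ the hashes; it never needs write access here
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=admin,dc=example,dc=local" write
        by dn.exact="cn=replicator,dc=example,dc=local" read
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn.exact="cn=admin,dc=example,dc=local" write
        by dn.exact="cn=replicator,dc=example,dc=local" read
        by * read

# overlays come last in the database section
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

### Consumer: /etc/ldap/slapd.conf on bdc01-ubuntu.example.local
# (same include / pidfile / argsfile / modulepath / moduleload back_bdb lines)
loglevel        sync stats

database        bdb
suffix          "dc=example,dc=local"
# syncrepl applies the changes it receives with rootdn rights, so set it here too
rootdn          "cn=admin,dc=example,dc=local"
rootpw          {SSHA}...
directory       "/var/lib/ldap"
index           objectClass,entryCSN,entryUUID eq

# write attempts against the replica are referred to the provider
updateref       ldap://dc01-ubuntu.example.local

# starttls=critical refuses to send the credentials over a cleartext
# connection; the consumer takes its CA from TLS_CACERT in /etc/ldap/ldap.conf
syncrepl rid=123
        provider=ldap://dc01-ubuntu.example.local:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=local"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=local"
        credentials=REPLICATOR_PASSWORD_HERE
        starttls=critical
```

The ACL order matters on the provider: the "by dn.exact=... read" clause for cn=replicator must appear before "by * none" on the password attributes, or the consumer receives every entry without its hashes and the replica looks complete until someone tries to log on against it.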
I was able to load syncprov as a module. It is right after the includes. The 'provider' is now running with the following syncrepl directives:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Here is what I added to my 'consumer' server:
syncrepl rid=123
        provider=ldap://dc01-ubuntu.example.local:389
        type=refreshOnly
        interval=00:00:00:10
        searchbase="dc=example,dc=local"
        schemachecking=off
        bindmethod=simple
        binddn="cn=admin,dc=example,dc=local"
        credentials=secret
However, although I am no longer getting any errors, it still does not appear to be replicating. The 'provider' had a new user added, but the 'consumer' did not get the change. Where are the syncrepl log files specified? I did not see any entries in syslog, or messages.
Thank you again for your help.
--On Tuesday, April 22, 2008 5:52 AM -0700 brad davison gh0t1@yahoo.com wrote:
However, although I am no longer getting any errors, it still does not appear to be replicating. The 'provider' had a new user added, but the 'consumer' did not get the change. Where are the syncrepl log files specified? I did not see any entries in syslog, or messages.
Why are you using refreshOnly? refreshAndPersist is substantially better.
Have you compared the CSNs of the master & replica? Did you verify the replica DB matched the master DB? IIRC, you were having replication problems prior to using syncrepl. Your best bet would likely be to slapcat the master and then use that to reload the replica, and then see whether or not replication works after that point.
--Quanah
--
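[Added by the editor, not part of the thread.] Comparing the CSNs, as suggested above, is the quickest way to tell whether a consumer is really following its provider: the suffix entry of each server carries a contextCSN attribute, and when the two values match the replica is current. The script below parses the contextCSN from two ldapsearch runs (one against the provider, one against the consumer) and reports in sync, behind by N seconds, ahead (the replica was written to directly), or "never refreshed" (no contextCSN at all, the symptom of a consumer whose bind DN cannot read the tree or whose refresh was cut off). The two LDIF snippets embedded in it are constructed sample input, not output from either server in the thread; the ldapsearch command in the docstring is how you would obtain the real thing. It accepts both the 2.3 CSN form (two-digit server id) and the 2.4 form (microseconds, three-digit server id).

```python
#!/usr/bin/env python3
"""Compare a syncrepl provider's contextCSN with a consumer's.

Added example, not from the mailing-list thread.  In real use, feed the
functions the output of

    ldapsearch -x -H ldap://dc01-ubuntu.example.local -b dc=example,dc=local -s base contextCSN

run once against the provider and once against the consumer.  The LDIF
strings at the bottom are constructed sample input.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# 2.3 CSN:  YYYYmmddHHMMSSZ#count#sid#mod          (sid: 2 hex digits)
# 2.4 CSN:  YYYYmmddHHMMSS.ffffffZ#count#sid#mod   (sid: 3 hex digits)
_CSN_RE = re.compile(
    r"^(?P<ts>\d{14})(?:\.(?P<us>\d{6}))?Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{2,3})#(?P<mod>[0-9a-fA-F]{6})$"
)


class CSN(NamedTuple):
    when: datetime  # UTC time of the newest write the server knows about
    count: int      # sequence number for writes within the same second
    sid: int        # server id that originated the write (00 on a 2.3 single master)
    mod: int        # modification counter inside one operation
    raw: str        # the value as it appeared in the LDIF


def parse_csn(value: str) -> CSN:
    """Split one contextCSN/entryCSN value into comparable fields."""
    m = _CSN_RE.match(value.strip())
    if m is None:
        raise ValueError("not an OpenLDAP CSN: %r" % value)
    when = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group("us"):
        when = when.replace(microsecond=int(m.group("us")))
    return CSN(when, int(m.group("count"), 16), int(m.group("sid"), 16),
               int(m.group("mod"), 16), value.strip())


def contextcsn_from_ldif(ldif: str) -> Dict[int, CSN]:
    """Return {sid: CSN} for every contextCSN line in ldapsearch output.

    An empty result means the suffix entry has no contextCSN at all; on a
    consumer that means syncrepl has never finished a refresh."""
    found: Dict[int, CSN] = {}
    for line in ldif.splitlines():
        if not line.lower().startswith("contextcsn:"):
            continue
        value = line.split(":", 1)[1]
        if value.startswith(":"):  # LDIF "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("ascii")
        csn = parse_csn(value)
        found[csn.sid] = csn
    return found


def replication_lag(provider: Dict[int, CSN], consumer: Dict[int, CSN]) -> List[str]:
    """One report line per provider sid: in sync, behind, ahead or missing."""
    if not consumer:
        return ["consumer has no contextCSN: replication never completed a refresh "
                "(check the binddn's read ACLs, the sizelimit, and turn on loglevel sync)"]
    report = []
    for sid, p in sorted(provider.items()):
        c = consumer.get(sid)
        if c is None:
            report.append("sid %02x: consumer has no CSN for this sid" % sid)
            continue
        p_key = (p.when, p.count, p.mod)
        c_key = (c.when, c.count, c.mod)
        if c_key == p_key:
            report.append("sid %02x: in sync at %s" % (sid, p.raw))
        elif c_key < p_key:
            lag = (p.when - c.when).total_seconds()
            report.append("sid %02x: consumer behind by %.0f s (%s < %s)"
                          % (sid, lag, c.raw, p.raw))
        else:
            report.append("sid %02x: consumer AHEAD of provider (written to directly?); "
                          "reload it from a slapcat of the provider" % sid)
    return report


# Constructed sample input, not real output from the servers in the thread.
PROVIDER_LDIF = """dn: dc=example,dc=local
contextCSN: 20080422135212Z#000000#00#000000
"""
CONSUMER_LDIF = """dn: dc=example,dc=local
contextCSN: 20080418174015Z#000000#00#000000
"""

if __name__ == "__main__":
    for line in replication_lag(contextcsn_from_ldif(PROVIDER_LDIF),
                                contextcsn_from_ldif(CONSUMER_LDIF)):
        print(line)
```

A consumer that is behind by a few seconds under refreshOnly is normal; one that stays at the CSN of the LDIF it was loaded from, as in the sample, has never received a single change and the problem is on the provider side (bind, ACL, sizelimit) rather than a replication lag.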
Thank you for your help. I was able to get delta-syncprov working (and I would not have known that was the 'right' way to do it without your advice). I had to make a great deal of changes to the overall setup so posting the 'changes' would be cumbersome, and would most likely contradict my previous configs. Thank you again for pointing me in the right direction as my understanding of LDAP has matured.
My issue had to do with LDAP as the backend for SAMBA, and I was able to use the samba-wiki to help with my problem.
http://wiki.samba.org/index.php/2.0._Configuring_LDAP