Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
Alex
On 02/03/2010 11:51, Alex Samad wrote:
Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
The password policy overlay writes updates to the local database only, by default.
As of recent-ish versions of OpenLDAP 2.4.*, an option is available to forward these updates via the frontend. The man page describes it:
ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a master instead of being written directly into the consumer’s local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.
This option was clearly designed for read-only slaves.
I'm not sure what the behaviour would be in a multi-master setup. You could try this anyway. Any ideas from someone else?
Regards, Jonathan
Hi all, Me too, I am interested in knowing how forward_updates works in a multi-master environment.
If someone could share some experience about this, I would appreciate very much! :-)
Thanks in advance Marco
---------- Forwarded message ----------
From: Jonathan Clarke jonathan@phillipoux.net
Date: Tue, Mar 2, 2010 at 12:33 PM
Subject: Re: syncrepl not working for pwdFailureTime attribute
To: openldap-technical@openldap.org
On 02/03/2010 11:51, Alex Samad wrote:
Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
The password policy overlay writes updates to the local database only, by default.
As of recent-ish versions of OpenLDAP 2.4.*, an option is available to forward these updates via the frontend. The man page describes it:
ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a master instead of being written directly into the consumer’s local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.
This option was clearly designed for read-only slaves.
I'm not sure what the behaviour would be in a multi-master setup. You could try this anyway. Any ideas from someone else?
Regards, Jonathan
On Tuesday, 2 March 2010 11:51:30 Alex Samad wrote:
Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
In my experience with 2.3 and some versions of 2.4, pwdFailureTime etc. changes on the provider would be replicated to the consumer, but this does introduce other problems.
Are you sure your consumer is replicating *all* attributes (and not just non-operational attributes)?
Can you post the syncrepl statement on your consumer?
Are you sure your syncrepl binddn has sufficient access to these attributes? If unsure, please test (e.g. with ldapsearch, binding as the syncrepl binddn).
You may also want to provide the version you are running.
Regards, Buchan
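One way to check whether a consumer's syncrepl statement requests operational attributes such as pwdFailureTime, shown as an added example that is not part of any poster's message. The sample configuration is constructed, the function names are hypothetical, and the `*,+` default for `attrs` and the `exattrs` option are as documented in slapd.conf(5); access control for the syncrepl binddn still has to be tested separately.

```python
import shlex

# Constructed sample slapd.conf fragment (not taken from the thread).
SAMPLE_CONF = '''\
# consumer side of a two-provider setup
syncrepl rid=001
  provider=ldap://ldap1.example.com
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=secret
  attrs="*"
syncrepl rid=002
  provider=ldap://ldap2.example.com
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
'''


def parse_syncrepl(conf_text):
    """Return one dict of key=value options per syncrepl directive."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        tokens = shlex.split(line)  # strips the quotes around values
        if tokens[0].lower() != "syncrepl":
            continue
        pairs = (t.split("=", 1) for t in tokens[1:] if "=" in t)
        directives.append({k.lower(): v for k, v in pairs})
    return directives


def requests_attr(opts, attr, operational):
    """True if this syncrepl statement asks the provider for `attr`."""
    # attrs defaults to "*,+": all user (*) and all operational (+) attributes.
    wanted = {a.strip().lower() for a in opts.get("attrs", "*,+").split(",")}
    excluded = {a.strip().lower() for a in opts.get("exattrs", "").split(",")}
    name = attr.lower()  # attribute names are case-insensitive
    if name in excluded:
        return False
    return name in wanted or ("+" if operational else "*") in wanted
```

In the sample, rid=001 asks only for `*`, so pwdFailureTime is never requested from that provider, while rid=002 relies on the default and does request it.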
Hi
Thanks for everyone's replies - I haven't ignored them, but I am on the road for about a month; when I get a chance I will
a) update my slapd b) check permission c) post my syncrepl setup
Alex
On Mon, Mar 08, 2010 at 02:25:47PM +0100, Buchan Milne wrote:
On Tuesday, 2 March 2010 11:51:30 Alex Samad wrote:
Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
In my experience with 2.3 and some versions of 2.4, pwdFailureTime etc. changes on the provider would be replicated to the consumer, but this does introduce other problems.
Are you sure your consumer is replicating *all* attributes (and not just non-operational attributes)?
Can you post the syncrepl statement on your consumer?
Are you sure your syncrepl binddn has sufficient access to these attributes? If unsure, please test (e.g. with ldapsearch, binding as the syncrepl binddn).
You may also want to provide the version you are running.
Regards, Buchan
I had this problem with slapd version 2.4.11 in Debian Lenny.
When I upgraded to 2.4.21 slapd Ubuntu Lucid these and other problems are over. Probably you have some bugged version of slapd.
Jarbas
2010/3/2 Alex Samad alex@samad.com.au:
Hi
I have setup a multi master as per the online doco.
When I was checking recently, the 2 DBs were out of sync; some records hadn't been transferred over. I forced this by setting -c rid=,csn=
But whilst checking this, I noticed that some attributes haven't been moved across: pwdFailureTime was on a record on the primary LDAP server and not on the secondary master. Try what I could, I couldn't force it over.
Is this a feature or a bug?
Alex