Hi,
I have a setup with two CentOS 5 machines running OpenLDAP 2.3.x. Right now the primary uses slurpd to send the updates to the second server, and the second server is using "updatedn" to allow updates (from what I understand! I'm no OpenLDAP guru here.) Clients are using pam_ldap and nss_ldap to get the users and authenticate them in LDAP. Right now hosts query only the primary LDAP server, that is, the address set in the "host" variable of /etc/ldap.conf. Changing the password with "passwd" works fine, and the password is correctly replicated to the secondary server.
Now, first thing, I wanted to load balance between the two servers. The way I did it was to register a Round-Robin DNS record, with one A entry for each server IP, and I used that entry in the "host" variable of /etc/ldap.conf. Everything worked. Queries going each time to a different server. I was expecting to have problems changing passwords, but amazingly it worked. Apparently when a password change request goes to the second server, that server will do a query on the first server to do the password change, and then (through slurpd) the change gets replicated on the second one. Everything great. (Is there a better configuration for pam_ldap and nss_ldap on /etc/ldap.conf for load balancing other than round-robin DNS?)
Now, I was reading that syncrepl is superior to slurpd, and that syncrepl is the preferred method of replication. I actually saw that it's true when I saw that it actually replicated the master without having to stop it and copy the dbs (which is necessary with slurpd.) I even saw that in OpenLDAP 2.4.x slurpd is deprecated/discontinued and only syncrepl is supported.
So I'm trying to migrate from slurpd to syncrepl.
And so far everything is working fine in my test environments.
This is what I have configured on the master:
overlay syncprov
syncprov-checkpoint 1 10
syncprov-sessionlog 100
And on the slave:
syncrepl rid=1
    provider=ldap://ldap1.mydomain.com
    type=refreshAndPersist
    searchbase="dc=mydomain,dc=com"
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=mydomain,dc=com"
    credentials=xxxxxxxxxxx
updateref ldap://ldap1.mydomain.com/
It works with queries, and when I do an update on the master, it replicates fine to the slave.
But when I try to do some change on the slave, that's what I get:
$ ldapdelete -H ldap://ldap2.mydomain.com/ -D cn=Manager,dc=mydomain,dc=com \
    -w XXXXXXX -x uid=usertodelete,ou=Users,dc=mydomain,dc=com
ldap_delete: Referral (10)
    referrals:
        ldap://ldap1.mydomain.com/uid=usertodelete,ou=Users,dc=mydomain,dc=com
I would like to have something closer to what happens when using slurpd, which seems to be more transparent to clients. I tried to set "updatedn" but slapd complained that it is supported when using slurpd.
I also tried configuring the overlay on the slave and syncrepl on the master, but when I do that I can't run updates on either side; both of them end up being read-only. I read about that in the OpenLDAP 2.4.x Administration Guide, in the section about multi-master replication, but then I saw that multi-master replication is supposed to work only on 2.4.x and not on 2.3.x, so that's apparently not an option.
So I ask: is there a way to configure OpenLDAP so that the slave (running syncrepl) can send updates to the master when it receives them from a client?
Or (not as good but still an option): If I use "updateref" to send Referral, how can I make sure the tools (ldapdelete, ldapmodify, ldapadd, ...) actually *follow* the referral (I looked for that in man pages and didn't find any obvious options for that)? And more important, will pam_ldap and nss_ldap follow those referrals when changing the password? Do I have to set something on /etc/ldap.conf for that?
Upgrade to 2.4.x is something I would like to avoid, since I would rather stick with what is supported by CentOS 5.
Sorry for the long e-mail! Any help and advice will be appreciated.
Thanks a lot! Filipe
--On Monday, June 16, 2008 9:23 AM -0400 Filipe Brandenburger filipe.brandenburger@idilia.com wrote:
I would like to have something closer to what happens when using slurpd, which seems to be more transparent to clients. I tried to set "updatedn" but slapd complained that it is supported when using slurpd.
I'm not sure what you mean. You would get a referral using slurpd replication too, unless you did something brain dead like use the slurpd updatedn to modify data on the slave, which would then make your replica and master be out of sync.
You can of course force updates to the slave to chain up to the master so they get written to the correct place, see the test suite.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
I would like to have something closer to what happens when using slurpd, which seems to be more transparent to clients. I tried to set "updatedn" but slapd complained that it is supported when using slurpd.
I'm not sure what you mean. You would get a referral using slurpd replication too,
It's true. I hadn't realised that; somehow, when I tested it, I got the wrong impression.
So, my questions are:
1. How do I get ldapmodify, ldapdelete, ... to follow referrals?
2. Will pam_ldap (when changing passwords) follow referrals?
You can of course force updates to the slave to chain up to the master so they get written to the correct place, see the test suite.
I believe you're talking about "overlay chain", I looked at the documentation but it seemed to be far more complex than what I want (I just want to nss_ldap/pam_ldap load balance the queries between the two machines.) I will try to see if referrals will work first, then I'll start going down that route.
Thanks! Filipe
--On Monday, June 16, 2008 1:54 PM -0400 Filipe Brandenburger filipe.brandenburger@idilia.com wrote:
So, my questions are:
- How do I get ldapmodify, ldapdelete, ... to follow referrals?
You set up the chain overlay.
- Will pam_ldap (when changing passwords) follow referrals?
See answer to #1.
--Quanah
Quanah Gibson-Mount wrote:
--On Monday, June 16, 2008 1:54 PM -0400 Filipe Brandenburger filipe.brandenburger@idilia.com wrote:
So, my questions are:
- How do I get ldapmodify, ldapdelete, ... to follow referrals?
You set up the chain overlay.
That answer glosses over the details.
A better answer is that the OpenLDAP ldapmodify and ldapdelete tools will not follow referrals. If you're working in a setup that uses referrals, and you need the ldapmodify tool to work, then you need to use chaining.
- Will pam_ldap (when changing passwords) follow referrals?
See answer to #1.
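The chaining Quanah and Howard point to, worked out as an added example for the consumer's slapd.conf on OpenLDAP 2.3 (this is not from the thread and not copied from the OpenLDAP test suite). Hostnames, DNs and the syncrepl/updateref lines are the ones Filipe posted; the directory path, the StartTLS lines and the remark about provider-side authorization are assumptions about the deployment.

```conf
# slapd.conf on the syncrepl consumer (ldap2).  Added example, not from the thread.
# In 2.3 the chain overlay is global: it must appear BEFORE the first "database"
# line.  It intercepts the referral slapd would otherwise hand to the client
# (the updateref below) and replays the write on the provider over back-ldap.

overlay             chain
chain-uri           "ldap://ldap1.mydomain.com/"
# Bind to the provider as the replication identity but assert the ORIGINAL
# client's DN with the proxyAuthz control (mode=self).  The provider then
# applies its own ACLs to the real user, so a user still cannot change anyone
# else's userPassword through the slave.  The rootdn may assert any identity;
# if binddn were not the provider's rootdn, the provider would also need
# "authz-policy to" and an authzTo value on that entry (see slapd.conf(5)).
chain-idassert-bind bindmethod="simple"
                    binddn="cn=Manager,dc=mydomain,dc=com"
                    credentials="xxxxxxxxxxx"
                    mode="self"
# StartTLS on the chained hop (assumes the provider has TLS set up); without it
# the asserted write, including a new password, crosses the network in clear.
chain-tls           start
# Return the provider's real result code to the client instead of the referral.
chain-return-error  TRUE

database            bdb
suffix              "dc=mydomain,dc=com"
rootdn              "cn=Manager,dc=mydomain,dc=com"
directory           /var/lib/ldap          # CentOS default; assumption

syncrepl            rid=1
                    provider=ldap://ldap1.mydomain.com
                    type=refreshAndPersist
                    searchbase="dc=mydomain,dc=com"
                    schemachecking=off
                    bindmethod=simple
                    binddn="cn=Manager,dc=mydomain,dc=com"
                    credentials=xxxxxxxxxxx
                    starttls=critical      # replication bind also carries the password
# Keep updateref: this is the referral the chain overlay intercepts.
updateref           ldap://ldap1.mydomain.com/
```

Because the Manager credentials now sit in the consumer's slapd.conf twice, the file must stay readable only by root and the ldap user (the CentOS default). A quick check after restarting slapd is the ldapdelete from earlier in the thread against ldap2: with chaining in place it should return the provider's result (success, or noSuchObject) rather than Referral (10).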
Howard Chu wrote:
- How do I get ldapmodify, ldapdelete, ... to follow referrals?
You set up the chain overlay.
That answer glosses over the details.
A better answer is that the OpenLDAP ldapmodify and ldapdelete tools will not follow referrals. If you're working in a setup that uses referrals, and you need the ldapmodify tool to work, then you need to use chaining.
What about "passwd" over "pam_ldap"? Will it follow referrals? That's the one I *need* to keep working.
I'm just building my mini test environment to test that, but if you can give me some advice here it would be great.
Otherwise, would there be another way to load balance the queries from nss_ldap/pam_ldap, but still have them always update the master when writing?
Thanks! Filipe
Filipe Brandenburger wrote:
A better answer is that the OpenLDAP ldapmodify and ldapdelete tools will not follow referrals. If you're working in a setup that uses referrals, and you need the ldapmodify tool to work, then you need to use chaining.
What about "passwd" over "pam_ldap"? Will it follow referrals? That's the one I *need* to keep working.
I just tested this, and it works: pam_ldap follows referrals.
I had tcpdump running on the client and the debug logs running on both the master and slave servers. The client was configured to query the slave only.
Then I ran "passwd" and watched as it tried to run the update on the slave, getting a referral, then updating the master. tcpdump got all the updates, and showed it connecting to the right machines. I could clearly see the referral URL and the passwords old and new.
So, I guess having a "host" entry that points to a RR DNS will be the way I'll go on this one.
I'll just have to take care of the other scripts that insert/delete users to ignore /etc/ldap.conf and point to the master directly.
Thanks a lot! Filipe
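For the administrative scripts Filipe mentions, here is an added example (not from the thread or from OpenLDAP) of a POSIX sh wrapper that keeps using the round-robin name but re-issues a write to the provider when the answering server returns Referral (10), as the ldapdelete output earlier in the thread shows. The variable names, the password file and the allow-list of providers are assumptions. Note that the tools' own -C flag chases referrals anonymously (so its usage text says), which is no use for an authenticated write; this wrapper instead re-binds, and therefore refuses to follow a referral to any host not on its allow-list, since an unauthenticated referral over plain ldap:// could otherwise send the Manager password to a stranger.

```shell
#!/bin/sh
# Added example: re-issue an OpenLDAP write on the provider after a Referral (10).
# Assumed settings; override them in the environment.
LDAP_URI=${LDAP_URI:-ldap://ldap.mydomain.com/}        # round-robin name (assumption)
BINDDN=${BINDDN:-cn=Manager,dc=mydomain,dc=com}
PWFILE=${PWFILE:-/etc/openldap/manager.pw}             # mode 0600 (assumption)
# Only ever re-bind against a known provider; the referral text is not authenticated.
ALLOWED_PROVIDERS="ldap://ldap1.mydomain.com/ ldaps://ldap1.mydomain.com/"

# Reduce the referral text printed by ldapmodify/ldapdelete, e.g.
#   ldap_delete: Referral (10)
#       referrals:
#           ldap://ldap1.mydomain.com/uid=x,ou=Users,dc=mydomain,dc=com
# to the server part of the first URI: "ldap://ldap1.mydomain.com/".
referral_uri() {
    printf '%s\n' "$1" |
        sed -n 's#^[[:space:]]*\(ldaps\{0,1\}://[^/]*/\).*#\1#p' |
        head -n 1
}

# Succeed only if $1 is one of ALLOWED_PROVIDERS.
provider_allowed() {
    for p in $ALLOWED_PROVIDERS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Usage: ldap_write ldapmodify -f change.ldif
#        ldap_write ldapdelete "uid=usertodelete,ou=Users,dc=mydomain,dc=com"
# Give ldapmodify/ldapadd their LDIF with -f, not on stdin, so the request
# can be replayed.  The tools exit with the LDAP result code; 10 is referral.
ldap_write() {
    tool=$1; shift
    err=$("$tool" -x -H "$LDAP_URI" -D "$BINDDN" -y "$PWFILE" "$@" 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -ne 10 ]; then
        [ "$rc" -eq 0 ] || printf '%s\n' "$err" >&2
        return "$rc"
    fi
    master=$(referral_uri "$err")
    if ! provider_allowed "$master"; then
        printf 'refusing to follow referral to "%s"\n' "$master" >&2
        return 10
    fi
    "$tool" -x -H "$master" -D "$BINDDN" -y "$PWFILE" "$@"
}
```

This only helps scripts that bind with their own credentials; it does nothing for pam_ldap, and chaining on the server remains the cleaner fix.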
On Monday 16 June 2008 20:43:35 Filipe Brandenburger wrote:
Filipe Brandenburger wrote:
A better answer is that the OpenLDAP ldapmodify and ldapdelete tools will not follow referrals. If you're working in a setup that uses referrals, and you need the ldapmodify tool to work, then you need to use chaining.
What about "passwd" over "pam_ldap"? Will it follow referrals? That's the one I *need* to keep working.
I just tested this, and it works: pam_ldap follows referrals.
Yes, this is a feature that has worked for quite some time (keeping start_tls over a referral however was fixed in the past two years).
So, I guess having a "host" entry that points to a RR DNS will be the way I'll go on this one.
I'll just have to take care of the other scripts that insert/delete users to ignore /etc/ldap.conf and point to the master directly.
Uh, most other mature tools already support master/slave operation; ones that don't should have bugs filed against them.
Regards, Buchan
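Filipe's tcpdump showed the referral URL and both the old and new passwords in the clear, and Buchan's remark about StartTLS over referrals is a reminder that the hop to the master carries credentials too. The fragments below are an added example (not from the thread) of refusing cleartext credentials on both servers and turning on StartTLS for the clients; certificate paths and the round-robin name are assumptions.

```conf
# slapd.conf on BOTH ldap1 and ldap2 (added example, not from the thread).
TLSCACertificateFile    /etc/openldap/cacerts/ca.pem        # assumed paths
TLSCertificateFile      /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key

# Refuse any simple bind (a user's passwd bind, the Manager bind used by
# replication and chaining) and any update (old/new userPassword) that does
# not arrive with at least 128 bits of protection.  Anonymous nss_ldap
# lookups over plain ldap:// keep working, so clients that have not been
# switched to StartTLS yet still resolve users; only credential-bearing
# operations are rejected with confidentialityRequired.
security                simple_bind=128 update_ssf=128

# /etc/ldap.conf on the clients (pam_ldap / nss_ldap), added example.
host             ldap.mydomain.com       # round-robin name (assumption)
base             dc=mydomain,dc=com
ssl              start_tls
# Verify the server certificate against the CA.  Each server's certificate
# must then be valid for the round-robin name as well as its own hostname,
# since pam_ldap connects by the former and follows referrals by the latter.
tls_checkpeer    yes
tls_cacertfile   /etc/openldap/cacerts/ca.pem
```

After this change, repeating Filipe's tcpdump test should show the TLS handshake followed by encrypted application data on both the client-to-slave and slave-to-master connections, with no readable referral URL or password.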
openldap-technical@openldap.org