Hi all. Kind of an odd issue that I was hoping to get your advice with.
I'm currently running a pair of rhel6 servers (hostnames: ldap1 & ldap2) w/ openldap-2.4.23 in multi-master. I also have a pair of rhel6 servers running keepalived & haproxy to act as loadbalancers (floating ip resolves to hostname: ldap) to direct ldap queries from some of our less documented/older services from the days before we had 2 ldap servers or from services that can't natively handle failover ldap providers.
This setup has been working without issue (from what I could tell) for over 2 years. I noticed today that we have an issue with 2 of our users' ldap entries. They went from being students to being staff, which necessitated a uid change (username09 for student to username for staff).
We have a script that was written years ago for handling these uid changes. Apparently, when this script was run on these two users, the uid change happened only on one of the ldap servers. The other still contains the old uid information.
Here is a sanitized version of the script: http://pastebin.com/UiDJgWKA
Would love some advice on why this might not have replicated and what I might be able to do to prevent this in the future.
Brian Gold wrote:
> I'm currently running a pair of rhel6 servers (hostnames: ldap1 & ldap2) w/ openldap-2.4.23 in multi-master.
I would not use 2.4.23 in a MMR setup. There have been many syncrepl fixes since then.
=> upgrade OpenLDAP
> I also have a pair of rhel6 servers running keepalived & haproxy to act as loadbalancers (floating ip resolves to hostname: ldap) to direct ldap queries from some of our less documented/older services from the days before we had 2 ldap servers or from services that can't natively handle failover ldap providers.
Note that with such a HA/LB setup there is a possible issue with LDAP clients doing read-after-write.
Ciao, Michael.
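The read-after-write problem Michael mentions, as an added illustration that is not part of this thread: a toy model of two masters behind a round-robin balancer. The `Replica` and `RoundRobinBalancer` classes, the helper functions and the sample entry are constructed for this example and are not OpenLDAP's or the poster's code. It shows a write on one connection being read back stale on the next connection, the pinned-connection pattern that avoids that, and a per-entry comparison of the two masters of the kind a dump-and-diff of both servers would give when hunting for entries that never replicated.

```python
"""Toy model of two multi-master replicas behind a round-robin load balancer.
Constructed example; the classes below stand in for slapd and haproxy and
do not reflect their real internals."""
from dataclasses import dataclass, field
from itertools import count

_csn_counter = count(1)  # stand-in for a monotonically increasing CSN


@dataclass
class Replica:
    """Simplified master: entries keyed by DN plus a contextCSN that
    advances on every local write; changes reach peers only when
    replicate_to() is called, mimicking asynchronous syncrepl."""
    name: str
    entries: dict = field(default_factory=dict)
    context_csn: int = 0
    pending: list = field(default_factory=list)  # writes not yet pushed to peers

    def modify(self, dn, attrs):
        self.entries[dn] = dict(self.entries.get(dn, {}), **attrs)
        self.context_csn = next(_csn_counter)
        self.pending.append((dn, attrs, self.context_csn))

    def read(self, dn):
        return self.entries.get(dn)

    def replicate_to(self, peer):
        """Push pending changes to a peer; in real life this happens some
        time after the write, which is the window the client falls into."""
        for dn, attrs, csn in self.pending:
            peer.entries[dn] = dict(peer.entries.get(dn, {}), **attrs)
            peer.context_csn = max(peer.context_csn, csn)
        self.pending.clear()


class RoundRobinBalancer:
    """Stateless balancer like haproxy in round-robin mode: consecutive
    connections alternate between the backends."""
    def __init__(self, backends):
        self.backends = backends
        self._i = 0

    def connect(self):
        backend = self.backends[self._i % len(self.backends)]
        self._i += 1
        return backend


def read_after_write_via_lb(lb, dn, attrs):
    """Pattern that breaks: write on one connection, read back on a new
    connection. The read may land on the peer before syncrepl caught up."""
    lb.connect().modify(dn, attrs)
    return lb.connect().read(dn)


def read_after_write_pinned(lb, dn, attrs):
    """Safe pattern: keep using the server the write actually went to."""
    server = lb.connect()
    server.modify(dn, attrs)
    return server.read(dn)


def diverged_entries(a, b):
    """DNs whose attributes differ between two masters, or that exist on
    only one side. This is what comparing full dumps of both servers
    tells you after a replication failure."""
    dns = set(a.entries) | set(b.entries)
    return sorted(dn for dn in dns if a.entries.get(dn) != b.entries.get(dn))


def demo():
    """Run the scenario and return (stale read, pinned read,
    divergence before replication, divergence after replication)."""
    ldap1, ldap2 = Replica("ldap1"), Replica("ldap2")
    dn = "cn=sample user,ou=people,dc=example,dc=com"  # constructed sample
    ldap1.entries[dn] = {"uid": "username09"}
    ldap2.entries[dn] = {"uid": "username09"}
    lb = RoundRobinBalancer([ldap1, ldap2])

    stale = read_after_write_via_lb(lb, dn, {"uid": "username"})
    pinned = read_after_write_pinned(lb, dn, {"uid": "username"})
    before = diverged_entries(ldap1, ldap2)
    ldap1.replicate_to(ldap2)
    ldap2.replicate_to(ldap1)
    after = diverged_entries(ldap1, ldap2)
    return stale, pinned, before, after


if __name__ == "__main__":
    print(demo())
```

The stale read in the first pattern is exactly what a script that writes through the floating "ldap" name and then immediately searches it can observe; pinning the session to one master (or routing writes to a single master) avoids it. The `diverged_entries` check is the same idea as dumping both masters with ldapsearch and diffing the results to find every entry, not just the two noticed so far, that never replicated.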
--On Thursday, April 25, 2013 9:50 AM -0400 Brian Gold bgold@simons-rock.edu wrote:
> Hi all. Kind of an odd issue that I was hoping to get your advice with…
> I'm currently running a pair of rhel6 servers (hostnames: ldap1 & ldap2) w/ openldap-2.4.23 in multi-master. I also have a pair of rhel6 servers running keepalived & haproxy to act as loadbalancers (floating ip resolves to hostname: ldap) to direct ldap queries from some of our less documented/older services from the days before we had 2 ldap servers or from services that can't natively handle failover ldap providers.
I would note that the current release of OpenLDAP is 2.4.35. I would note that OpenLDAP 2.4.23 is nearly 3 years old. I would note that numerous significant fixes to MMR and syncrepl have been made to OpenLDAP since 2.4.23. I would note that the version of OpenLDAP 2.4.23 shipped by Redhat is known to have various issues. I would give my usual advice of using a current OpenLDAP release. If you are unable to build it yourself, you may wish to use the packages from the LTB project:
http://ltb-project.org/wiki/download#openldap
Or to put it more succinctly: You are expected to have issues with the 2.4.23 version, even if it may take some time to encounter them. If you truly want help resolving issues with the 2.4.23 build as provided by Redhat, then the proper support channel for their packages is to contact Redhat and to ask them to fix the version they have released to their customers. Otherwise, use a current build of OpenLDAP on your servers.
Hope that helps!
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org