Hi guys,
I have the following problem: I have two servers, ldap1 and ldap2, that I am trying to sync both ways using syncrepl. However, when I was adding 8 MB of data into ldap1 using ldapadd, the changes were not propagated to, or retrieved by, ldap2. What's worse is that the ldap2 syncrepl gets a "Can't contact LDAP server" error. However, when doing an ldapsearch from the ldap2 terminal to ldap1, the results are displayed.
Additionally, I was doing an ldapsearch in ldap2 while the syncing was going on. Does this have any effect?
Below is the olcDatabase={2}bdb.ldif file from both ldap1 and ldap2.
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 3c9dde1a-f65f-1031-92f3-ef68fd07464c
creatorsName: cn=config
createTimestamp: 20130119083743Z
olcSuffix: dc=myorganization,dc=org
olcRootDN: cn=admin,dc=myorganization,dc=org
olcRootPW: password
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=myorganization,dc=org" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=config" write by dn="cn=sssd,dc=myorganization,dc=org" read by self write by * none
olcSyncrepl: {0}rid=001 provider=ldaps://ldap1.myorganization.org binddn="cn=admin,dc=myorganization,dc=org" bindmethod=simple credentials=password searchbase="dc=myorganization,dc=org" type=refreshOnly interval=00:00:05:00 retry="5 5 300 5" timeout=1
olcSyncRepl: {2}rid=002 provider=ldaps://ldap2.myorganization.org binddn="cn=admin,dc=myorganization,dc=org" bindmethod=simple credentials=password searchbase="dc=myorganization,dc=org" type=refreshOnly interval=00:00:05:00 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
The ldap1 logs show nothing and the ldap2 logs display the following lines:
do_syncrep2: rid=001 (-1) Can't contact LDAP server
do_syncrepl: rid=001 rc -1 retrying (4 retries left)
I have tried rebooting both servers, but the problem persists.
I am using OpenLDAP v2.4.23 on a CentOS 6.3 VM.
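As an added example that is not part of this thread and not OpenLDAP's own code: a small offline checker that parses an olcSyncrepl value the way slapd's keyword/value syntax is laid out, validates the provider URL, the bind settings and the retry schedule, and classifies the do_syncrep2/do_syncrepl log lines quoted above so that the consumer's last result code and remaining retries can be read off per rid. The sample config values and log lines are constructed for the example (they are modelled on the ones posted here); the glued variant, where the space before binddn= has been lost, is constructed to show what the hostname check catches.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample value, modelled on the olcSyncrepl lines posted in the thread.
SYNCREPL_OK = ('rid=002 provider=ldaps://ldap2.myorganization.org '
               'binddn="cn=admin,dc=myorganization,dc=org" bindmethod=simple '
               'credentials=password searchbase="dc=myorganization,dc=org" '
               'type=refreshOnly interval=00:00:05:00 retry="5 5 300 5" timeout=1')
# Constructed: the same value with the space before binddn= lost (a common copy/paste defect).
SYNCREPL_GLUED = SYNCREPL_OK.replace('.org binddn=', '.orgbinddn=')
# Constructed log lines in the shape slapd writes for a syncrepl consumer.
LOG_LINES = [
    "do_syncrep2: rid=002 LDAP_RES_INTERMEDIATE - SYNC_ID_SET",
    "do_syncrep2: rid=001 (-1) Can't contact LDAP server",
    "do_syncrepl: rid=001 rc -1 retrying (4 retries left)",
]

HOST_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$')


def parse_syncrepl(value):
    """Split an olcSyncrepl value into {keyword: value}; shlex honours the quoted values."""
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition('=')
        params[key.lower()] = val
    return params


def parse_retry(spec):
    """'5 5 300 5' -> [(5, 5), (300, 5)]: (seconds between attempts, attempts); '+' = unlimited."""
    fields = spec.split()
    if not fields or len(fields) % 2:
        raise ValueError('retry needs interval/count pairs: %r' % spec)
    return [(int(interval), None if count == '+' else int(count))
            for interval, count in zip(fields[::2], fields[1::2])]


def total_retries(schedule):
    """Attempts before the consumer gives up for good, or None if it never gives up."""
    if any(count is None for _, count in schedule):
        return None
    return sum(count for _, count in schedule)


def check_config(value):
    """Return a list of findings for one olcSyncrepl value (empty list = nothing to report)."""
    params = parse_syncrepl(value)
    findings = []
    for required in ('rid', 'provider', 'searchbase'):
        if required not in params:
            findings.append('missing %s=' % required)
    url = urlsplit(params.get('provider', ''))
    if url.scheme not in ('ldap', 'ldaps', 'ldapi'):
        findings.append('provider scheme %r is not ldap/ldaps/ldapi' % url.scheme)
    elif url.scheme != 'ldapi' and not HOST_RE.match(url.hostname or ''):
        findings.append('provider host %r is not a valid hostname; '
                        'check for a missing space before the next keyword' % url.hostname)
    simple = params.get('bindmethod', 'simple') == 'simple'
    if simple and 'binddn' not in params:
        findings.append('bindmethod=simple without binddn=')
    if simple and url.scheme == 'ldap' and params.get('starttls', 'no') == 'no':
        findings.append('simple bind over plain ldap:// sends the credential in cleartext')
    if 'retry' in params:
        try:
            parse_retry(params['retry'])
        except ValueError as exc:
            findings.append(str(exc))
    return findings


LOG_PATTERNS = [
    ('retry', re.compile(r'do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying '
                         r'\((?P<left>\d+) retries left\)')),
    ('error', re.compile(r'do_syncrep2: rid=(?P<rid>\d+) \((?P<rc>-?\d+)\) (?P<msg>.+)')),
    ('intermediate', re.compile(r'do_syncrep2: rid=(?P<rid>\d+) (?P<msg>LDAP_RES_\w+ - \w+)')),
]


def parse_log_line(line):
    """Classify one slapd syncrepl log line; returns None for lines this example does not model."""
    for kind, pattern in LOG_PATTERNS:
        m = pattern.search(line)
        if m:
            event = {'kind': kind, 'rid': m.group('rid')}
            groups = m.groupdict()
            if 'rc' in groups:
                event['rc'] = int(groups['rc'])
            if 'left' in groups:
                # slapd counts retries within the current interval group of the retry schedule.
                event['retries_left'] = int(groups['left'])
            if 'msg' in groups:
                event['msg'] = groups['msg']
            return event
    return None


def consumer_status(lines):
    """Per rid: last result code, retries left in the current group, and events seen."""
    status = {}
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        entry = status.setdefault(event['rid'], {'last_rc': 0, 'retries_left': None, 'events': 0})
        entry['events'] += 1
        if 'rc' in event:
            entry['last_rc'] = event['rc']
        if 'retries_left' in event:
            entry['retries_left'] = event['retries_left']
    return status


if __name__ == '__main__':
    for label, value in (('ok', SYNCREPL_OK), ('glued', SYNCREPL_GLUED)):
        print(label, check_config(value) or 'no findings')
    print(consumer_status(LOG_LINES))
```

Run against a live cn=config, the olcSyncrepl values can be pulled with an ldapsearch on the config database and fed to check_config one at a time; rc -1 with a valid provider URL points at the transport (is the ldaps listener up, does the consumer trust the provider's certificate), not at the syncrepl configuration itself.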
Carlo,
Carlo Santos wrote (04.02.2013 09:02):
olcSyncRepl: {2}rid=002 provider=ldaps://ldap2.myorganization.org binddn="cn=admin,dc=myorganization,dc=org" bindmethod=simple credentials=password searchbase="dc=myorganization,dc=org" type=refreshOnly interval=00:00:05:00 retry="5 5 300 5" timeout=1
What is the exact ldapsearch you used? Your provider is configured with ldaps; is ldaps started on your servers, and did you try ldapsearch with ldaps?
Marc
On Mon, Feb 4, 2013 at 8:28 PM, Marc Patermann <hans.moser@ofd-z.niedersachsen.de> wrote:
Carlo,
Carlo Santos wrote (04.02.2013 09:02):
olcSyncRepl: {2}rid=002 provider=ldaps://ldap2.myorganization.org binddn="cn=admin,dc=myorganization,dc=org" bindmethod=simple credentials=password searchbase="dc=myorganization,dc=org" type=refreshOnly interval=00:00:05:00 retry="5 5 300 5" timeout=1
What is the exact ldapsearch you used?
The ldapsearch command I used is this:
ldapsearch -xLLLD "cn=admin,dc=myorganization,dc=org" -H ldaps://ldap1.myorganization.org -b "dc=myorganization,dc=org" -W
Your provider is configured with ldaps; is ldaps started on your servers, and did you try ldapsearch with ldaps?
Yes, ldaps is enabled on both servers.
Also, I forgot to mention, I got the line "do_syncrep2: rid=002 LDAP_RES_INTERMEDIATE - SYNC_ID_SET" multiple times before a single "do_syncrep2: rid=002 (-1) Can't contact LDAP server" is displayed in the slapd logs.
Does this mean anything?
Marc
I tried to remove the contents using ldapdelete but now I'm always getting the Can't contact LDAP server error.
Checking further, it appears that the slapd service was stopped. However, in the logs, I keep seeing entry_decode lines even though the service is already stopped (according to service slapd status). Additionally, doing an openssl s_client -connect to ldap1 returns a "Connection refused" error.
-- Carlo Santos
openldap-technical@openldap.org