Hi There,
We are in the middle of implementing OpenLDAP into our network. We are testing our implementation and facing the below error in our logs after a node has either been powered off or the slapd service has been stopped (and subsequently brought back online):
syncprov_sendresp: cookie=rid=001,sid=001,csn=20200813144529.184309Z#000000#001#000000
do_syncrep2: rid=002 got search entry without Sync State control (dc=domain,dc=local)
do_syncrepl: rid=002 rc -1 retrying
syncprov_sendresp: cookie=rid=001,sid=001,csn=20200813144529.378496Z#000000#001#000000
This error is only encountered on the node that had been brought offline. Prior to this, replication had/has been working without issue, as far as we can tell.
Below are the configuration LDIFs we used to enable replication:
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap1.domain.local/
olcServerID: 2 ldap://ldap2.domain.local/

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={3}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" type=refreshAndPersist retry="5 5 300 +" timeout=1
olcSyncrepl: rid=002 provider=ldap://ldap2.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" type=refreshAndPersist retry="5 5 300 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
I have seen other posts about this error that mention the overlay not being properly configured, however, I don't think this is the case for us since replication does work as expected until a node is brought offline.
It also seems that any changes made to online nodes are not replicated to the offline node when it is brought back online. However, any changes made after that node has been brought back online are replicated. I am sure this is probably a configuration issue but not sure where to go from here.
Any help is greatly appreciated.
Thanks!
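The symptom described in this post (writes made while a node was down never reaching it after it rejoins) shows up as a difference in the contextCSN values the two providers hold: each provider keeps one contextCSN per serverID (the SID is the third '#'-separated field of a CSN), and after a successful resync every SID's CSN is identical on both nodes. The following is an added check, not from the thread, that compares the two lists and names the SID that is behind. The fetch helper assumes the bind DN from the LDIFs above and a password file path; the CSN lists fed to it at the bottom are constructed values modelled on the CSN in the quoted log.

```shell
#!/bin/sh
# Added example (not from the thread): compare the contextCSN values of two
# providers to see whether a node that came back online has actually caught up.

# Fetch the contextCSN values of one provider. Assumed URI, bind DN and
# password file; this is not executed by the constructed checks below.
fetch_csns() {
  # $1 = provider URI, $2 = bind DN, $3 = file holding the bind password
  ldapsearch -LLL -x -H "$1" -D "$2" -y "$3" \
    -s base -b "dc=domain,dc=local" contextCSN \
    | sed -n 's/^contextCSN: //p'
}

# Return the SID field of a CSN such as 20200813144529.184309Z#000000#001#000000
csn_sid() {
  printf '%s\n' "$1" | cut -d'#' -f3
}

# compare_csns A B: A and B are newline-separated contextCSN lists from two
# providers. Prints one line per diverging SID and returns 1 if any diverge.
# CSN fields are fixed width with the timestamp first, so the plain string
# order produced by sort(1) is the CSN order.
compare_csns() {
  a="$1"; b="$2"; rc=0
  for csn_a in $a; do
    sid=$(csn_sid "$csn_a")
    csn_b=$(printf '%s\n' $b | grep "#$sid#" || true)
    if [ -z "$csn_b" ]; then
      echo "sid=$sid: missing on second provider (nothing from that server replicated yet)"
      rc=1
    elif [ "$csn_a" != "$csn_b" ]; then
      newest=$(printf '%s\n%s\n' "$csn_a" "$csn_b" | sort | tail -n 1)
      if [ "$newest" = "$csn_a" ]; then
        echo "sid=$sid: second provider is behind ($csn_b < $csn_a)"
      else
        echo "sid=$sid: first provider is behind ($csn_a < $csn_b)"
      fi
      rc=1
    fi
  done
  return $rc
}

# Constructed sample values: ldap2 was offline while ldap1 (sid 001) accepted
# writes, so ldap2 still carries an older CSN for sid 001.
LDAP1_CSNS="20200813144529.378496Z#000000#001#000000
20200813140000.000000Z#000000#002#000000"
LDAP2_CSNS="20200813144529.184309Z#000000#001#000000
20200813140000.000000Z#000000#002#000000"

# Against live servers (assumed password file path) you would run instead:
#   compare_csns "$(fetch_csns ldap://ldap1.domain.local/ cn=manager,dc=domain,dc=local /etc/openldap/replica.pw)" \
#                "$(fetch_csns ldap://ldap2.domain.local/ cn=manager,dc=domain,dc=local /etc/openldap/replica.pw)"
compare_csns "$LDAP1_CSNS" "$LDAP2_CSNS" || echo "providers have diverged"
```

A clean run prints nothing and exits 0; any output means the named SID's changes have not been applied on the other node, which is exactly the state this post describes after the outage.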
--On Monday, August 17, 2020 8:30 PM +0000 alexander.jarrard@pfizer.com wrote:
Hi There,
We are in the middle of implementing OpenLDAP into our network. We are testing our implementation and facing the below error in our logs after a node has either been powered off or the slapd service has been stopped (and subsequently brought back online):
What version of OpenLDAP are you using?
Replication in OpenLDAP is only safe when using delta-syncrepl and avoiding fallback due to ITS#8125. This does not appear to be a delta-sync MMR configuration.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Hi Quanah,
My apologies, I left the version out. We are using 2.4.44. This is not delta-syncrepl and looking through this thread based on ITS#8125:
https://bugs.openldap.org/show_bug.cgi?id=8125;page=15
it seems like that would be the issue.
--On Monday, August 17, 2020 8:53 PM +0000 "Jarrard, Alex" Alexander.Jarrard@pfizer.com wrote:
Hi Quanah,
My apologies, I left the version out. We are using 2.4.44. This is not delta-syncrepl and looking through this thread based on ITS#8125:
2.4.44 is 4.5 years old. I *strongly* advise reading the change log:
https://www.openldap.org/software/release/changes.html
and then promptly scheduling an upgrade to the latest release while implementing delta-syncrepl.
You didn't note the underlying OS, but if building OpenLDAP yourself is not something you're interested in, there are a variety of options:
For Ubuntu, Ryan Tandy keeps a backports PPA:
https://launchpad.net/~rtandy/+archive/ubuntu/openldap-backports
or the LTB project has builds which also include Debian:
https://ltb-project.org/documentation/openldap-deb
For RHEL/CentOS, my company Symas provides free builds (with optional paid support) that are a drop-in for the RHEL packages:
We additionally have a paid version of OpenLDAP that has additional features and includes support known as Symas OpenLDAP (https://symas.com/symasopenldap/).
The LTB project also has free builds for RHEL/CentOS at:
https://ltb-project.org/documentation/openldap-rpm#yum_repository
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
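To make the delta-syncrepl recommendation above concrete, here is an added cn=config LDIF for a delta-syncrepl multi-master setup using the two hostnames, the {3}mdb database and the cn=manager bind identity from the LDIFs earlier in the thread. It is an example written for this page, not the thread's own configuration and not a verbatim copy of the OpenLDAP admin guide. Assumptions: the accesslog database is created as olcDatabase={4}mdb under /var/lib/ldap/accesslog, the syncprov overlay already exists on {3}mdb as shown above, and the same file is applied on both nodes (each node loads the module and creates its own accesslog).

```ldif
# Added example: delta-syncrepl MMR for ldap1/ldap2. Apply on each node with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f delta-sync.ldif
# Assumed: accesslog database index {4}mdb and directory /var/lib/ldap/accesslog.

# 1. Load the accesslog module (syncprov.la is already loaded per the thread)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: accesslog.la

# 2. The accesslog database that records this node's successful writes
dn: olcDatabase={4}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {4}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=accesslog
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# The replication identity reads the log, and must not hit size/time limits
olcAccess: {0}to * by dn.exact="cn=manager,dc=domain,dc=local" read by * none
olcLimits: dn.exact="cn=manager,dc=domain,dc=local" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

# 3. syncprov on the accesslog so the peer can consume the change log
dn: olcOverlay=syncprov,olcDatabase={4}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# 4. accesslog overlay on the primary database: log successful writes only,
#    scan once a day and purge entries older than 7 days
dn: olcOverlay=accesslog,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

# 5. Replace the plain-syncrepl consumers with delta-syncrepl consumers
dn: olcDatabase={3}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
olcSyncrepl: rid=002 provider=ldap://ldap2.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcLimits
olcLimits: dn.exact="cn=manager,dc=domain,dc=local" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

The "avoiding fallback" part of the advice is governed by the purge setting in step 4: when a consumer reconnects with a cookie older than the oldest entry left in the peer's accesslog, syncrepl falls back to a full (present-phase) refresh, which is the mode the advice warns against. Keep the retention window (7 days here) comfortably longer than the longest outage you expect a node to have, and confirm after each rejoin that both providers report identical contextCSN values.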
--On Monday, August 17, 2020 2:24 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, August 17, 2020 8:53 PM +0000 "Jarrard, Alex" Alexander.Jarrard@pfizer.com wrote:
Also, if you use SLES based systems, Michael Stroeder has updated builds:
https://build.opensuse.org/package/show/home:stroeder:iam/openldap2
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 8/17/20 10:27 PM, Quanah Gibson-Mount wrote:
Also, if you use SLES based systems, Michael Stroeder has updated builds:
https://build.opensuse.org/package/show/home:stroeder:iam/openldap2
The above are stripped down builds.
The official openSUSE packages (also built for SLE) are here:
https://build.opensuse.org/package/show/network:ldap/openldap2
If you're scared of packages replacing the system-wide libldap I also maintain a package which installs in a separate prefix:
https://build.opensuse.org/package/show/home:stroeder:openldap/openldap-ms
Ciao, Michael.
Thanks! We are deploying on Amazon Linux 2, which is essentially RHEL. We are still in dev for the environment we are deploying in, so we are able to make changes as needed. We will look into upgrading during the delta-sync change. I really appreciate the help, it looks like the Symas packages will be our best bet.
Thank you for all of your help!