N-Way Multi Master setup missing entries on consumers - openldap-technical

3 Sep 2017


      Hi Folks,
I have 4 servers setup via N-Way multi master using 2.4.44. Updates go to a single provider. We have close to 20 consumers connected to each of the providers via delta syncrepl. Fairly busy system with about 10000 additions, 64000 modifications and 5000 delete on a busy day. Current database is about 15 million entries. We see that some changes are not sent down to the consumers. We miss about 100 entries a day.  These entries appear in all 4 providers, but are randomly missing in the consumers. I am still investigating, but any insight/help will be greatly appreciated.
The providers are on RHEL 6, the consumers are on solaris 10.
configure options...
    --without-cyrus-sasl \
        --disable-bdb \
        --disable-hdb \
        --enable-ldap \
        --enable-mdb \
        --enable-constraint
Regards,
Ping
=========================
one of the provider config files
========================
#
#  FileName: slapd.conf
#
#  Author:   $Author: d639599 $
#  Date:     $Date: 2014-08-22 14:00:37 +1000 (Fri, 22 Aug 2014) $
#  Revision: $Revision: 18625 $
#  CVS Tag:  $Name$
#  CVS ID:   $Id: slapd_master.conf.in 18625 2014-08-22 04:00:37Z d639599 $
#
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /data/openldap24/etc/openldap/schema/core.schema
include /data/openldap24/etc/openldap/schema/cosine.schema
include /data/openldap24/etc/openldap/schema/nis.schema
include /data/openldap24/etc/openldap/schema/radius.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /data/openldap24/var/run/slapd.pid
argsfile /data/openldap24/var/run/slapd.args
#replica-pidfile /data/openldap/var/run/slurpd.pid
loglevel 32768
threads 32
tool-threads 8
allow bind_v2
# The number of results to return in a search
sizelimit unlimited
serverID 02
access to dn=uid=newevdouser@xman.com,ou=users,ou=evdo,ou=data,o=company,c=org
by dn=cn=infranet,ou=applicationusers,o=company,c=org read
by dn=cn=activeorder,ou=applicationusers,o=company,c=org read
by dn=cn=asap,ou=applicationusers,o=company,c=org read
..........
..........
#######################################################################
# monitor database
#######################################################################
database        monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw XXXXXXXXXXXXXXXXXX
access to dn.subtree="cn=Monitor"
        by dn.exact="cn=Manager,o=company,c=org" read
        by * none
#######################################################################
# primary database
#######################################################################
database mdb
suffix "o=company,c=org"
rootdn "cn=Manager,o=company,c=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw XXXXXXXXXXXXXXXXXX
#size of sparse file 64Gb
maxsize 68719476736
#only required to receive data from slurpd
#updatedn cn=directorymaster,ou=applicationusers,ou=radiusdata,o=company,c=org
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /data/openldap24/var/openldap-data
#Allow dirmaster unlimited time for searches
limits dn.exact="cn=directorymaster,ou=applicationusers,ou=radiusdata,o=company,c=org" time=unlimited
# Indices to maintain
index objectClass eq
index uid eq
index cn eq
index macAddress eq
index pinpoid eq
index bpiPoid eq
index target eq
index interceptType eq
index interceptValue eq
index imei eq
index ipHostNumber eq
index homeLocation eq
index sid eq
index   remoteId        eq
index   parentDn        eq
# required for sessionlaog
index entryCSN eq
index entryUUID eq
checkpoint 128 1
dbnosync
# syncrepl directives for each of the other masters for primary db replication
#######################################################################
## Syncrepl entry for 01
syncrepl rid=01
provider=ldap://host1
type=refreshAndPersist
retry="10 +"
searchbase="o=company,c=org"
bindmethod=simple
type=refreshAndPersist
binddn="cn=dirmaster,ou=appusers,a,o=company,c=org"
credentials=YYYYY
retry="60 10 300 +"
schemachecking=on
# Syncrepl entry for 02
syncrepl rid=02
provider=ldap://host3
type=refreshAndPersist
retry="10 +"
searchbase="o=company,c=org"
bindmethod=simple
type=refreshAndPersist
binddn="cn=dirmaster,ou=appusers,a,o=company,c=org"
credentials=YYYYY
retry="60 10 300 +"
schemachecking=on
# Syncrepl entry for 03
syncrepl rid=03
provider=ldap://host4
type=refreshAndPersist
retry="10 +"
searchbase="o=company,c=org"
bindmethod=simple
type=refreshAndPersist
binddn="cn=dirmaster,ou=appusers,a,o=company,c=org"
credentials=YYYYY
retry="60 10 300 +"
schemachecking=on
#need mirror mode to accept writes
mirrormode on
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logbase writes o=company,c=org
# scan the accesslog DB every day, and purge entries older than 14 days
logpurge 14+00:00 01+00:00
#sycrepl provider config
# define the provider to use the syncprov overlay
# (last directives in database section)
overlay syncprov
syncprov-checkpoint 10000 10
# contextCSN saved to database every 10000 updates or ten minutes
syncprov-sessionlog 10000
syncprov-nopresent TRUE
#######################################################################
# accesslog database
#######################################################################
database mdb
suffix "cn=accesslog"
rootdn "cn=Manager,o=company,c=org"
#size of sparse file 16Gb
maxsize 17179869184
directory /data/openldap24/var/openldap-data-accesslog
#Allow dirmaster unlimited time for searches
limits dn.exact="cn=dirmaster,ou=appusers,a,o=company,c=orgg" time=unlimited
index entryCSN eq
index objectClass eq
index reqEnd eq
index reqResult eq
index reqStart eq
#sycrepl provider config
# define the provider to use the syncprov overlay
# (last directives in database section)
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
======================================
consumer config
======================================
#
#  FileName: slapd.conf
#
#  Author:   $Author: d639599 $
#  Date:     $Date: 2014-08-22 14:00:37 +1000 (Fri, 22 Aug 2014) $
#  Revision: $Revision: 18625 $
#  CVS Tag:  $Name$
#  CVS ID:   $Id: slapd_master.conf.in 18625 2014-08-22 04:00:37Z d639599 $
#
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /data/openldap24/etc/openldap/schema/core.schema
include /data/openldap24/etc/openldap/schema/cosine.schema
include /data/openldap24/etc/openldap/schema/nis.schema
include /data/openldap24/etc/openldap/schema/radius.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /data/openldap24/var/run/slapd.pid
argsfile /data/openldap24/var/run/slapd.args
#replica-pidfile /data/openldap/var/run/slurpd.pid
loglevel 32768
#
#threads 64
#
allow bind_v2
#
# The number of results to return in a search
sizelimit unlimited
tool-threads 2
threads 8
# Load dynamic backend modules:
# modulepath /data/openldap/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
access to *
        by cn=dirmaster,ou=appusers,a,o=company,c=org write
        by dn=cn=radiusserver,ou=applicationusers,o=company,c=org read
..........
..........
#######################################################################
# config database
#######################################################################
database config
# NOTE: the suffix is hardcoded as cn=config and
# MUST not have a suffix directive
# normal rules apply - rootdn can be anything you want
# but MUST be under cn=config
rootdn "cn=admin,cn=config"
# use any of the supported password formats e.g. {SSHA} etc
# or plaintext as shown
rootpw XXXXXXXXXXXXXXXXXX
#######################################################################
# monitor database
#######################################################################
database        monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw {SHA}wauZJOzaG+r4u6oeuCOLg+DtjGM=
access to dn.subtree="cn=Monitor"
        by dn.exact="cn=Manager,o=company,c=org" read
        by * none
#######################################################################
# mdb database definitions
#######################################################################
database mdb
suffix "o=company,c=org"
rootdn "cn=Manager,o=company,c=org"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw XXXXXXXXXXXXXXXX
maxsize         68719476736
# To speedup further - possibly at the expense of data integrity
# Only use for slappadd without slapd running
#envflags nometasync
#envflags writemap
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /data/openldap24/var/openldap-data
# Indices to maintain
index objectClass eq
index uid eq
index cn eq
index macAddress eq
index pinpoid eq
index bpiPoid eq
index target eq
index interceptType eq
index interceptValue eq
index imei eq
index ipHostNumber eq
index homeLocation eq
index sid eq
index   remoteId        eq
index   parentDn        eq
index entryUUID eq
index entryCSN eq
checkpoint 128 1
dbnosync
# syncrepl directives for primary db replication
#######################################################################
## Syncrepl entry for 01
syncrepl rid=01
provider=ldap://provider1
bindmethod=simple
binddn="cn=dirmaster,ou=appusers,a,o=company,c=org"
credentials=XXXXXXX
searchbase="o=company,c=org"
logbase="cn=accesslog"
type=refreshAndPersist
scope=sub
retry="10 +"
schemachecking=off
logfilter="(&(objectClass=auditWriteObject)(reqResult=0)(|(reqDN:dnSubtreeMatch:=ou=radiusdata,o=company,c=org)(reqDN:dnSubtreeMatch:=ou=applicationusers,o=company,c=org)))"
syncdata=accesslog
filter="(|(entrydn:dnSubtreeMatch:=ou=radiusdata,o=company,c=org)(entrydn:dnSubtreeMatch:=ou=applicationusers,o=company,c=org))"