syncrepl for cn=config, changes fail with "tag=103 err=53 text=shadow context; no update referral"
Hi List,
I'm trying to setup a master/master replication scenario, starting with getting cn=config replicated properly using OpenLDAP 2.4.30 on Gentoo.
I've tried to start with a minimal config which is now up and running on both servers.
As long as I start only one of both servers I can edit everything in cn=config just fine, but as soon as they both run at the same time, they get into a state which causes some trouble. Even shutting down one of both doesn't help then, I need to start from scratch again at this point.
Submitting any changes results in this error message: RESULT tag=103 err=53 text=shadow context; no update referral
There are two servers, connected via OpenVPN: ID 1, 10.44.0.1 ID 2, 10.44.0.7
I use the following configuration file to seed the initial online configuration for each server, before bringing them up both, using: slapd -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d1
moduleload memberof.so moduleload syncprov.so moduleload refint.so
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openssh.schema
TLSCACertificateFile /etc/ssl/slapd/slapd.cacrt TLSCertificateFile /etc/ssl/slapd/slapd.crt TLSCertificateKeyFile /etc/ssl/slapd/slapd.key TLSVerifyClient allow
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
loglevel 256
access to attrs=userPassword by self write by * auth
access to * by * read
ServerID 1 ldap://10.44.0.1 ServerID 2 ldap://10.44.0.7
backend bdb
database config rootdn cn=config rootpw {SSHA}RI/d8i2R7XXlo2+kf2LcYzYOcIry+qaa
syncrepl rid=001 provider="ldap://10.44.0.7" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
syncrepl rid=002 provider="ldap://10.44.0.1" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
overlay syncprov
I don't quite understand the error message, as it somehow indicates the servers would be running in shadow context/MirrorMode, which is set to FALSE.
So does anyone have an idea, what's wrong with my setup?
Thanks a lot!
- Elias
Sent: Sun May 27 2012 13:11:32 GMT-0400 (EDT) From: Elias Probst mail@eliasprobst.eu To: openldap-technical@openldap.org Subject: syncrepl for cn=config, changes fail with "tag=103 err=53 text=shadow context; no update referral"
Hi List,
I'm trying to setup a master/master replication scenario, starting with getting cn=config replicated properly using OpenLDAP 2.4.30 on Gentoo.
I've tried to start with a minimal config which is now up and running on both servers.
As long as I start only one of both servers I can edit everything in cn=config just fine, but as soon as they both run at the same time, they get into a state which causes some trouble. Even shutting down one of both doesn't help then, I need to start from scratch again at this point.
Submitting any changes results in this error message: RESULT tag=103 err=53 text=shadow context; no update referral
There are two servers, connected via OpenVPN: ID 1, 10.44.0.1 ID 2, 10.44.0.7
I use the following configuration file to seed the initial online configuration for each server, before bringing them up both, using: slapd -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d1
moduleload memberof.so moduleload syncprov.so moduleload refint.so
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openssh.schema
TLSCACertificateFile /etc/ssl/slapd/slapd.cacrt TLSCertificateFile /etc/ssl/slapd/slapd.crt TLSCertificateKeyFile /etc/ssl/slapd/slapd.key TLSVerifyClient allow
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
loglevel 256
access to attrs=userPassword by self write by * auth
access to * by * read
ServerID 1 ldap://10.44.0.1 ServerID 2 ldap://10.44.0.7
backend bdb
database config rootdn cn=config rootpw {SSHA}RI/d8i2R7XXlo2+kf2LcYzYOcIry+qaa
syncrepl rid=001 provider="ldap://10.44.0.7" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
syncrepl rid=002 provider="ldap://10.44.0.1" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
overlay syncprov
I don't quite understand the error message, as it somehow indicates the servers would be running in shadow context/MirrorMode, which is set to FALSE.
So does anyone have an idea, what's wrong with my setup?
Thanks a lot!
- Elias
You need to enable MirrorMode. The official mult-master replication guide covers this, http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
You are getting the error because the database thinks it is a slave to the other database, so it disallows local writes. MirrorMode is just as it sounds, both servers are 'mirrors'.
-Patrick
On Sunday 27 May 2012 19:49:29 Patrick H. wrote:
You need to enable MirrorMode. The official mult-master replication guide covers this, http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master You are getting the error because the database thinks it is a slave to the other database, so it disallows local writes. MirrorMode is just as it sounds, both servers are 'mirrors'.
Enabling MirrorMode causes my initial cn=config seeding to fail: 4fc26d8c /tmp/slapd.conf: line 31: <MirrorMode> database is not a shadow
I've compared my config to the one in the official N-Way Multi-Master guide but couldn't spot the relevant difference here.
The error message sounds misleading to me, suggesting one of both mirrors should be a shadow DB while I actually want both to be equal.
Any idea? Did I miss something basic?
- Elias
Sent: Sun May 27 2012 14:18:23 GMT-0400 (EDT) From: Elias Probst mail@eliasprobst.eu To: openldap-technical@openldap.org Subject: Re: syncrepl for cn=config, changes fail with "tag=103 err=53 text=shadow context; no update referral"
On Sunday 27 May 2012 19:49:29 Patrick H. wrote:
You need to enable MirrorMode. The official mult-master replication guide covers this, http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master You are getting the error because the database thinks it is a slave to the other database, so it disallows local writes. MirrorMode is just as it sounds, both servers are 'mirrors'.
Enabling MirrorMode causes my initial cn=config seeding to fail: 4fc26d8c /tmp/slapd.conf: line 31:<MirrorMode> database is not a shadow
I've compared my config to the one in the official N-Way Multi-Master guide but couldn't spot the relevant difference here.
The error message sounds misleading to me, suggesting one of both mirrors should be a shadow DB while I actually want both to be equal.
Any idea? Did I miss something basic?
- Elias
Where are you putting the MirrorMode parameter? When I copy/paste your config you provided in the first email into an editor, line 31 is before "database config", which would be the problem. You need to put it after "database config" so that it applies to the config database.
As for the shadow thing, both server's are shadows/consumers. Theyre also both providers.
-Patrick
On Sunday 27 May 2012 21:06:43 Patrick Hemmer wrote:
Where are you putting the MirrorMode parameter? When I copy/paste your config you provided in the first email into an editor, line 31 is before "database config", which would be the problem. You need to put it after "database config" so that it applies to the config database.
As for the shadow thing, both server's are shadows/consumers. Theyre also both providers.
Thanks a lot. This made it finally work.
1. I misunderstood "shadow" as being a completely different mode in which the whole instance runs.
2. I placed the 'MirrorMode' statement at the wrong position. a) It mustn't be set in the global section b) It must be set after the 'syncrepl' statements inside a DB definition
For reference/anyone else fighting with this, a short howto how I got it up and running now:
1. Make sure /etc/openldap/slapd.d/ and the openldap-data directory (here: /var/lib/openldap-data) is emptied
2. Use the basic config (see below) to seed the initial online config of each instance using the command slapd -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d1
3. Stop the slapd process (Ctrl+C) and start it regularly using the initscript provided by the distribution (e.g. /etc/init.d/slapd start on Gentoo/OpenRC)
4. Now verify whether the replication of cn=config works by removing the 'olcConfigFile' setting from cn=config
Basic slapd.conf for seeding: moduleload memberof.so moduleload syncprov.so moduleload refint.so
moduleload memberof.so moduleload syncprov.so moduleload refint.so
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openssh.schema
TLSCACertificateFile /etc/ssl/slapd/slapd.cacrt TLSCertificateFile /etc/ssl/slapd/slapd.crt TLSCertificateKeyFile /etc/ssl/slapd/slapd.key TLSVerifyClient allow
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
loglevel 256
access to attrs=userPassword by self write by * auth
access to * by * read
ServerID 1 ldap://10.44.0.1 ServerID 2 ldap://10.44.0.7
backend bdb
database config rootdn cn=config rootpw {SSHA}RI/d8i2R7XXlo2+kf2LcYzYOcIry+qaa
syncrepl rid=001 provider="ldap://10.44.0.7" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
syncrepl rid=002 provider="ldap://10.44.0.1" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
overlay syncprov
MirrorMode on
Elias Probst wrote:
On Sunday 27 May 2012 21:06:43 Patrick Hemmer wrote:
Where are you putting the MirrorMode parameter? When I copy/paste your config you provided in the first email into an editor, line 31 is before "database config", which would be the problem. You need to put it after "database config" so that it applies to the config database.
As for the shadow thing, both server's are shadows/consumers. Theyre also both providers.
Thanks a lot. This made it finally work.
Do you believe this or have you verified?
syncrepl rid=001 filter="(!(olcDatabase={0}config))"
syncrepl rid=002 filter="(!(olcDatabase={0}config))"
According rfc4515 you are NOT replicating "(olcDatabase={0}config)"
On Sunday 27 May 2012 23:47:13 harry.jede wrote:
Thanks a lot. This made it finally work.
Do you believe this or have you verified?
I do not only believe it. I have it verified and it is working great so far, replicating config changes in cn=config in both directions.
syncrepl rid=001 filter="(!(olcDatabase={0}config))"
syncrepl rid=002 filter="(!(olcDatabase={0}config))"
According rfc4515 you are NOT replicating "(olcDatabase={0}config)"
Well, I was wondering about this statement, too. It was recommended by the OpenLDAP book which I read. I didn't understand why this should be needed in a master/master setup and I assume this must have slipped through when the book authors copy'n'pasted a configuration example.
This filter actually prevented cn=config,{0}config from bein properly replicated.
I didn't notice this before as I only did modifications to cn=config so far and added cn=config{1}bdb.
Thanks for pointing this out - probably saved me a lot of trouble :)
- Elias
Elias Probst wrote:
On Sunday 27 May 2012 21:06:43 Patrick Hemmer wrote:
Where are you putting the MirrorMode parameter? When I copy/paste your config you provided in the first email into an editor, line 31 is before "database config", which would be the problem. You need to put it after "database config" so that it applies to the config database.
As for the shadow thing, both server's are shadows/consumers. Theyre also both providers.
Thanks a lot. This made it finally work.
- I misunderstood "shadow" as being a completely different mode in which the
whole instance runs.
- I placed the 'MirrorMode' statement at the wrong position.
a) It mustn't be set in the global section b) It must be set after the 'syncrepl' statements inside a DB definition
For reference/anyone else fighting with this, a short howto how I got it up and running now:
- Make sure /etc/openldap/slapd.d/ and the openldap-data directory (here:
/var/lib/openldap-data) is emptied
- Use the basic config (see below) to seed the initial online config of each
instance using the command slapd -f /tmp/slapd.conf -F /etc/openldap/slapd.d -u ldap -g ldap -d1
Your reference is an utter waste of time. If you want to help people do this in the future you should simply provide the output of slapcat -n0, with the schema entries trimmed, and avoid the unnecessary conversion step.
- Stop the slapd process (Ctrl+C) and start it regularly using the initscript
provided by the distribution (e.g. /etc/init.d/slapd start on Gentoo/OpenRC)
And avoid the unnecessary restart step as well.
- Now verify whether the replication of cn=config works by removing the
'olcConfigFile' setting from cn=config
Basic slapd.conf for seeding: moduleload memberof.so moduleload syncprov.so moduleload refint.so
moduleload memberof.so moduleload syncprov.so moduleload refint.so
And avoid redundant moduleload statements.
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openssh.schema
TLSCACertificateFile /etc/ssl/slapd/slapd.cacrt TLSCertificateFile /etc/ssl/slapd/slapd.crt TLSCertificateKeyFile /etc/ssl/slapd/slapd.key TLSVerifyClient allow
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
loglevel 256
access to attrs=userPassword by self write by * auth
access to * by * read
ServerID 1 ldap://10.44.0.1 ServerID 2 ldap://10.44.0.7
backend bdb
database config rootdn cn=config rootpw {SSHA}RI/d8i2R7XXlo2+kf2LcYzYOcIry+qaa
syncrepl rid=001 provider="ldap://10.44.0.7" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
syncrepl rid=002 provider="ldap://10.44.0.1" binddn="cn=config" bindmethod="simple" credentials="nothingtoseehere" searchbase="cn=config" type=refreshAndPersist retry="10 +" filter="(!(olcDatabase={0}config))"
overlay syncprov
MirrorMode on
On Monday 28 May 2012 00:28:59 Howard Chu wrote:
Your reference is an utter waste of time. If you want to help people do this in the future you should simply provide the output of slapcat -n0, with the schema entries trimmed, and avoid the unnecessary conversion step.
So if I understand correctly, the proper way to do all this would be: 1. Create the initial online config using slapadd -F /etc/openldap/slapd.d/ -n 0 -l /tmp/initial-config.ldif 2. Start slapd via initscript
- Stop the slapd process (Ctrl+C) and start it regularly using the
initscript provided by the distribution (e.g. /etc/init.d/slapd start on Gentoo/OpenRC)
And avoid the unnecessary restart step as well.
Well, this step was necessary, as it was just started manually at this point. It won't be needed anymore based on the above steps.
Basic slapd.conf for seeding: moduleload memberof.so moduleload syncprov.so moduleload refint.so
moduleload memberof.so moduleload syncprov.so moduleload refint.so
And avoid redundant moduleload statements.
Oups, must have slipped in when copy'n'pasting my config into the mail. The original doesn't have duplicates :)
openldap-technical@openldap.org
-
Elias Probst -
harry.jede@arcor.de -
Howard Chu -
Patrick H. -
Patrick Hemmer