
Re: modify dn while replication



Things are getting worse :-(
Although a simple replication from master to slave through a proxy ldap for a MODification of an existing entry worked, I realized that an ADD (add an entry) doesn't work, even without all the rewrite things. :-(
I keep getting on the proxy and slave logs: "no structuralObjectClass operational attribute" cf sample operation and logs below ...
However, I do have a structuralObjectClass op-attr on the sample entry I am testing with:


$ ldapsearch -D "cn=admin,dc=int-evry,dc=fr" -x -W -h localhost -p 389 uid=sample + | grep structuralObjectClass
Enter LDAP Password:
structuralObjectClass: inetOrgPerson


For the second pb I had while playing with rewrite rules: (err=53 referral missing) see conversation below:

Feb 19 16:22:50 corbeau slapd[9136]: conn=0 op=2 RESULT tag=105 err=53 text=referral missing



looks like part of the tree does not exist on the
slave, so the slave is informing you that there's
no default referral to return...

I stopped playing with partial replication; now, from master to slave (through the proxy!), I use the same suffix all the way along (dc=int-evry,dc=fr, and not suffix ou=people,dc=int-evry,dc=fr for the slave) to simplify! However, I keep getting the error.


Sample operation and logs on adding an entry (same suffix dc=int-evry,dc=fr on master, slave, proxy)

Add an entry to the master:

$ ldapadd -f sample.ldif -D "cn=admin,dc=int-evry,dc=fr" -x -W -h localhost -p 389
Enter LDAP Password:
adding new entry "uid=sample,ou=People,dc=int-evry,dc=fr"


Proxy (no rewrite stuff in proxy) full logs (loglevel = -1):

Feb 25 09:29:10 corbeau slapd[2758]: daemon: activity on 1 descriptors
Feb 25 09:29:10 corbeau slapd[2758]: daemon: activity on:
Feb 25 09:29:10 corbeau slapd[2758]: 7r
Feb 25 09:29:10 corbeau slapd[2758]:
Feb 25 09:29:10 corbeau slapd[2758]: daemon: read activity on 7
Feb 25 09:29:10 corbeau slapd[2758]: connection_get(7)
Feb 25 09:29:10 corbeau slapd[2758]: connection_get(7): got connid=0
Feb 25 09:29:10 corbeau slapd[2758]: connection_read(7): checking for input on id=0
Feb 25 09:29:10 corbeau slapd[2758]: ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
Feb 25 09:29:10 corbeau slapd[2758]: do_add
Feb 25 09:29:10 corbeau slapd[2758]: >>> dnPrettyNormal: <uid=sample,ou=People,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: <<< dnPrettyNormal: <uid=sample,ou=People,dc=int-evry,dc=fr>, <uid=sample,ou=people,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: do_add: dn (uid=sample,ou=People,dc=int-evry,dc=fr)
Feb 25 09:29:10 corbeau slapd[2758]: => get_ctrls
Feb 25 09:29:10 corbeau slapd[2758]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Feb 25 09:29:10 corbeau slapd[2758]: <= get_ctrls: n=1 rc=0 err=""
Feb 25 09:29:10 corbeau slapd[2758]: conn=0 op=2 ADD dn="uid=sample,ou=People,dc=int-evry,dc=fr"
Feb 25 09:29:10 corbeau slapd[2758]: >>> dnPretty: <cn=admin,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: <<< dnPretty: <cn=admin,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: >>> dnPretty: <cn=admin,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: <<< dnPretty: <cn=admin,dc=int-evry,dc=fr>
Feb 25 09:29:10 corbeau slapd[2758]: ==> ldap_back_add: uid=sample,ou=People,dc=int-evry,dc=fr
Feb 25 09:29:10 corbeau slapd[2758]: =>ldap_back_getconn: conn 0 fetched
Feb 25 09:29:10 corbeau slapd[2758]: rw> addDn: "uid=sample,ou=People,dc=int-evry,dc=fr" -> "uid=sample,ou=People,dc=int-evry,dc=fr"
Feb 25 09:29:10 corbeau slapd[2758]: daemon: select: listen=6 active_threads=1 tvp=NULL
Feb 25 09:29:10 corbeau slapd[2758]: send_ldap_result: conn=0 op=2 p=3
Feb 25 09:29:10 corbeau slapd[2758]: send_ldap_result: err=80 matched="" text="no structuralObjectClass operational attribute"
Feb 25 09:29:10 corbeau slapd[2758]: send_ldap_response: msgid=3 tag=105 err=80
Feb 25 09:29:10 corbeau slapd[2758]: conn=0 op=2 RESULT tag=105 err=80 text=no structuralObjectClass operational attribute


Slave logs:
Feb 25 09:29:10 corbeau slapd[2740]: conn=0 op=2 ADD dn="uid=sample,ou=People,dc=int-evry,dc=fr"
Feb 25 09:29:10 corbeau slapd[2740]: No structuralObjectClass for entry (uid=sample,ou=People,dc=int-evry,dc=fr)
Feb 25 09:29:10 corbeau slapd[2740]: conn=0 op=2 RESULT tag=105 err=80 text=no structuralObjectClass operational attribute


Proxy slapd_proxy.conf
database ldap
suffix          "dc=int-evry,dc=fr"
uri             "ldap://127.0.0.1:9006"
updatedn  "cn=replicator,ou=people,dc=int-evry,dc=fr"
lastmod on
#rewriteEngine on
#rewriteContext default
#binddn "cn=replicator,ou=System,dc=int-evry,dc=fr"
#bindpw replica
binddn cn=admin,ou=people,dc=int-evry,dc=fr
bindpw {crypt}secret6

What's wrong with the structuralObjectClass op-attr here?

By the way in slapd_slave.conf I put the master to be the updateref:
updateref       "ldap://127.0.0.1:389"
Is this correct? Or should it be the proxy?
updateref      "ldap://127.0.0.1:8006"

For my 3rd request, the rewrite debugging, I did find the rewrite binary :-)

[root@corbeau /usr/src/redhat/BUILD/openldap-2.1.25/build-servers/libraries/librewrite]
$ ./rewrite -f rules.conf uid=sample,ou=people,dc=int-evry,dc=fr IntEPersUserPTM:test
uid=sample,ou=people,dc=int-evry,dc=fr -> uid=sample,ou=people,dc=int-evry,dc=fr


Nothing changed! How, in the rules, do you set the value of an attribute of the dn you want to rewrite? Here, to satisfy the rewriteMap on the attribute IntEPersUserPTM, I would like to change uid=sample,ou=people,dc=int-evry,dc=fr to uid=sample-value-of-attribute-IntEPersUserPTM,ou=people,dc=int-evry,dc=fr.

$ cat rules.conf
rewriteEngine on
rewriteContext default
rewriteMap      ldap uidMap "ldap:///dc=int-evry,dc=fr?IntEPersUserPTM?one"
rewriteRule     "^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"

If I change the last line above, removing the Map: rewriteRule "^(uid=[^,]+)(,.*)$$" "%1-%2" ":@I"
there seems to be some rewriting going on (I get the "-" sign added at least :-) )
$ ./rewrite -f rules.conf uid=sample,ou=people,dc=int-evry,dc=fr
uid=sample,ou=people,dc=int-evry,dc=fr -> uid=sample-,ou=people,dc=int-evry,dc=fr


Finally (if you got that far :-) !), should I keep testing all this rewrite stuff in openldap 2.1.X (actually 2.1.25!) or should I go a step further to 2.2.X? I remember that you told me that adding an updatedn to the proxy ldap was a "Hack". All these unsuccessful tests are very frustrating and time consuming, so if I am on the wrong track with 2.1.X just let me know ...

Thanks a lot.

PS: to prevent others from spending time on stupid things, I'd like to signal that adding a comment (#) in a replica section in slapd.conf trashes the replication! It took me half a day to realize that a replication didn't work because of that silly thing!
replica host=127.0.0.1:8006
# suffix="ou=people,dc=int-evry,dc=fr"
suffix="dc=int-evry,dc=fr"
binddn="cn=replicator,ou=people,dc=int-evry,dc=fr"
bindmethod=simple credentials=secret



Pierangelo Masarati wrote:

I would like to replicate to a slave, but I need to change the dn.
Here's a typical dn from the master:
dn: uid=test,ou=People,dc=int-evry,dc=fr

The slave should receive dn like this:
dn: uid=test-ei0205,ou=People,dc=int-evry,dc=fr

the "ei0205" appended here coming from the test user entry attribute:
IntEPersUserPTM: ei0205



I must have missed this; then the rule should look like

rewriteMap  ldap uidMap
   "ldap:///ou=People,dc=int-evry,dc=fr?IntEPersUserPTM?one"
rewriteRule "^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"

the ldap rewriteMap works as follows:
the URI's host, port, naming context and scope
are used as is; the attribute(s) part is used
to select the attribute that is returned;
the filter is represented by the string between
brackets at map invocation; in the example,
by %1 which expands to the "uid=[^,]+" portion
of the regexp.

So, assuming that the filter "(uid=test)"
matches the entry

"uid=test-ei0205,ou=People,dc=int-evry,dc=fr"

on the master, and that entry's "IntEPersUserPTM"
attribute contains the value "ei0205", then
the map would return exactly "ei0205"; in the
rightmost part of the rewriteRule, the parts

"uid=test" "-" "ei0205" ",ou=People,dc=int-evry,dc=fr"

are glued together into

"uid=test-ei0205,ou=People,dc=int-evry,dc=fr"

The same process will apply to the DN slurpd
is using to bind to the proxy (in the "replica"
line of the master's slapd.conf), so find out
what it expands to, and use that string as
"updatedn" in the proxy; the same updatedn
will be required at the slave's side.

Otherwise, you may want to intercept that
DN at the proxy side, e.g. use a rule
of the form

rewriteRule "^cn=replicator,ou=people,dc=int-evry,dc=fr$$" "%0" "@"

right before the rewrite rule that expands
the uid.  Maybe this is better for naming
uniformity of administrative entries
between the master and the slave ...

p.



Anyway, I'm far from this now ... , I just want to succeed in rewriting
"something" at least :-)
So again I blindly set my updatedn to:

updatedn  "cn=replicator-replicator,ou=people,dc=int-evry,dc=fr"

Now, while adding my new entry, the logs on the proxy say:

Feb 19 16:22:50 corbeau slapd[9136]: conn=0 op=2 ADD dn="uid=maisel,ou=People,dc=int-evry,dc=fr"
Feb 19 16:22:50 corbeau slapd[9136]: conn=0 op=2 RESULT tag=105 err=53 text=referral missing



looks like part of the tree does not exist on the slave, so the slave is informing you that there's no default referral to return...

You may need to increase the log level to see what
rewrite does; rewrite logging occurs at different
levels, however it is usually prefixed with "[rw]"



Either my updatedn is wrong, or I'm facing a new pb? Just let me know
which way to go: change the rewrite rule, understand rewrite rules!



the latter could be an option, since at some point you might need to do some more elaborate rewriting :)



By the way, is there a way to test rules directly (shell script or ...)
for debug purposes? Or are things OK now for rewrite rules, and I'm just
facing a new problem?



Yes. In libraries/librewrite there's a "rewrite" command-line tool:

./rewrite -f rules.conf -r rule1[,rule2[,...]]]

rules are executed in sequence.

I'm afraid it parses strings a bit differently
from slapd (I'll have to fix it some time) so you
don't need to double '$' and few other quirks, but
you may not need most of them.
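
The ldap rewriteMap substitution described in the quoted reply above, emulated in Python as an added example (it is not part of the original thread and is not OpenLDAP code). The in-memory DIRECTORY is constructed sample data standing in for the one-level LDAP search, the function names are hypothetical, and leaving the DN unchanged when the map finds no value is an assumption of this sketch.

```python
import re

# Constructed sample data standing in for the one-level search under
# ou=People,dc=int-evry,dc=fr; keys are the filter text passed to the map.
DIRECTORY = {
    "uid=test": {"IntEPersUserPTM": ["ei0205"]},
    "uid=sample": {"cn": ["Sample User"]},  # entry without IntEPersUserPTM
}

# The two rules quoted in the thread, in order; slapd.conf doubles the final '$'.
RULES = [
    (r"^cn=replicator,ou=people,dc=int-evry,dc=fr$", "%0"),
    (r"^(uid=[^,]+)(,.*)$", "%1-%{uidMap(%1)}%2"),
]

def uid_map(filter_text, attr="IntEPersUserPTM"):
    """Hypothetical stand-in for the ldap map: filter text -> first value or None."""
    values = DIRECTORY.get(filter_text.lower(), {}).get(attr)
    return values[0] if values else None

MAPS = {"uidMap": uid_map}
MAP_CALL = re.compile(r"%\{(\w+)\((.*?)\)\}")

def expand(subst, groups):
    """Expand %N submatches and %{map(arg)} calls; return None if a map misses."""
    out, i = [], 0
    while i < len(subst):
        call = MAP_CALL.match(subst, i)
        if call:
            arg = expand(call.group(2), groups)
            value = MAPS[call.group(1)](arg) if arg is not None else None
            if value is None:
                return None
            out.append(value)
            i = call.end()
        elif subst[i] == "%" and subst[i + 1:i + 2].isdigit():
            out.append(groups[int(subst[i + 1])])
            i += 2
        else:
            out.append(subst[i])
            i += 1
    return "".join(out)

def rewrite_dn(dn):
    """Apply the first matching rule and stop, as the '@' flag does.
    Returns (dn_out, status); on a map miss the DN is left unchanged
    (an assumption of this sketch, not verified librewrite behaviour)."""
    for pattern, subst in RULES:
        m = re.match(pattern, dn)
        if m:
            result = expand(subst, [m.group(0), *m.groups()])
            return (dn, "map-miss") if result is None else (result, "matched")
    return dn, "no-match"
```

Calling rewrite_dn on a uid DN whose entry lacks the mapped attribute returns the status "map-miss", which is the case to check first when a rule using a map appears to do nothing.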