[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Slurpd/Slapd question - issue (LONG)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
I have a RHEL 3 server running openldap-2.2.24/db-4.2.52/openssl-0.9.7c and
all appears to be running fine. I'm replicating the db to two other servers,
FC1 and rh9 with the same packages.
I'm able to replicate fine from the primary server to the two slaves but the
contents of the 3 databases doesn't match up.
I stopped the primary server, ran a slapcat on it, ran slapadd on the slaves,
started the slaves and then started the server. When I change the password
via our web interface, which modifies shadowLastChange, I can watch the
slurpd.replog and see the changes are pushed out to the slaves.
Here are my slaves slapd.conf files:
Slave 1:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/ldap/etc/openldap/schema/core.schema
include /opt/ldap/etc/openldap/schema/cosine.schema
include /opt/ldap/etc/openldap/schema/inetorgperson.schema
include /opt/ldap/etc/openldap/schema/nis.schema
include /opt/ldap/etc/openldap/schema/misc.schema
include /opt/ldap/etc/openldap/schema/solaris.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_dn
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldap://konldap1.cellnet.com
loglevel 256
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /opt/ldap/etc/openldap/slapd-key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#password-hash {CRYPT}
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
readonly off
suffix "dc=cellnet,dc=com"
rootdn "cn=replica,dc=cellnet,dc=com"
updatedn "cn=replica,dc=cellnet,dc=com"
updateref "ldap://148.80.158.218";
rootpw {SSHA}o+DILbBGHbxPDrzEJjkglivhEPw0FQI9
directory /var/lib/ldap
mode 0700
cachesize 10000
sizelimit 10000
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index nisNetgroupTriple pres
#Restrict userPassword to be used for authentications only
access to
attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
by self write
by anonymous auth
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * none
#ACL allowing read access to everyone
access to *
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * read
Here is the other slaves slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/ldap/etc/openldap/schema/core.schema
include /opt/ldap/etc/openldap/schema/cosine.schema
include /opt/ldap/etc/openldap/schema/inetorgperson.schema
include /opt/ldap/etc/openldap/schema/nis.schema
include /opt/ldap/etc/openldap/schema/misc.schema
include /opt/ldap/etc/openldap/schema/solaris.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_dn
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldap://konldap1.cellnet.com
loglevel 256
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /opt/ldap/etc/openldap/slapd-key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#password-hash {CRYPT}
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
readonly off
suffix "dc=cellnet,dc=com"
rootdn "cn=replica,dc=cellnet,dc=com"
updatedn "cn=replica,dc=cellnet,dc=com"
updateref "ldap://148.80.158.218";
rootpw {SSHA}o+DILbBGHbxPDrzEJjkglivhEPw0FQI9
directory /var/lib/ldap
mode 0700
cachesize 10000
sizelimit 10000
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index nisNetgroupTriple pres
#Restrict userPassword to be used for authentications only
access to
attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
by self write
by anonymous auth
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * none
#ACL allowing read access to everyone
access to *
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * read
Here is the servers slapd.conf:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14
kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/ldap/etc/openldap/schema/core.schema
include /opt/ldap/etc/openldap/schema/cosine.schema
include /opt/ldap/etc/openldap/schema/inetorgperson.schema
include /opt/ldap/etc/openldap/schema/nis.schema
include /opt/ldap/etc/openldap/schema/misc.schema
include /opt/ldap/etc/openldap/schema/solaris.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_dn
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
loglevel 256
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
TLSCipherSuite HIGH:MEDIUM
TLSCACertificateFile /opt/ldap/etc/openldap/cacert.pem
TLSCertificateFile /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile /opt/ldap/etc/openldap/slapd-key.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
#password-hash {CRYPT}
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=cellnet,dc=com"
rootdn "cn=Manager,dc=cellnet,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}kzivzqK4M9JX9sj0g+waiJwNMQ/gl6xI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
mode 700
cachesize 10000
sizelimit 10000
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index nisNetgroupTriple pres
#Restrict userPassword to be used for authentications only
access to
attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
by self write
by anonymous auth
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * none
#ACL allowing read access to everyone
access to *
by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
by * read
replogfile /var/log/slapd.replog
replica host=konldap2.cellnet.com:389
suffix="dc=cellnet,dc=com"
binddn="cn=replica,dc=cellnet,dc=com"
bindmethod=simple
credentials=password
tls=yes
replica host=scarecrow.cellnet.com:389
suffix="dc=cellnet,dc=com"
binddn="cn=replica,dc=cellnet,dc=com"
bindmethod=simple
credentials=password
tls=yes
Does anyone know why the db's wouldn't be in sync and why when I manually add
in shadowLastChange it isn't reflected into the db?
Here's an example of just one instance where the db's differ:
(Slave 1)
/opt/ldap/bin/ldapsearch -x -h 148.80.180.6 -b
"ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#
# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
uid: ahirsch
cn: Aaron Hirsch
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1008
gidNumber: 3
homeDirectory: /home/ahirsch
gecos: Aaron Hirsch
loginShell: /bin/bash
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
(Slave 2)
/opt/ldap/bin/ldapsearch -x -h 148.80.158.219 -b
"ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#
# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
sn: Hirsch
uid: ahirsch
uidNumber: 1008
shadowExpire: 12641
# ahirsch, people, office, projects, cellnet.com
dn: uid=ahirsch,ou=people,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
shadowExpire: 12641
sn: Hirsch
uid: ahirsch
uidNumber: 1008
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
(Server)
/opt/ldap/bin/ldapsearch -x -h 148.80.158.218 -b
"ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#
# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
sn: Hirsch
uid: ahirsch
uidNumber: 1008
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So, as you can see slave 2 has information that is not contained in slave 1 or
the master server. The extra entry was in the db and deleted but it's still
showing up! There are no slurpd locks so I would have thought that the
information should have been removed from the replica.
Any ideas why the db's are out of sync?
- --
Aaron M. Hirsch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iQCVAwUBQIbzRDt2cqYtCmgKAQINIQP9F/lCpfoeT9xI5AsN/3LkrL7UpfdToyKJ
74cO5fWxS55FB+XUHhImFmRPDT/zbvmVJrBY92MDIauj5q8Ht8gX9eQ1YKXpg9Gy
DMh9mSmJWZFhRDXTNpcliK5V3LIqb65uJ7tLeGtknStAtzLrhXO8gbklE89X3k1Y
2cwV2/yfb/s=
=IJaq
-----END PGP SIGNATURE-----