
Context CSN not updated on OpenLDAP 2.3.11



Hi everyone!


I am facing a major issue, for the second time, with OpenLDAP 2.3.11.
I am aware it is a pretty old version of OpenLDAP, but it has been running in
production for almost a year now without any problem.


Here is the setup: a single Master (syncprov provider) replicating to one
Slave (syncrepl consumer, refreshOnly).


For some reason the contextCSN on the Master stops updating, so the Slave no longer receives any changes. The strange thing is that the Master itself keeps accepting adds and modifies successfully!


We are using OpenLDAP 2.3.11, Berkeley DB 4.4.16 and OpenSSL 0.9.8a, all running on Solaris 10.


Restarting the Master solved the problem once, but now that it has failed again I am very worried: restarting is not an acceptable fix for an application that is in production.


Please find the Master and Slave configuration files attached.
I have no logging at all on the Master (loglevel 0), and only syncrepl logging on the Slave.


We are considering restarting the Master with all logging enabled to see whether we can gather some information...


Is this a bug in OpenLDAP, in Berkeley DB, or something else?


Thanks in advance,


Adrien Futschik

# slapd.conf for the DIT -- Master (syncrepl provider)

# Global directives

# Unicode character data used for DN/attribute normalisation.
ucdata-path /appli/projects/ldap-ael/openldap_2.3.11/ucdata/
# Schema files, loaded in dependency order; the site-specific schemas
# (dit, ael) come last because they build on the standard ones.
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/core.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/corba.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/cosine.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/inetorgperson.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/java.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/misc.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/nds.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/nis.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/openldap.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/dit.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/ael.schema

# Database directives
database bdb

# Replication provider (syncrepl): this overlay maintains the contextCSN the
# consumer polls against.
# syncprov-checkpoint 100 10: the contextCSN is written to the database after
# 100 write operations or 10 minutes, whichever comes first; in between it is
# only held in memory.
# syncprov-sessionlog 1000: remember the last 1000 write operations so a
# consumer that is only slightly behind can catch up without a full refresh.
# NOTE(review): a contextCSN that stops advancing is the symptom reported with
# this configuration. These values alone do not explain it, and with
# "loglevel 0" below nothing is recorded to diagnose it; enable "sync" logging
# before the next occurrence and compare the contextCSN of the suffix entry
# (ldapsearch -b c=fr -s base contextCSN) with the entryCSN of the latest
# write. Later 2.3.x releases carry syncprov fixes that 2.3.11 does not have.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 1000


# Read-only mode for the active directory (disabled)
#readonly on

suffix  "c=fr"
directory       /appli/projects/ldap-ael/openldap_2.3.11/openldap-data
pidfile         /var/projects/ldap-ael/openldap_2.3.11/run/slapd.pid
argsfile        /var/projects/ldap-ael/openldap_2.3.11/slapd.args
# slurpd-style replication log, superseded by syncprov above. Every write,
# including userPassword changes, is appended here and the file grows without
# bound. NOTE(review): drop it, or protect it as tightly as the database
# directory.
replogfile      /appli/projects/ldap-ael/openldap_2.3.11/openldap-data/audit.ldif

# After 15 minutes of inactivity the server closes the connection
idletimeout     900

# Logging: 0 disables it entirely.
# NOTE(review): a replication stall cannot be investigated without logs; at
# least "stats" (connections/operations/results) and "sync" (syncrepl/
# syncprov activity) are wanted, i.e. "loglevel stats sync".
loglevel 0
# NOTE(review): {SHA} is an unsalted hash; {SSHA} adds a per-password salt.
password-hash   {SHA}
#referral       ldap://annusec1.edfgdf.fr

# At most 100 entries returned per search
sizelimit       100

# At most 10 minutes per LDAP request
timelimit       600

# Maximum size of the buffers holding incoming LDAP PDUs, for anonymous and
# authenticated connections respectively.
# NOTE(review): 44194303 (~44 MB) looks like a typo for the 4194303 default;
# as written any authenticated client can make the server buffer a 44 MB PDU.
# 261143 likewise looks like a typo for the 262143 default (harmless).
sockbuf_max_incoming 261143
sockbuf_max_incoming_auth 44194303

# Per slapd.conf(5): maximum pending (queued) requests on an anonymous
# connection
conn_max_pending 5

# Same cap for authenticated connections
conn_max_pending_auth 10

# Security strength factor -- disabled, so simple binds with cleartext
# passwords are accepted on plain ldap://.
#security ssf=112

# Anonymous binds remain allowed (directive disabled); the ACLs below grant
# anonymous only "auth" on userPassword, which is what binding needs.
#disallow bind_anon

# Operational attributes (entryCSN, modifiersName, ...). lastmod is on by
# default and must stay on: syncrepl relies on entryCSN/entryUUID.
#lastmod on

# TLS is entirely disabled (every directive below is commented out).
# NOTE(review): the replicator bind and all user passwords therefore cross
# the network in cleartext. Before enabling: the cipher list "+SSLv2" should
# be removed, the paths point at another tree (ael_qe) and one PEM file is
# used as CA, certificate and key at once -- verify all three.
#TLSCipherSuite HIGH:MEDIUM
# CA signed certificate and server cert entries:
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem
#TLSCertificateFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem
#TLSCertificateKeyFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem

# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never


# Indexes
index   default                 eq
# no index type given: falls back to the default above (eq)
index   objectClass,seeAlso
index   cn,sn                   eq,sub
index   mail,givenName,uid      pres,eq,sub
index   aelCompteBloque            eq

# Required by syncprov/syncrepl to find entries by CSN and UUID
index   entryCSN,entryUUID         eq


# BDB backend settings (previous values kept for reference)
#cachesize 2000
#checkpoint      2000    10
#dbnosync

# In-memory entry cache: up to 2,000,000 entries
cachesize 2000000
# BDB transaction checkpoint every 5000 KB of log or 10 minutes
checkpoint      5000    10
# dbnosync: on-disk contents are not synchronised with in-memory changes at
# commit time, so a crash may lose committed writes. On a replication
# provider this may leave the on-disk data behind CSNs already sent to the
# consumer. NOTE(review): trades durability for speed; reconsider in
# production.
dbnosync
# dirtyread: searches may return data that is not yet committed
dirtyread

# cn=admin is the rootdn and is not subject to the ACLs below.
rootdn cn=admin,c=fr
# NOTE(review): use a hash generated with slappasswd (e.g. {SSHA}...) rather
# than a cleartext value, and keep this file readable by the slapd user only.
rootpw PASSWORD

# tool-threads = number of processors on the server
#tool-threads    4

#concurrency 64
#threads 64


# ACLs -- the first matching "access to" clause wins, and within it the first
# matching "by" clause.
# userPassword: usable only for authentication, except by the owner, the two
# admin identities, the org administrators and the replicator (which needs
# read to copy the hashes to the consumer).
# NOTE(review): the dn.regex pattern is not anchored and ".+" also matches
# commas; anchor it (^...$) and use [^,]+ if only direct children of the
# "administrateurs" OUs are meant.
access to attr=userPassword
        by dn="cn=admin,c=fr" write
        by dn="cn=replicator,c=fr" read
	by dn="cn=aelAdmin,c=fr" write
        by self write
        by anonymous auth
        by dn.regex="cn=(.+),ou=administrateurs,o=((edf(gdf)?)|gazdefrance),c=fr" write
        by * none

# "ou=clients,o=edf,c=fr" with no dn style: per slapd.access(5) this is an
# exact match on that one entry (older releases read it as a regex), so the
# entries below it fall through to the catch-all rule at the end.
# NOTE(review): if the client entries underneath are meant, say so explicitly
# with dn.subtree or dn.children.
access to dn="ou=clients,o=edf,c=fr"
        by self write
        by dn.base="cn=aelAdmin,c=fr" write
        by dn="cn=replicator,c=fr" read
        by * read

# The organisation entry itself is world-readable
access to dn="o=edf,c=fr"
        by * read

# The application admin entry: anyone may authenticate against it, it may
# modify itself, the replicator copies it, nobody else can see it.
access to dn="cn=aelAdmin,c=fr"
        by self write
        by anonymous auth
        by dn="cn=replicator,c=fr" read
        by * none

# Catch-all: write for the two admin identities, read for the replicator (it
# must see everything it replicates), nothing for anyone else.
access to *
        by dn="cn=admin,c=fr" write
        by dn="cn=aelAdmin,c=fr" write
        by dn="cn=replicator,c=fr" read
        by * none

# Monitoring backend (cn=Monitor)
database monitor
# This "access to *" applies to the monitor database only: write for the
# rootdn, read-only for entries directly under the three administrator OUs,
# nothing for anyone else.
access to *
        by dn.exact="cn=admin,c=fr" write
        by dn.children="ou=administrateurs,o=edf,c=fr" read
        by dn.children="ou=administrateurs,o=edfgdf,c=fr" read
        by dn.children="ou=administrateurs,o=gazdefrance,c=fr" read
        by * none

# slapd.conf for the DIT -- Slave (syncrepl consumer)

# Global directives

# Unicode character data used for DN/attribute normalisation.
ucdata-path /appli/projects/ldap-ael/openldap_2.3.11/ucdata/
# Schema files, loaded in dependency order; the site-specific schemas
# (dit, ael) come last because they build on the standard ones. They must
# match the provider's schema set, since the consumer copies its entries.
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/core.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/corba.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/cosine.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/inetorgperson.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/java.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/misc.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/nds.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/nis.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/openldap.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/dit.schema
include /appli/projects/ldap-ael/openldap_2.3.11/conf/openldap/schema/ael.schema

# Database directives
database bdb

# Read-only mode for the active directory (disabled).
# NOTE(review): this is a replication consumer; see the ACL note below on
# why enabling this (or an updateref) is worth considering.
#readonly on

suffix  "c=fr"
directory       /appli/projects/ldap-ael/openldap_2.3.11/openldap-data
pidfile         /var/projects/ldap-ael/openldap_2.3.11/run/slapd.pid
argsfile        /var/projects/ldap-ael/openldap_2.3.11/slapd.args
# slurpd-style replication log; on a consumer it serves no purpose but still
# records every write (including userPassword values) and grows without
# bound. NOTE(review): drop it, or protect it like the database directory.
replogfile      /appli/projects/ldap-ael/openldap_2.3.11/openldap-data/audit.ldif

# After 15 minutes of inactivity the server closes the connection
idletimeout     900

# Logging: 0 disables it entirely.
# NOTE(review): to see why the consumer stops receiving updates, "sync"
# logging (plus "stats") is needed, i.e. "loglevel stats sync".
loglevel 0
# NOTE(review): {SHA} is an unsalted hash; {SSHA} adds a per-password salt.
# Irrelevant for replicated hashes, which arrive already hashed from the
# provider, but it applies to any password set locally.
password-hash   {SHA}
#referral       ldap://annusec1.edfgdf.fr

# At most 100 entries returned per search
sizelimit       100

# At most 10 minutes per LDAP request
timelimit       600

# Maximum size of the buffers holding incoming LDAP PDUs, for anonymous and
# authenticated connections respectively.
# NOTE(review): 44194303 (~44 MB) looks like a typo for the 4194303 default;
# 261143 likewise for 262143 (harmless).
sockbuf_max_incoming 261143
sockbuf_max_incoming_auth 44194303

# Per slapd.conf(5): maximum pending (queued) requests on an anonymous
# connection
conn_max_pending 5

# Same cap for authenticated connections
conn_max_pending_auth 10

# Security strength factor -- disabled, so simple binds with cleartext
# passwords are accepted on plain ldap://.
#security ssf=112

# Anonymous binds remain allowed (directive disabled); the ACLs below grant
# anonymous only "auth" on userPassword, which is what binding needs.
#disallow bind_anon

# Operational attributes. lastmod is on by default and must stay on for
# syncrepl (entryCSN/entryUUID).
#lastmod on

# TLS is entirely disabled (every directive below is commented out).
# NOTE(review): the syncrepl bind to the provider (see the end of this
# section) therefore goes out in cleartext. Before enabling: remove "+SSLv2"
# from the cipher list, check the paths (they point at the ael_qe tree) and
# the single PEM file used as CA, certificate and key.
#TLSCipherSuite HIGH:MEDIUM
# CA signed certificate and server cert entries:
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem
#TLSCertificateFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem
#TLSCertificateKeyFile /appli/projects/ael_qe/openldap_2.3.11/openldap-data/server.pem

# Use the following if client authentication is required
#TLSVerifyClient demand
# ... or not desired at all
#TLSVerifyClient never


# Indexes
index   default                 eq
# no index type given: falls back to the default above (eq)
index   objectClass,seeAlso
index   cn,sn                   eq,sub
index   mail,givenName,uid      pres,eq,sub
index   aelCompteBloque            eq

# Required by syncrepl to find entries by CSN and UUID
index   entryCSN,entryUUID         eq


# BDB backend settings (previous values kept for reference)
#cachesize 2000
#checkpoint      2000    10
#dbnosync

# In-memory entry cache: up to 2,000,000 entries
cachesize 2000000
# BDB transaction checkpoint every 5000 KB of log or 10 minutes
checkpoint      5000    10
# dbnosync: on-disk contents are not synchronised with in-memory changes at
# commit time, so a crash may lose committed writes -- including the
# replication cookie, which may then force a full refresh from the provider.
# NOTE(review): trades durability for speed; reconsider in production.
dbnosync
# dirtyread: searches may return data that is not yet committed
dirtyread

# cn=admin is the rootdn and is not subject to the ACLs below.
rootdn cn=admin,c=fr
# NOTE(review): use a hash generated with slappasswd (e.g. {SSHA}...) rather
# than a cleartext value, and keep this file readable by the slapd user only.
rootpw PASSWD

# tool-threads = number of processors on the server
#tool-threads    4

#concurrency 64
#threads 64


# ACLs -- the first matching "access to" clause wins, and within it the first
# matching "by" clause. Same rules as the provider, minus the replicator.
# NOTE(review): this is a consumer, yet cn=aelAdmin, the org administrators
# and users themselves ("self") keep write access here. Local writes are not
# sent back to the provider, so the two copies will diverge; consider
# "readonly on" or an updateref pointing at the provider.
# NOTE(review): the dn.regex pattern is not anchored and ".+" also matches
# commas; anchor it (^...$) and use [^,]+ if only direct children of the
# "administrateurs" OUs are meant.
access to attr=userPassword
        by dn="cn=admin,c=fr" write
        by dn="cn=aelAdmin,c=fr" write
        by self write
        by anonymous auth
        by dn.regex="cn=(.+),ou=administrateurs,o=((edf(gdf)?)|gazdefrance),c=fr" write
        by * none

# "ou=clients,o=edf,c=fr" with no dn style: per slapd.access(5) this is an
# exact match on that one entry (older releases read it as a regex), so the
# entries below it fall through to the catch-all rule at the end.
access to dn="ou=clients,o=edf,c=fr"
        by self write
        by dn.base="cn=aelAdmin,c=fr" write
        by * read

# The organisation entry itself is world-readable
access to dn="o=edf,c=fr"
        by * read

# The application admin entry: anyone may authenticate against it, it may
# modify itself, nobody else can see it.
access to dn="cn=aelAdmin,c=fr"
        by self write
        by anonymous auth
        by * none

# Catch-all: write for the two admin identities, nothing for anyone else.
access to *
        by dn="cn=admin,c=fr" write
        by dn="cn=aelAdmin,c=fr" write
        by * none

# Consumer side of the replication: poll the provider every 30 seconds
# (refreshOnly) for every entry and attribute under c=fr.
# NOTE(review): the provider URL is plain ldap:// with bindmethod=simple, so
# the replicator password crosses the network in cleartext on every poll;
# use ldaps:// or add starttls=yes. The password is identical to the account
# name and stored in cleartext here: choose a strong one and restrict this
# file to the slapd user.
# retry="30 20 300 24": 20 retries 30 s apart, then 24 retries 300 s apart
# (about 2h10 in total); per slapd.conf(5) the consumer then gives up until
# slapd is restarted -- a "+" as the last count means retry indefinitely.
# schemachecking=off: replicated entries are not validated against the local
# schema.
syncrepl
   rid=1
       provider=ldap://pcyfz02asp.edfgdf.fr:2390
       binddn="cn=replicator,c=fr"
       bindmethod=simple
       credentials=replicator
       searchbase="c=fr"
       filter="(objectClass=*)"
       attrs="*"
       schemachecking=off
       scope=sub
       type=refreshOnly
       retry="30 20 300 24"
       interval=00:00:00:30

# Monitoring backend (cn=Monitor)
database monitor
# This "access to *" applies to the monitor database only: write for the
# rootdn, read-only for entries directly under the three administrator OUs,
# nothing for anyone else.
access to *
        by dn.exact="cn=admin,c=fr" write
        by dn.children="ou=administrateurs,o=edf,c=fr" read
        by dn.children="ou=administrateurs,o=edfgdf,c=fr" read
        by dn.children="ou=administrateurs,o=gazdefrance,c=fr" read
        by * none