
Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing



Hey Quanah,

Oh no, my question was whether an arbitrary external variable (e.g. URI1) could be set (e.g. to ldap://host1.hq.mycompany.com:389/) inside an LDIF file and used in subsequent places in the file.
(to avoid having to type in the value in multiple places).
I suppose not?

Assuming not, I typed in each value into all its relevant places in my LDIF file and re-ran slapadd.
Now it gives me the following error (on latest redhat 64bit):
loaded module syncprov.la
module syncprov.la: null module registered

Surely the above message signifies an error?

Anyway, processing continues until it gives the following final error:
>>> dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
<= str2entry: str2ad(changetype): attribute type undefined
slapadd: could not parse entry (line=48)

Could you please advise?  I have no clue as to what is going wrong.
I have attached the LDIF file "nwaymmr2s.ldif" and the debug output from running the command slapadd -d -1 -v -F /etc/openldap/slapd.d -n 0 -l /etc/openldap/nwaymmr2s.ldif >& output.txt.

Also, do I need to run slappasswd and copy the hash value from it into my LDIF file's olcRootPW field value?
Or can I just keep the original value, "secret"?

And a final question, please:
Why does the data replication (unlike the config replication, which does operate in refreshAndPersist mode) have to operate in refreshOnly mode?
Why can't it operate in refreshAndPersist mode?

Thank you very much.

Fal


On Mon, Dec 31, 2012 at 12:49 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Monday, December 31, 2012 9:49 AM -0800 fal patel <fal0patel@gmail.com> wrote:

Hey Quanah,

Thank you very much for the debugging tip!  -- Using it I got further in.
Now I get an error "<= str2entry: str2ad(UR1): attribute type undefined".
I must be setting my external variables (such as UR1) incorrectly in my
LDIF file.
What is the correct syntax for setting them, please?
I tried each of the following sentences, none of which worked:
URI1: ldap://host1.hq.mycompany.com:389/
URI1: ldap://host1.hq.mycompany.com:389
URI1: "ldap://host1.hq.mycompany.com:389/"
URI1="ldap://host1.hq.mycompany.com:389/"
URI1="ldap://host1.hq.mycompany.com:389"
URI1 ldap://host1.hq.mycompany.com:389/

There is no URI bit in the admin guide.  I highly advise you go re-read it. What you posted is clearly invalid.

From the admin guide:

-----------------------------------------------------

Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):


    dn: cn=config
    changetype: modify
    replace: olcServerID
    olcServerID: 1 $URI1
    olcServerID: 2 $URI2
    olcServerID: 3 $URI3

-----------------------------------------------------

I.e. the attribute name is "olcServerID".


--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

slapadd init: initiated tool.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (April  4, 2012)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (April  4, 2012)
null_back_initialize: initialize null backend
backend_startup_one: starting "cn=config"
ldif_read_file: no entry file "/etc/openldap/slapd.d/cn=config.ldif"
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=32 matched="" text=""
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
slapadd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
Backend ACL: access to *
	by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
=> str2entry: "####################################
# nwaymmr2s.ldif
####################################
# This sets up the config database:
# for OpenLDAP server 1:
# dn: cn=config
# objectClass: olcGlobal
# cn: config
# olcServerID: 1
#
# dn: olcDatabase={0}config,cn=config
# objectClass: olcDatabaseConfig
# olcDatabase: {0}config
# olcRootPW: secret
#
# second and third servers will have a different olcServerID obviously:
# for OpenLDAP server 2:
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2
"
>>> dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
<= str2entry(cn=config) -> 0x7f02dcd5c2f8
oc_check_required entry (cn=config), objectClass "olcGlobal"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "olcServerID"
oc_check_allowed type "structuralObjectClass"
olcServerID: value #0: SID=0x002
ldif_write_entry: wrote entry "cn=config"
added: "cn=config" (00000001)
=> str2entry: "dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret
#
# for OpenLDAP server 3:
# dn: cn=config
# objectClass: olcGlobal
# cn: config
# olcServerID: 3
#
# dn: olcDatabase={0}config,cn=config
# objectClass: olcDatabaseConfig
# olcDatabase: {0}config
# olcRootPW: secret
#
"
>>> dnPrettyNormal: <olcDatabase={0}config,cn=config>
<<< dnPrettyNormal: <olcDatabase={0}config,cn=config>, <olcDatabase={0}config,cn=config>
<= str2entry(olcDatabase={0}config,cn=config) -> 0x7f02dcd5c2f8
oc_check_required entry (olcDatabase={0}config,cn=config), objectClass "olcDatabaseConfig"
oc_check_allowed type "objectClass"
oc_check_allowed type "olcDatabase"
oc_check_allowed type "olcRootPW"
oc_check_allowed type "structuralObjectClass"
config_build_entry: "olcDatabase={-1}frontend"
ldif_read_file: read entry file: "/etc/openldap/slapd.d/cn=config.ldif"
=> str2entry: "dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2
structuralObjectClass: olcGlobal
entryUUID: 0dba7296-e8fb-1031-93f5-b37179e0df9e
creatorsName: cn=config
createTimestamp: 20130102073749Z
entryCSN: 20130102073749.857806Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130102073749Z
"
>>> dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
>>> dnPretty: <cn=config>
<<< dnPretty: <cn=config>
>>> dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
>>> dnPretty: <cn=config>
<<< dnPretty: <cn=config>
>>> dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
<= str2entry(cn=config) -> 0x7f02dcd5c3e8
ldif_write_entry: wrote entry "olcDatabase={-1}frontend,cn=config"
ldif_write_entry: wrote entry "olcDatabase={0}config,cn=config"
added: "olcDatabase={0}config,cn=config" (00000001)
=> str2entry: "# This sets up syncrepl as a provider (since these are all masters):
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
# olcModulePath: /usr/local/libexec/openldap
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la
"
>>> dnPrettyNormal: <cn=module,cn=config>
<<< dnPrettyNormal: <cn=module,cn=config>, <cn=module,cn=config>
<= str2entry(cn=module,cn=config) -> 0x7f02dcd5c2f8
oc_check_required entry (cn=module,cn=config), objectClass "olcModuleList"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "olcModulePath"
oc_check_allowed type "olcModuleLoad"
oc_check_allowed type "structuralObjectClass"
>>> dnNormalize: <cn=module{0}>
<<< dnNormalize: <cn=module{0}>
loaded module syncprov.la
module syncprov.la: null module registered
ldif_write_entry: wrote entry "cn=module{0},cn=config"
added: "cn=module{0},cn=config" (00000001)
=> str2entry: "# Now we setup the first Master Node
# (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
# URI1=ldap://10.12.223.10:389/
# URI2=ldap://10.12.223.11:389/
# URI3=ldap://10.12.223.12:389/
# olcServerID: 1 $URI1
# olcServerID: 2 $URI2 
# olcServerID: 3 $URI3
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.12.223.10:389/
olcServerID: 2 ldap://10.12.223.11:389/
olcServerID: 3 ldap://10.12.223.12:389/
"
>>> dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
<= str2entry: str2ad(changetype): attribute type undefined
slapadd: could not parse entry (line=48)
slapadd shutdown: initiated
slapadd destroy: freeing system resources.

Attachment: nwaymmr2s.ldif
Description: Binary data
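
Added example, not part of the original message or the attached file: a pre-flight check for an LDIF template like the one in this thread. It expands $URI placeholders before loading, separates entry records from change records (slapadd parsed the "changetype: modify" record as an entry, hence "str2ad(changetype): attribute type undefined" in the output above), and flags a cleartext olcRootPW. The function names, the template text and the host2/host3 names are constructed for illustration.

```python
import re

# Constructed template modelled on the LDIF in this thread; $URI1..$URI3 are
# placeholders for this script, not LDIF syntax.
TEMPLATE = """\
# config database for server 2
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $URI1
olcServerID: 2 $URI2
olcServerID: 3 $URI3
"""

def render(template, variables):
    """Expand $NAME placeholders; an undefined name raises KeyError."""
    return re.sub(r"\$([A-Z][A-Z0-9_]*)", lambda m: variables[m.group(1)], template)

def split_records(ldif):
    """Return records (lists of lines) separated by blank lines, comments dropped."""
    blocks = re.split(r"\n[ \t]*\n", ldif.strip())
    records = [[l for l in b.splitlines() if not l.startswith("#")] for b in blocks]
    return [r for r in records if r]

def triage(ldif):
    """Separate entry records (slapadd) from change records (ldapmodify)."""
    entries, changes, warnings = [], [], []
    for rec in split_records(ldif):
        is_change = any(l.lower().startswith("changetype:") for l in rec)
        (changes if is_change else entries).append(rec)
        for line in rec:
            # Flags a cleartext value; hashed values start with a {SCHEME} tag.
            # Base64 values ("olcRootPW::") are not inspected.
            if re.match(r"olcRootPW:\s+(?!\{)\S", line, re.I):
                warnings.append(f"{rec[0]}: olcRootPW is cleartext")
    return entries, changes, warnings

if __name__ == "__main__":
    uris = {f"URI{i}": f"ldap://host{i}.hq.mycompany.com:389/" for i in (1, 2, 3)}
    entries, changes, warnings = triage(render(TEMPLATE, uris))
    print(len(entries), "entry records,", len(changes), "change records")
    print("\n".join(warnings))
```

Records returned in the second list belong in a file applied with ldapmodify against a running slapd, not in the slapadd input.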