[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: (ITS#7608) cn=config with modifiersdn outside cn=config breaks recovery using slapadd

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7608) cn=config with modifiersdn outside cn=config breaks recovery using slapadd
From: ck@cksoft.de
Date: Sun, 26 May 2013 08:21:02 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)
Hi,

Summary: it seems having a modifiersdn outside of cn=config in cn=config breaks replication once slapd is restarted.

I have a more elaborate test setup with four servers.

Two masters ldaptest1, ldaptest2 using syncrepl in mirrormode .

Two slaves ldaptest3, ldaptest4 that use syncrepl to slave from the masters.

The masters and the slaves also replicate cn=config between themselves.

Replication config is as follows:

on ldaptest1 and ldaptest2:

 	dn: cn=config
 	...
 	olcServerID: 1 ldap://ldaptest1.cksoft.de
 	olcServerID: 2 ldap://ldaptest2.cksoft.de
 	olcServerID: 3 ldap://ldaptest3.cksoft.de
 	olcServerID: 4 ldap://ldaptest4.cksoft.de

 	dn: olcDatabase={1}mdb,cn=config
 	...
 	olcSyncrepl:
 	  rid=001
 	  provider=ldap://ldaptest1.cksoft.de
 	  bindmethod=simple
 	  binddn="cn=replica,ou=system,dc=test"
 	  credentials="secret"
 	  keepalive=0:0:0
 	  starttls=yes
 	  tls_cert="/usr/local/etc/openldap/certs/server.cert"
 	  tls_key="/usr/local/etc/openldap/certs/server.key"
 	  tls_cacert="/usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert"
 	  tls_reqcert=demand tls_crlcheck=none
 	  filter="(objectclass=*)"
 	  searchbase="dc=test"
 	  scope=sub
 	  type=refreshAndPersist
 	  retry="60 10 300 +"
 	olcSyncrepl:
 	  rid=002
 	  provider=ldap://ldaptest2.cksoft.de
 	  bindmethod=simple
 	  binddn="cn=replica,ou=system,dc=test"
 	  credentials="secret"
 	  keepalive=0:0:0
 	  starttls=yes
 	  tls_cert="/usr/local/etc/openldap/certs/server.cert"
 	  tls_key="/usr/local/etc/openldap/certs/server.key"
 	  tls_cacert="/usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert"
 	  tls_reqcert=demand tls_crlcheck=none
 	  filter="(objectclass=*)"
 	  searchbase="dc=test"
 	  scope=sub
 	  type=refreshAndPersist
 	  retry="60 10 300 +"
 	olcMirrorMode: TRUE


on ldaptest3 and ldaptest4:

 	dn: cn=config
 	...
 	olcServerID: 1 ldap://ldaptest1.cksoft.de
 	olcServerID: 2 ldap://ldaptest2.cksoft.de
 	olcServerID: 3 ldap://ldaptest3.cksoft.de
 	olcServerID: 4 ldap://ldaptest4.cksoft.de

 	dn: olcDatabase={1}mdb,cn=config
 	...
 	olcSyncrepl:
 	  rid=001
 	  provider=ldap://ldaptest1.cksoft.de
 	  bindmethod=simple
 	  binddn="cn=replica,ou=system,dc=test"
 	  credentials="secret"
 	  keepalive=0:0:0
 	  starttls=yes
 	  tls_cert="/usr/local/etc/openldap/certs/server.cert"
 	  tls_key="/usr/local/etc/openldap/certs/server.key"
 	  tls_cacert="/usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert"
 	  tls_reqcert=demand tls_crlcheck=none
 	  filter="(objectclass=*)"
 	  searchbase="dc=test"
 	  scope=sub
 	  type=refreshAndPersist
 	  retry="60 10 300 +"
 	olcSyncrepl:
 	  rid=002
 	  provider=ldap://ldaptest2.cksoft.de
 	  bindmethod=simple
 	  binddn="cn=replica,ou=system,dc=test"
 	  credentials="secret"
 	  keepalive=0:0:0
 	  starttls=yes
 	  tls_cert="/usr/local/etc/openldap/certs/server.cert"
 	  tls_key="/usr/local/etc/openldap/certs/server.key"
 	  tls_cacert="/usr/local/etc/openldap/certs/cksoftware-gmbh-ca-2011-2031.cert"
 	  tls_reqcert=demand tls_crlcheck=none
 	  filter="(objectclass=*)"
 	  searchbase="dc=test"
 	  scope=sub
 	  type=refreshAndPersist
 	  retry="60 10 300 +"
 	olcMirrorMode: FALSE

Once I modify something trivial like olcLogLevel on the slaves using my personal dn, cn=config will have following operational attributes:

 	# config
 	dn: cn=config
 	structuralObjectClass: olcGlobal
 	entryUUID: dc78e00a-461a-1032-9454-cd151c72b364
 	creatorsName: cn=config
 	createTimestamp: 20130430194949Z
 	entryCSN: 20130526075059.867187Z#000000#004#000000
 	modifiersName: uid=ckratzer,ou=people,dc=test
 	modifyTimestamp: 20130526075059Z
 	contextCSN: 20130526074631.636527Z#000000#003#000000
 	contextCSN: 20130526075059.867187Z#000000#004#000000
 	entryDN: cn=config
 	subschemaSubentry: cn=Subschema

I then restart slapd on the first slave ldaptest3 and leave it running on ldaptest4.

A change replicated from the masters will appear on ldaptest4 just fine.

The restarted master on ldaptest3 fails to apply the change

 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_message_to_entry: rid=001 DN: cn=test,dc=test, UUID: 3e48a550-4dd1-1032-9f9f-47169a206073
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=001 inserted UUID 3e48a550-4dd1-1032-9f9f-47169a206073
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=001 be_search (0)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=001 cn=test,dc=test
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=001 entry unchanged, ignored (cn=test,dc=test,)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_updateCookie: rid=001 be_modify failed (17)
 	May 26 10:06:13 ldaptest3 slapd[2410]: do_syncrepl: rid=001 rc 17 retrying
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_message_to_entry: rid=002 DN: cn=test,dc=test, UUID: 3e48a550-4dd1-1032-9f9f-47169a206073
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=002 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=002 inserted UUID 3e48a550-4dd1-1032-9f9f-47169a206073
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=002 be_search (0)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=002 cn=test,dc=test,
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_entry: rid=002 entry unchanged, ignored (cn=test,dc=test,)
 	May 26 10:06:13 ldaptest3 slapd[2410]: syncrepl_updateCookie: rid=002 be_modify failed (17)
 	May 26 10:06:13 ldaptest3 slapd[2410]: do_syncrepl: rid=002 rc 17 retrying

I currently have customer data in above test setup so I had to do some obfuscation in above samples and logs. If required I can setup maximally stripped down case that illustrates the problem.

Would it be possible to mask modifiersName inside cn=config to either a fixed value just append something like cn=proxied,cn=config to dns outside of cn=config.

Greetings
Christian

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
Prev by Date: Re: (ITS#7607) Assertion triggers during many sequential transaction commits
Next by Date: (ITS#7609) back-meta enhancement: filter patterns for target selection
Index(es):
- Chronological
- Thread