[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OL 2.3.18 syncrepl vs slurpd

On 1/23/06 12:59 PM, Quanah Gibson-Mount wrote:

--On Monday, January 23, 2006 9:04 AM -0500 Francis Swasey <Frank.Swasey@uvm.edu> wrote:

Now, I have discovered three things.

1) delta-syncrepl doesn't seem to have any way to filter the amount of
what is sent -- so, it has the same issues that I'm fighting with slurpd
of sending every update to all the replicas and perhaps I do not want all
the updates on all the replicas (this was the reason for me going to

You could, of course, have more than one accesslog database, each with what you wanted going to the different replicas. Or, alternately, you should be able to use a filter similar to what you configured for syncRepl for use with delta-syncrepl on the accesslog DB.

Yes, I suppose I could, but I don't seem to be intelligent enough to figure out how to filter what gets put into the accesslog based on whether or not the DN is in the correct branch of the DIT.

I've probably allowed too much in a single database, and now I want to send all the updates to one class of replicas and everything except the sendmail access control entries to another class of replicas -- of course, this is because slurpd is getting behind from time to time -- perhaps delta-syncrepl will be fast enough that this will not be an issue.

2) There is a DOS against the master server if the consumer codes a bad
logfilter.  You will see a bad filter indication in the log on the master
(with loglevel stats) when the consumer starts up.  The first update to
the master after that will cause slapd to end with nothing going into the
syslog at all, but suddenly, it's not running anymore. Given that anyone
could fire up a syncrepl consumer and point it at my master... that's a
rather nasty one...  Has anyone else noticed it (I honestly just found it
and have not searched in the ITS yet)?

I'm not really sure this is a DOS attack. It certainly causes a segfault on the master. However, I assume that it requires a replica that can bind with valid credentials to the master, implying the administrator would have to be the one initiating such an attack on themselves... In any case, I imagine it'll be fixed fairly soon. :P

Well, I suppose, if you force me to think it all the way through that yes, you have to authenticate with the correct DN to be able to get to the accesslog database.... but it's still a nasty surprise ;-)

3) loglevel sync on the syncrepl consumer doesn't log anything with
delta-syncrepl.  Did I miss something in the slapd.conf(5) man page about
the loglevel to get delta-syncrepl actions logged?  Or is it in a
different man page, that I didn't think to look at?

This one I haven't played with, but it sounds like a bug.

Hmmm, if it sounds like a bug to you, I guess I better file an ITS.

Frank Swasey                    | http://www.uvm.edu/~fcs
Senior IT Professional          | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)