
syncrepl and the memberof overlay



Hi,

Has anyone tried using the memberof overlay with syncrepl?

I'm using openldap 2.4.12-7.18.1 on SLES11. I'd like to do multi-master
replication for availability. Most user/group updates will happen only
on one node, but password changes could happen anywhere.

A couple of our apps like to see the memberOf attributes. My first thought
was that I'd probably only need to run the overlay on one master. Does
that sound about right?

At first glance it seems that when memberof modifies user entries, it
doesn't update the entryCSN. I'm not sure but I think this might cause
some grief for syncrepl.

If I add "testuser1" and "testgroup1" on ldap1, with testuser1 as
a member of testgroup1, this is what I get on ldap1:

-------
dn: dc=dom
entryCSN: 20091005145613.859492Z#000000#000#000000
contextCSN: 20091005184427.691751Z#000000#000#000000
contextCSN: 20091006133430.568898Z#000000#001#000000
contextCSN: 20091005194750.632855Z#000000#002#000000

dn: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.564578Z#000000#001#000000
memberOf: cn=testgroup1,ou=group,dc=dom

dn: cn=testgroup1,ou=group,dc=dom
member: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.568898Z#000000#001#000000
-------

testuser1's entryCSN is earlier than testgroup1's, but memberof would
have modified testuser1 AFTER testgroup1. This is what shows up
on ldap2:

-------
dn: dc=dom
entryCSN: 20091005145613.859492Z#000000#000#000000
contextCSN: 20091006133430.568898Z#000000#001#000000

dn: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.564578Z#000000#001#000000

dn: cn=testgroup1,ou=group,dc=dom
member: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.568898Z#000000#001#000000
-------

Configuration of ldap1:

-------
dn: cn=config
# ...
olcServerID: 1

dn: olcDatabase={1}hdb,cn=config
# ...
olcAccess: {0}to attrs=userPassword by self write
    by dn.subtree="ou=service,dc=dom" read by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to * by * read
olcDbIndex: objectclass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcLimits: {0}dn.subtree="ou=service,dc=dom" time.soft=unlimited
    time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: {0}rid=002 provider=ldap://ldap2.dom
    binddn="cn=repluser,ou=service,dc=dom" bindmethod=simple
    credentials=xxxxxx searchbase="dc=dom" attrs="*,+"
    type=refreshAndPersist schemachecking=off
    tls_cacert=/etc/openldap/ssl/ca.crt tls_reqcert=demand
    interval=00:00:05:00 retry="60 +"
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcSyncProvConfig
olcSpCheckpoint: 100 10
olcSpSessionlog: 1000
olcOverlay: {0}syncprov

dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {1}memberof
-------


Configuration of ldap2:

-------
dn: cn=config
# ...
olcServerID: 2

dn: olcDatabase={1}hdb,cn=config
# ...
olcAccess: {0}to attrs=userPassword by self write
    by dn.subtree="ou=service,dc=dom" read by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to * by * read
olcDbIndex: objectclass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcLimits: {0}dn.subtree="ou=service,dc=dom" time.soft=unlimited
    time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.dom
    binddn="cn=repluser,ou=service,dc=dom" bindmethod=simple
    credentials=xxxxxx searchbase="dc=dom" attrs="*,+"
    type=refreshAndPersist schemachecking=off
    tls_cacert=/etc/openldap/ssl/ca.crt tls_reqcert=demand
    interval=00:00:05:00 retry="60 +"
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcSyncProvConfig
olcSpCheckpoint: 100 10
olcSpSessionlog: 1000
olcOverlay: {0}syncprov
-------



Here's the log from ldap1. I have the loglevel set to "stats sync":

-------
conn=23 op=11 ADD dn="uid=testuser1,ou=people,dc=dom"
slap_queue_csn: queing 0x7f4d125ec2c0 20091006133430.564578Z#000000#001#000000
conn=23 op=11 RESULT tag=105 err=0 text=
syncprov_sendresp: cookie=rid=001,sid=002,csn=20091006133430.564578Z#000000#001#000000
slap_graduate_commit_csn: removing 0x7f4d1bca6b60 20091006133430.564578Z#000000#001#000000
conn=23 op=12 ADD dn="cn=testgroup1,ou=group,dc=dom"
slap_queue_csn: queing 0x7f4d13dee2c0 20091006133430.568898Z#000000#001#000000
syncprov_sendresp: cookie=rid=001,sid=002,csn=20091006133430.568898Z#000000#001#000000
slap_graduate_commit_csn: removing 0x7f4d1be955b0 20091006133430.568898Z#000000#001#000000
conn=23 op=12 RESULT tag=105 err=0 text=
syncprov_sendresp: cookie=rid=001,sid=002,csn=20091006133430.568898Z#000000#001#000000
do_syncrep2: cookie=rid=002,sid=001
syncrepl_entry: rid=002 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
dn_callback : entries have identical CSN cn=testgroup1,ou=group,dc=dom 20091006133430.568898Z#000000#001#000000
syncrepl_entry: rid=002 be_search (0)
syncrepl_entry: rid=002 cn=testgroup1,ou=group,dc=dom
syncrepl_entry: rid=002 entry unchanged, ignored (cn=testgroup1,ou=group,dc=dom)
conn=23 op=13 UNBIND
conn=23 fd=29 closed
-------

And here's the log on ldap2. There's a "CSN too old" error at the
bottom.

-------
do_syncrep2: cookie=rid=001,sid=002,csn=20091006133430.564578Z#000000#001#000000
syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=001 be_search (0)
syncrepl_entry: rid=001 uid=testuser1,ou=people,dc=dom
slap_queue_csn: queing 0x7fece57d0860 20091006133430.564578Z#000000#001#000000
slap_graduate_commit_csn: removing 0x7fece57d2480 20091006133430.564578Z#000000#001#000000
syncrepl_entry: rid=001 be_add (0)
slap_queue_csn: queing 0x7fece57d0860 20091006133430.564578Z#000000#001#000000
slap_graduate_commit_csn: removing 0x7fece57d4460 20091006133430.564578Z#000000#001#000000
do_syncrep2: cookie=rid=001,sid=002,csn=20091006133430.568898Z#000000#001#000000
syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=001 be_search (0)
syncrepl_entry: rid=001 cn=testgroup1,ou=group,dc=dom
slap_queue_csn: queing 0x7fece57d2480 20091006133430.568898Z#000000#001#000000
slap_graduate_commit_csn: removing 0x7fece57d0850 20091006133430.568898Z#000000#001#000000
syncrepl_entry: rid=001 be_add (0)
slap_queue_csn: queing 0x7fece57d2480 20091006133430.568898Z#000000#001#000000
syncprov_sendresp: cookie=rid=002,sid=001
slap_graduate_commit_csn: removing 0x7fece57cea20 20091006133430.568898Z#000000#001#000000
do_syncrep2: cookie=rid=001,sid=002,csn=20091006133430.568898Z#000000#001#000000
do_syncrep2: rid=001 CSN too old, ignoring 20091006133430.568898Z#000000#001#000000
-------

Thanks,
Mike
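A small consistency check that reproduces the observation in the post, added here as an example; it is not code from the original message or from the OpenLDAP project. It takes the two simplified dumps shown above (copied into the script as constructed sample data), splits the CSN format `timestamp#count#sid#mod` into its fields, and reports three things: DNs whose entryCSN is identical on both peers while their attribute values differ (the memberOf value present on ldap1 but absent on ldap2), users whose memberOf names a group with a newer entryCSN than the user's own (the overlay wrote memberOf without advancing entryCSN), and entryCSNs a dump's contextCSN set does not cover for that server ID (ldap2's dump lists no contextCSN for server ID 0 although dc=dom carries one). The suffix `dc=dom` is passed in explicitly; nothing here talks to a directory server.

```python
"""Compare simplified entry dumps from two syncrepl peers and flag divergence.

Added example, not from the original post or the OpenLDAP project. Sample
data below is constructed from the values shown in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


@dataclass(frozen=True, order=True)
class CSN:
    """One OpenLDAP CSN; field order makes dataclass ordering meaningful."""
    timestamp: str  # YYYYmmddHHMMSS.ffffffZ, fixed width, so it sorts lexically
    count: int      # change count within the same timestamp (hex on the wire)
    sid: int        # server ID (hex)
    mod: int        # modification number (hex)

    @classmethod
    def parse(cls, text: str) -> "CSN":
        ts, count, sid, mod = text.split("#")
        return cls(ts, int(count, 16), int(sid, 16), int(mod, 16))


def parse_dump(text: str) -> Dict[str, Entry]:
    """Parse blank-line separated 'attr: value' blocks, keyed by dn."""
    entries: Dict[str, Entry] = {}
    for block in text.strip().split("\n\n"):
        attrs: Entry = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def divergent_attributes(a: Dict[str, Entry], b: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """(dn, attribute) pairs that differ although entryCSN is identical on both peers."""
    found = []
    for dn in sorted(set(a) & set(b)):
        if a[dn].get("entryCSN") != b[dn].get("entryCSN"):
            continue  # a pending change, not a silent divergence
        for attr in sorted((set(a[dn]) | set(b[dn])) - {"contextCSN"}):
            if sorted(a[dn].get(attr, [])) != sorted(b[dn].get(attr, [])):
                found.append((dn, attr))
    return found


def memberof_without_csn_bump(entries: Dict[str, Entry]) -> List[str]:
    """Users whose memberOf names a group with a newer entryCSN than their own."""
    stale = []
    for dn, attrs in entries.items():
        own = [CSN.parse(c) for c in attrs.get("entryCSN", [])]
        for group_dn in attrs.get("memberOf", []):
            group = entries.get(group_dn)
            if not own or not group:
                continue
            if any(CSN.parse(g) > own[0] for g in group.get("entryCSN", [])):
                stale.append(dn)
                break
    return stale


def uncovered_by_context(entries: Dict[str, Entry], suffix: str) -> List[str]:
    """DNs whose entryCSN has no contextCSN for its server ID, or is newer than it."""
    context = {c.sid: c for c in map(CSN.parse, entries[suffix].get("contextCSN", []))}
    ahead = []
    for dn, attrs in entries.items():
        for raw in attrs.get("entryCSN", []):
            csn = CSN.parse(raw)
            if csn.sid not in context or csn > context[csn.sid]:
                ahead.append(dn)
    return ahead


# Constructed sample data, taken from the dumps shown in the post.
LDAP1_DUMP = """
dn: dc=dom
entryCSN: 20091005145613.859492Z#000000#000#000000
contextCSN: 20091005184427.691751Z#000000#000#000000
contextCSN: 20091006133430.568898Z#000000#001#000000
contextCSN: 20091005194750.632855Z#000000#002#000000

dn: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.564578Z#000000#001#000000
memberOf: cn=testgroup1,ou=group,dc=dom

dn: cn=testgroup1,ou=group,dc=dom
member: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.568898Z#000000#001#000000
"""

LDAP2_DUMP = """
dn: dc=dom
entryCSN: 20091005145613.859492Z#000000#000#000000
contextCSN: 20091006133430.568898Z#000000#001#000000

dn: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.564578Z#000000#001#000000

dn: cn=testgroup1,ou=group,dc=dom
member: uid=testuser1,ou=people,dc=dom
entryCSN: 20091006133430.568898Z#000000#001#000000
"""

if __name__ == "__main__":
    ldap1, ldap2 = parse_dump(LDAP1_DUMP), parse_dump(LDAP2_DUMP)
    print("same entryCSN, different values:", divergent_attributes(ldap1, ldap2))
    print("memberOf set without entryCSN bump:", memberof_without_csn_bump(ldap1))
    print("ldap2 entryCSNs not covered by contextCSN:", uncovered_by_context(ldap2, "dc=dom"))
```

Run against full `slapcat` output of both peers the same script gives a quick answer to the question in the post: if the overlay's writes show up only as value differences under identical entryCSNs, syncrepl has nothing to carry them across, and each consumer either needs the overlay itself or memberOf must be treated as local, non-replicated data.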