
Re: CSN too old, ignoring - and therefore not syncing



On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
> Can you post your config somewhere?


# Global slapd settings (everything before the first "database" directive).

# Accept LDAPv2 bind requests in addition to LDAPv3.
allow bind_v2

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include		/etc/ldap/schema/samba.schema
include		/etc/ldap/schema/eduperson-200412.schema
include		/etc/ldap/schema/hdb.schema
include		/etc/ldap/schema/IWU.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Dynamically loaded backends and overlays. Every overlay named in an
# "overlay" directive further down (memberof, smbk5pwd, syncprov) is
# loaded here first.
modulepath	/usr/lib/ldap
moduleload	back_hdb
moduleload	back_monitor
moduleload	memberof
moduleload	syncprov
moduleload	smbk5pwd

# tool-threads: threads used by slapadd/slapindex; sizelimit: max entries
# returned per search; idletimeout: drop connections idle for 2 hours.
tool-threads 2
sizelimit 500
idletimeout 7200

# Server certificate/key and the CA used to validate peers.
TLSCACertificateFile /etc/ldap/ssl/IWU.crt
TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
# "allow": a client certificate is requested but not required, and a bad
# one is ignored rather than rejected - so client certs are not an
# authentication factor on this server.
TLSVerifyClient allow

# Security strength factor credited to ldapi:// (Unix socket) connections,
# so local peercred binds satisfy the "security" minimums below.
localSSF 160
# Minimum protection: any operation needs SSF>=1, updates need SSF>=128,
# simple (password) binds need SSF>=112 - in practice TLS or ldapi only.
security ssf=1 update_ssf=128 simple_bind=112
# Refuse SASL mechanisms that allow anonymous authentication.
sasl-secprops noanonymous

# Root DSE and subschema belong to the frontend rather than a database;
# both are readable by everyone.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# First database: the main directory, stored in Berkeley DB (HDB).
backend		hdb
database        hdb

# Overlays are stacked in the order listed.
overlay memberof
overlay smbk5pwd
overlay syncprov

# smbk5pwd: keep the Samba LM/NT hashes and the Kerberos (krb5) keys in
# step with userPassword changes. must-change 0 = no forced password
# expiry stamp is written.
smbk5pwd-enable samba
smbk5pwd-enable krb5
smbk5pwd-must-change 0

# syncprov: this database acts as a replication provider. Persist the
# contextCSN after 100 write ops or 10 minutes; keep a 200-operation
# in-memory session log so reconnecting consumers can catch up without
# a full refresh.
syncprov-checkpoint 100 10
syncprov-sessionlog 200
# NOTE(review): syncprov-nopresent TRUE skips the Present phase of a
# refresh. The slapo-syncprov manpage says it should only be TRUE for a
# syncprov instance on top of a log database (accesslog / delta-syncrepl),
# not on the main database as here - confirm this is intended.
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

suffix          "dc=iwu,dc=edu"

# rootdn bypasses every ACL of this database; its password is stored in
# this file, so the file must stay readable by the slapd user only.
rootdn          "cn=admin,dc=iwu,dc=edu"
rootpw		{redacted}

# Map the SASL/EXTERNAL identity of a local uid-0 process (peercred over
# ldapi://) to cn=ldapi; two regexes cover either ordering of the
# multi-valued peercred RDN.
# NOTE(review): the backslash + line break inside each quoted regex looks
# like mail-client wrapping; confirm the real file has each authz-regexp
# pattern on one line (slapd.conf only continues lines that start with
# whitespace, as the "cn=ldapi..." lines do).
authz-regexp "uidNumber=0\\\
+gidNumber=.*,cn=peercred,cn=external,cn=auth"
          	"cn=ldapi,dc=iwu,dc=edu"
authz-regexp "gidNumber=.*\\\
+uidNumber=0,cn=peercred,cn=external,cn=auth"
          	"cn=ldapi,dc=iwu,dc=edu"

# Map any other SASL identity "uid=X,cn=<realm or mech>,cn=auth" to the
# matching People entry. The middle component is "cn=.+", so the realm /
# mechanism is not constrained by this mapping.
authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"

directory       "/var/lib/ldap/"

# Berkeley DB tuning (written to DB_CONFIG): 60 MiB cache (0 GiB +
# 62914560 bytes, 1 segment) and lock-table sizes.
dbconfig set_cachesize 0 62914560 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

# Make sure to do a nightly slapcat
# DB_LOG_AUTOREMOVE deletes transaction logs once they are checkpointed,
# so older logs are not kept for catastrophic recovery - the nightly
# slapcat above is the backup.
dbconfig set_flags DB_LOG_AUTOREMOVE

# Attribute indexes. "index default" sets the indexes used by later index
# lines that omit a spec; every line here is explicit, so it has no effect
# as I read it. entryCSN and entryUUID are what syncrepl searches on, so
# they are indexed on this provider.
index   objectClass             eq,pres
index   default                 eq,sub,pres
index   mail                    eq,sub,pres
index   sn                      eq,sub,pres
index   cn                      eq,sub,pres
index   displayName             eq,sub,pres
index   gecos                   eq,sub,pres
index   uid                     eq,sub,pres
index   memberUid               eq,sub,pres
index   uidNumber               eq,pres
index   gidNumber               eq,pres
index   entryCSN                eq,pres
index   entryUUID               eq,pres
index   uniqueMember            eq,pres
index	userPassword		eq,pres
index   krb5PrincipalName       eq,pres
index   krb5PrincipalRealm      eq,pres
index   sambaDomainName         eq,pres
index   sambaSID                eq,pres
index   sambaPrimaryGroupSID    eq,pres
index	sambaSIDList		eq,pres

# Maintain the modifiersName/modifyTimestamp/entryCSN operational
# attributes automatically; syncrepl requires this.
lastmod         on

# BDB checkpoint every 256 KiB of log or every 15 minutes.
checkpoint      256 15

# Hash scheme for userPassword values set through the Password Modify
# extended operation; SSHA is salted SHA-1.
password-hash {SSHA}

# Service accounts exempt from the global size/time limits. cn=mirror in
# particular must not be truncated, since it is the replication consumer.
# NOTE(review): each "limits" directive is shown split over two lines with
# the second starting at column 0. slapd.conf only treats a line starting
# with whitespace as a continuation, so this is presumably mail wrapping -
# confirm the real file has each directive on one line.
limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited

# Database ACLs, evaluated top-down: the first "access to" whose target
# matches is used, and within it the first "by" clause matching the
# requester decides - unless that clause says "break", which continues
# evaluation at the next "access to".
# NOTE(review): several directives below are shown with continuation
# lines starting at column 0 (the attrs= lines and the wrapped by-clauses
# on the regex/Computers/Idmap/domain rules). slapd.conf only continues a
# line that starts with whitespace, so this is presumably mail wrapping.

# Service accounts get blanket access to the whole tree, including the
# credential attributes: ldapi/sambaadmin write, mirror/freeradius read
# (cn=mirror needs this to replicate password hashes). Everyone else
# falls through to the attribute-specific rules below.
access to dn.sub="dc=iwu,dc=edu"
	by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
	by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
	by dn.exact="cn=mirror,dc=iwu,dc=edu"  read
	by dn.exact="cn=freeradius,dc=iwu,dc=edu"  read
	by * break

# Credential attributes: usable for binding/compare ("auth") but never
# readable; writable by the entry owner and the password-manager account.
# The trailing "by * break" is unreachable, since every requester is
# either anonymous or an authenticated user and both are matched above it.
access to dn.sub="dc=iwu,dc=edu"
attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
        by anonymous auth
        by self write
        by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
	by users auth
        by * break

# The service-account entries themselves are invisible to everyone who
# reached this point (ldapi/sambaadmin/mirror/freeradius were already
# granted above). Binding as them still works because the credential rule
# above grants "auth" to anonymous before these rules are reached.
access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none

# Machine (trust) accounts - uid ending in "$" - computers, idmap, the
# Samba domain object and the Administrator/root accounts: only the entry
# itself may read it; nobody else (service accounts aside) sees them.
access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by *
none
access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read
by * none
access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self
read by * none
access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by *
none

# Entries whose RDN is a krb5PrincipalName (presumably Kerberos service
# principals - TODO confirm): self read only.
access to
dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self
read by * none

# Contact / personal data: owner may edit, authenticated users may read,
# anonymous gets nothing, everything else falls through.
access to dn.sub="dc=iwu,dc=edu"
attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
   by self write
   by users read
   by anonymous none
   by * break

# Kerberos principal metadata: hidden from anonymous. Any other
# authenticated user hits "by * break" and then the final "by * read"
# below, so "by self read" only restricts anything if a later rule
# narrows these attributes - confirm that is the intent.
access to dn.sub="dc=iwu,dc=edu"
attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
    by self read
    by anonymous none
    by * break

# SIDs and RID allocation state: readable/writable by nobody except the
# service accounts granted in the first rule.
access to dn.sub="dc=iwu,dc=edu"
attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
    by * none

# Samba account/password-policy attributes: same shape as the krb5 rule,
# so authenticated users other than self also end up at "by * read".
# NOTE(review): sambaPasswordHistory is in this list rather than in the
# credential rule above; if it holds old password hashes it is readable by
# every authenticated user via the catch-all, and probably belongs with
# userPassword/sambaNTPassword instead.
access to dn.sub="dc=iwu,dc=edu"
attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
    by self read
    by anonymous none
    by * break

# Catch-all: everything not narrowed above is readable by anyone,
# anonymous included (the global "security ssf=1" still forces TLS or
# ldapi before any operation is accepted).
access to dn.sub="dc=iwu,dc=edu" by * read

# Multi-master replication. This host is server 1; the peer (ldap2) is
# pulled via syncrepl rid=2. The serverID is embedded in every CSN this
# host generates (the "#001" field of the cookies quoted in the thread
# below), so each master must have a distinct value.
serverID 1

# Consumer side of the link to ldap2 (persistent search, simple bind as
# cn=mirror over StartTLS). Review notes on the parameters:
#  - starttls=yes falls back to a clear connection if StartTLS fails, and
#    tls_reqcert=try accepts a provider that presents no certificate at all
#    (a bad certificate is still rejected). Since the cn=mirror password
#    travels over this link, starttls=critical and tls_reqcert=demand are
#    the safer settings; the peer's own simple_bind=112 would reject a
#    clear bind if it is configured like this host - TODO confirm.
#  - interval= is only honoured for type=refreshOnly; with
#    refreshAndPersist it is ignored. retry="15 +" reconnects every 15 s
#    indefinitely.
#  - timeout=1 gives the provider connection a one-second timeout, which
#    is aggressive for a persistent search; worth checking it is not
#    causing repeated reconnects.
syncrepl rid=2
         provider=ldap://ldap2.iwu.edu/
         schemachecking=off
         searchbase="dc=iwu,dc=edu"
         scope=sub
         type=refreshAndPersist 
         binddn="cn=mirror,dc=iwu,dc=edu"
         credentials={redacted}
         bindmethod=simple
         starttls=yes
         tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
         tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
         tls_cacert=/etc/ldap/ssl/IWU.crt
         tls_reqcert=try
         interval=00:00:00:30
         retry="15 +"
         timeout=1
         timelimit=unlimited
         sizelimit=unlimited

# Accept client writes on this replica as well as updates from the
# syncrepl link (multi-master).
mirrormode on

###############################
# cn=Monitor backend: server statistics, exposed to cn=admin only. Note
# that cn=admin is the rootdn of the hdb database, not of this one, so
# these ACLs do apply to it.
database monitor
# NOTE(review): this limits directive is shown wrapped onto a second line
# starting at column 0; slapd.conf only continues a line that starts with
# whitespace, so confirm the real file has it on one line.
limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
time.hard=unlimited size.soft=unlimited time.soft=unlimited

# The dn.subtree rule below already covers cn=Monitor itself, so this
# dn.exact rule is redundant but harmless.
access to dn.exact="cn=Monitor"
	by dn.exact="cn=admin,dc=iwu,dc=edu" read
	by * none

access to dn.subtree="cn=Monitor"
	by dn.exact="cn=admin,dc=iwu,dc=edu" read
	by * none


> 
> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
> > Here is the quick and dirty what I am trying to do:
> >
> > ldap1 and ldap2 are supposed to be in MultiMaster.  They are time synced
> > to pool.ntp.org and each other (if they drift I would rather they sorta
> > drift together, but pool should be keeping that in check).
> >
> > Right now I am just beating them up to see how 2.4.13 performs. (So far
> > VERY well, minus this little problem)
> >
> > I have a rather small ldif (41 entries) that just won't sync (I'm
> > starting small).  Debug gives me
> >
> > ber_scanf fmt (m}) ber:
> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
> >   0000:  00 3c 72 69 64 3d 30 30  31 2c 73 69 64 3d 30
> > 30   .<rid=001,sid=00
> >   0010:  32 2c 63 73 6e 3d 32 30  30 38 31 32 32 32 31 37
> > 2,csn=2008122217
> >   0020:  34 37 32 31 2e 38 35 35  39 30 34 5a 23 30 30 30
> > 4721.855904Z#000
> >   0030:  30 30 30 23 30 30 31 23  30 30 30 30 30 30
> > 000#001#000000
> > do_syncrep2:
> > cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
> > do_syncrep2: rid=001 CSN too old, ignoring
> > 20081222174721.855904Z#000000#001#000000
> > ldap_msgfree
> >
> > I am not exactly sure how it got to be "too old."  The ldif I am
> > importing is not the result of a slapcat or anything that would preserve
> > the CSN or UUID attributes (not that syncrepl uses UUID). I am loading
> > one single file with ldapadd which, in my understanding, sets up the CSN
> > and wouldn't let me import one anyway.
> >
> > Each server has no entries until I load the one, so there shouldn't be
> > any weird stale CSNs causing this.  They are "sync'ed" almost instantly
> > after the one system is loaded - I just don't have everything.
> >
> > After a sync:
> > ldap1 - slapcat |grep dn: |wc -l = 41
> > ldap2 - slapcat |grep dn: |wc -l = 18
> >
> > Right now I can get them in sync with a slapcat/slapadd, but when they go
> > into production I won't be able to say for certain which one is
> > authoritative.  That is the purpose of multi-master....
> >
> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
> >
> > Any ideas as to what I can do to stop this from happening?
> >
> > Pat
> >
> >
> >
> >
>