[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CSN too old, ignoring - and therefore not syncing



Do us a favour and start a new thread with all this info in one email.
It's annoying to put this all together over your two emails and
burried in another thread.

It will help others this way too.

Thanks.

On 24/12/2008, Adrien Futschik <adrien.futschik@atosorigin.com> wrote:
> You're right I might have forgotten the most essential :)
>
> You'll find in attachment the script I'm using to set up the replication
> (modified version of test050-syncrepl-multimaster).
>
> Here is the config :
> initialization of m1 :
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: ${PASSWD}
>
> initialization of m2 :
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 2
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: ${PASSWD}
>
> syncprov overlay on m1 :
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1 $URI1
> olcServerID: 2 $URI2
>
> dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
>   credentials=secret searchbase="cn=config" type=refreshAndPersist
>   retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
>   credentials=secret searchbase="cn=config" type=refreshAndPersist
>   retry="5 5 300 5" timeout=3
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
>
> syncrepl on m2:
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
>   credentials=secret searchbase="cn=config" type=refreshAndPersist
>   retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
>   credentials=secret searchbase="cn=config" type=refreshAndPersist
>   retry="5 5 300 5" timeout=3
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
> schema on m1:
> include: file://$ABS_SCHEMADIR/core.ldif
> include: file://$ABS_SCHEMADIR/cosine.ldif
> include: file://$ABS_SCHEMADIR/inetorgperson.ldif
> include: file://$ABS_SCHEMADIR/openldap.ldif
> include: file://$ABS_SCHEMADIR/nis.ldif
> include: file://$ABS_SCHEMADIR/corba.ldif
> include: file://$ABS_SCHEMADIR/java.ldif
> include: file://$ABS_SCHEMADIR/misc.ldif
> include: file://$ABS_SCHEMADIR/nds.ldif
> include: file://$ABS_SCHEMADIR/dit.ldif
>
> database en m1:
> dn: olcDatabase={1}$BACKEND,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olc${BACKEND}Config
> olcDatabase: {1}$BACKEND
> olcSuffix: $BASEDN
> olcDbDirectory: ./openldap-data
> olcRootDN: $MANAGERDN
> olcRootPW: ${PASSWD}
> olcDbIndex: default pres,eq
> olcDbIndex: cn,sn pres,eq,sub
> olcDbIndex: objectClass,seeAlso,entryUUID eq
> olcDbIndex: mail,givenName,uid pres,eq,sub
> olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
>   credentials=secret searchbase="$BASEDN" type=refreshOnly
>   interval=$INTERVAL retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
>   credentials=secret searchbase="$BASEDN" type=refreshOnly
>   interval=$INTERVAL retry="5 5 300 5" timeout=3
> olcMirrorMode: TRUE
>
> dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> After that I populate m1 with attached arbre.ldif.
>
> Thanks in advance.
>
> Adrien
>
> ========================================
>  Message date : Dec 24 2008, 03:23 PM
>  From : "Gavin Henry" <gavin.henry@gmail.com>
>  To : adrien.futschik@atosorigin.com, openldap-technical@openldap.org
>  Copy to :
>  Subject : Re: CSN too old, ignoring - and therefore not syncing
>
>  Config?
>
>  On 24/12/2008, Adrien Futschik <adrien.futschik@atosorigin.com> wrote:
>  > I'm facing a similar problem.
>  > I'm testing N-way multimaster replication with OpenLDAP 2.4.13.
>  >
>  > I'm able to successfully import data into an instance and have my two
>  > masters to sync correctly but then when I try to add a new entry in one
> of
>  > the two masters, I'm getting strange messages :
>  >
>  > let's say we have m1 & m2 (m1 & m2 are on the same server):
>  > I initial import data into m1, it is successfully imported into m2 (at
> least
>  > it looks like it).
>  > Then I'm trying to add an entry on m2
>  > (cn=adrien-externe.futschik@edfgdf.fr,ou=personnes,o=edfgdf,c=fr). I'm
>  > getting strange message on m1 & m2 :
>  >
>  > m1 log :(repetitively)
>  > [...]
>  > Entry ou=administrateurs,o=gazdefrance,c=fr CSN
>  > 20081224125950.481561Z#000000#001#000000 older or equal to ctx
>  > 20081224125950.481561Z#000000#001#000000
>  > Entry cn=adrien-externe.futschik@edfgdf.fr,ou=personnes,o=edfgdf,c=fr
>  > changed by peer, ignored
>  > syncprov_search_response:
>  >
> cookie=rid=004,sid=002,csn=20081224125950.481561Z#000000#001#000000;20081224130148.522455Z#000000#002#000000
>  > do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT
>  > [...]
>  >
>  >
>  > m2 log : (repetitively)
>  > [...]
>  > master where I added an entry :
>  > do_syncrep2: rid=004 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
>  > do_syncrep2: rid=004 LDAP_RES_SEARCH_RESULT
>  > do_syncrep2:
>  >
> cookie=rid=004,sid=002,csn=20081224125950.481561Z#000000#001#000000;20081224130148.522455Z#000000#002#000000
>  > [...]
>  >
>  > Is this a bug ? Am-I doing something wrong ?
>  >
>  > If I add the same entry to m1 and not m2 I get the following messages :
>  >
>  > on m2 :
>  > syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>  > syncrepl_entry: rid=004 be_search (0)
>  > syncrepl_entry: rid=004
>  > cn=adrien-externe.futschik@edfgdf.fr,ou=personnes,o=edfgdf,c=fr
>  > <= bdb_equality_candidates: (entryCSN) not indexed
>  > <= bdb_inequality_candidates: (entryCSN) not indexed
>  > <= bdb_inequality_candidates: (entryCSN) not indexed
>  > syncprov_search_response:
>  > cookie=rid=005,sid=001,csn=20081224132158.749532Z#000000#001#000000
>  > syncrepl_entry: rid=004 be_add (0)
>  > do_syncrep2: rid=004 LDAP_RES_SEARCH_RESULT
>  > do_syncrep2:
>  > cookie=rid=004,sid=002,csn=20081224132238.790862Z#000000#001#000000
>  > <= bdb_inequality_candidates: (entryCSN) not indexed
>  > nonpresent_callback: rid=004 present UUID
>  > 96268508-6609-102d-9d8e-9742e72db399, dn c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962af700-6609-102d-9d8f-9742e72db399, dn o=edfgdf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962bd698-6609-102d-9d90-9742e72db399, dn ou=personnes,o=edfgdf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962c00b4-6609-102d-9d91-9742e72db399, dn ou=appli,o=edfgdf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962c2634-6609-102d-9d92-9742e72db399, dn ou=groupes,o=edfgdf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962ca492-6609-102d-9d93-9742e72db399, dn ou=administrateurs,o=edfgdf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962cce90-6609-102d-9d94-9742e72db399, dn o=edf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962d7138-6609-102d-9d95-9742e72db399, dn ou=personnes,o=edf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962d96f4-6609-102d-9d96-9742e72db399, dn ou=appli,o=edf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962deafa-6609-102d-9d97-9742e72db399, dn ou=groupes,o=edf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962ef026-6609-102d-9d98-9742e72db399, dn ou=administrateurs,o=edf,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962f156a-6609-102d-9d99-9742e72db399, dn o=gazdefrance,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962fca8c-6609-102d-9d9a-9742e72db399, dn ou=personnes,o=gazdefrance,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 962fef76-6609-102d-9d9b-9742e72db399, dn ou=appli,o=gazdefrance,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 9630106e-6609-102d-9d9c-9742e72db399, dn ou=groupes,o=gazdefrance,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > 9630bfa0-6609-102d-9d9d-9742e72db399, dn
>  > ou=administrateurs,o=gazdefrance,c=fr
>  > nonpresent_callback: rid=004 present UUID
>  > ae0e93d6-6609-102d-9d9e-9742e72db399, dn
>  > cn=adrien-externe.futschik@edfgdf.fr,ou=personnes,o=edfgdf,c=fr
>  > slap_queue_csn: queing 0x843fef0 20081224132238.790862Z#000000#001#000000
>  > slap_graduate_commit_csn: removing 0x83d6410
>  > 20081224132238.790862Z#000000#001#000000
>  >
>  > on m1 :
>  > slap_queue_csn: queing 0x1df3860 20081224132238.790862Z#000000#001#000000
>  > slap_graduate_commit_csn: removing 0x9703700
>  > 20081224132238.790862Z#000000#001#000000
>  > <= bdb_equality_candidates: (entryCSN) not indexed
>  > <= bdb_inequality_candidates: (entryCSN) not indexed
>  > Entry ou=administrateurs,o=gazdefrance,c=fr CSN
>  > 20081224132158.749532Z#000000#001#000000 older or equal to ctx
>  > 20081224132158.749532Z#000000#001#000000
>  > syncprov_search_response:
>  > cookie=rid=004,sid=002,csn=20081224132238.790862Z#000000#001#000000
>  > do_syncrep2: rid=005 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
>  > do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT
>  > do_syncrep2:
>  > cookie=rid=005,sid=001,csn=20081224132158.749532Z#000000#001#000000
>  >
>  > Here is the entry I'm adding :
>  >
>  > dn: cn=adrien-externe.futschik@edfgdf.fr,ou=personnes,o=edfgdf, c=fr
>  > objectclass: top
>  > objectclass: person
>  > objectclass: organizationalPerson
>  > objectclass: inetorgPerson
>  > objectclass: ditPerson
>  > cn: adrien-externe.futschik@edfgdf.fr
>  > sn: Futschik
>  > givenName: Adrien
>  > uid: adrien-externe.futschik@edfgdf.fr
>  > mail: adrien-externe.futschik@edfgdf.fr
>  > telephonenumber: 0123456789
>  > userpassword: {SSHA}GuU6CMRoOxp9EA1ANafzuRUXADKlBA0r
>  > allowedServices: appli20
>  >
>  > pretty simple isn't it ? What's going wrong ?
>  >
>  > Adrien
>  >
>  > ========================================
>  >  Message date : Dec 23 2008, 07:39 PM
>  >  From : "Gavin Henry" <gavin.henry@gmail.com>
>  >  To : openldap-technical@openldap.org
>  >  Copy to :
>  >  Subject : Fwd: CSN too old, ignoring - and therefore not syncing
>  >
>  >  ---------- Forwarded message ----------
>  >  From: Pat Riehecky <prieheck@iwu.edu>
>  >  Date: Tue, 23 Dec 2008 12:34:33 -0600
>  >  Subject: Re: CSN too old, ignoring - and therefore not syncing
>  >  To: Gavin Henry <gavin.henry@gmail.com>
>  >
>  >  On Tue, 2008-12-23 at 18:28 +0000, Gavin Henry wrote:
>  >  > Where did you read that those were needed anyway? If it was the admin
>  >  > guide then I need to fix it ;-)
>  >  >
>  >  > Gavin.
>  >
>  >  I have no idea where I found those at... I know it wasn't the (recent)
>  >  admin guide.  It may have been from around the 2.4.8 release, but that
>  >  is long gone...
>  >
>  >  Pat
>  >
>  >  >
>  >  > On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>  >  > > On Tue, 2008-12-23 at 15:55 +0000, Gavin Henry wrote:
>  >  > >> Try dropping nopresent and reloadhint relating to ITS5669. You only
>  >  > >> need these two syncprov settings on an accesslog db.
>  >  > >>
>  >  > >> Gavin.
>  >  > >
>  >  > > Thanks, that did the job!
>  >  > >
>  >  > > Pat
>  >  > >
>  >  > >>
>  >  > >> On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>  >  > >> > On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
>  >  > >> >> Can you post your config somewhere?
>  >  > >> >
>  >  > >> >
>  >  > >> > allow bind_v2
>  >  > >> >
>  >  > >> > include         /etc/ldap/schema/core.schema
>  >  > >> > include         /etc/ldap/schema/cosine.schema
>  >  > >> > include         /etc/ldap/schema/nis.schema
>  >  > >> > include         /etc/ldap/schema/inetorgperson.schema
>  >  > >> > include		/etc/ldap/schema/samba.schema
>  >  > >> > include		/etc/ldap/schema/eduperson-200412.schema
>  >  > >> > include		/etc/ldap/schema/hdb.schema
>  >  > >> > include		/etc/ldap/schema/IWU.schema
>  >  > >> >
>  >  > >> > pidfile         /var/run/slapd/slapd.pid
>  >  > >> > argsfile        /var/run/slapd/slapd.args
>  >  > >> >
>  >  > >> > modulepath	/usr/lib/ldap
>  >  > >> > moduleload	back_hdb
>  >  > >> > moduleload	back_monitor
>  >  > >> > moduleload	memberof
>  >  > >> > moduleload	syncprov
>  >  > >> > moduleload	smbk5pwd
>  >  > >> >
>  >  > >> > tool-threads 2
>  >  > >> > sizelimit 500
>  >  > >> > idletimeout 7200
>  >  > >> >
>  >  > >> > TLSCACertificateFile /etc/ldap/ssl/IWU.crt
>  >  > >> > TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
>  >  > >> > TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
>  >  > >> > TLSVerifyClient allow
>  >  > >> >
>  >  > >> > localSSF 160
>  >  > >> > security ssf=1 update_ssf=128 simple_bind=112
>  >  > >> > sasl-secprops noanonymous
>  >  > >> >
>  >  > >> > access to dn.base="" by * read
>  >  > >> > access to dn.base="cn=Subschema" by * read
>  >  > >> >
>  >  > >> > backend		hdb
>  >  > >> > database        hdb
>  >  > >> >
>  >  > >> > overlay memberof
>  >  > >> > overlay smbk5pwd
>  >  > >> > overlay syncprov
>  >  > >> >
>  >  > >> > smbk5pwd-enable samba
>  >  > >> > smbk5pwd-enable krb5
>  >  > >> > smbk5pwd-must-change 0
>  >  > >> >
>  >  > >> > syncprov-checkpoint 100 10
>  >  > >> > syncprov-sessionlog 200
>  >  > >> > syncprov-nopresent TRUE
>  >  > >> > syncprov-reloadhint TRUE
>  >  > >> >
>  >  > >> > suffix          "dc=iwu,dc=edu"
>  >  > >> >
>  >  > >> > rootdn          "cn=admin,dc=iwu,dc=edu"
>  >  > >> > rootpw		{redacted}
>  >  > >> >
>  >  > >> > authz-regexp "uidNumber=0\\\
>  >  > >> > +gidNumber=.*,cn=peercred,cn=external,cn=auth"
>  >  > >> >           	"cn=ldapi,dc=iwu,dc=edu"
>  >  > >> > authz-regexp "gidNumber=.*\\\
>  >  > >> > +uidNumber=0,cn=peercred,cn=external,cn=auth"
>  >  > >> >           	"cn=ldapi,dc=iwu,dc=edu"
>  >  > >> >
>  >  > >> > authz-regexp "uid=(.+),cn=.+,cn=auth"
>  > "uid=$1,ou=People,dc=iwu,dc=edu"
>  >  > >> >
>  >  > >> > directory       "/var/lib/ldap/"
>  >  > >> >
>  >  > >> > dbconfig set_cachesize 0 62914560 0
>  >  > >> > dbconfig set_lk_max_objects 1500
>  >  > >> > dbconfig set_lk_max_locks 1500
>  >  > >> > dbconfig set_lk_max_lockers 1500
>  >  > >> >
>  >  > >> > # Make sure to do a nightly slapcat
>  >  > >> > dbconfig set_flags DB_LOG_AUTOREMOVE
>  >  > >> >
>  >  > >> > index   objectClass             eq,pres
>  >  > >> > index   default                 eq,sub,pres
>  >  > >> > index   mail                    eq,sub,pres
>  >  > >> > index   sn                      eq,sub,pres
>  >  > >> > index   cn                      eq,sub,pres
>  >  > >> > index   displayName             eq,sub,pres
>  >  > >> > index   gecos                   eq,sub,pres
>  >  > >> > index   uid                     eq,sub,pres
>  >  > >> > index   memberUid               eq,sub,pres
>  >  > >> > index   uidNumber               eq,pres
>  >  > >> > index   gidNumber               eq,pres
>  >  > >> > index   entryCSN                eq,pres
>  >  > >> > index   entryUUID               eq,pres
>  >  > >> > index   uniqueMember            eq,pres
>  >  > >> > index	userPassword		eq,pres
>  >  > >> > index   krb5PrincipalName       eq,pres
>  >  > >> > index   krb5PrincipalRealm      eq,pres
>  >  > >> > index   sambaDomainName         eq,pres
>  >  > >> > index   sambaSID                eq,pres
>  >  > >> > index   sambaPrimaryGroupSID    eq,pres
>  >  > >> > index	sambaSIDList		eq,pres
>  >  > >> >
>  >  > >> > lastmod         on
>  >  > >> >
>  >  > >> > checkpoint      256 15
>  >  > >> >
>  >  > >> > password-hash {SSHA}
>  >  > >> >
>  >  > >> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> > limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> > limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> > limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> > limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> > 	by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
>  >  > >> > 	by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
>  >  > >> > 	by dn.exact="cn=mirror,dc=iwu,dc=edu"  read
>  >  > >> > 	by dn.exact="cn=freeradius,dc=iwu,dc=edu"  read
>  >  > >> > 	by * break
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> >
>  >
> attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
>  >  > >> >         by anonymous auth
>  >  > >> >         by self write
>  >  > >> >         by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
>  >  > >> > 	by users auth
>  >  > >> >         by * break
>  >  > >> >
>  >  > >> > access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
>  >  > >> > access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
>  >  > >> > access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
>  >  > >> > access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
>  >  > >> > access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
>  >  > >> > access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
>  >  > >> >
>  >  > >> > access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self
> read
>  > by *
>  >  > >> > none
>  >  > >> > access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by *
> none
>  >  > >> > access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
>  >  > >> > access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by
> self
>  > read
>  >  > >> > by * none
>  >  > >> > access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by
>  > self
>  >  > >> > read by * none
>  >  > >> > access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self
> read
>  > by *
>  >  > >> > none
>  >  > >> >
>  >  > >> > access to
>  >  > >> > dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu"
> by
>  > self
>  >  > >> > read by * none
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> >
>  >
> attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
>  >  > >> >    by self write
>  >  > >> >    by users read
>  >  > >> >    by anonymous none
>  >  > >> >    by * break
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> >
>  >
> attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
>  >  > >> >     by self read
>  >  > >> >     by anonymous none
>  >  > >> >     by * break
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> >
>  > attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
>  >  > >> >     by * none
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu"
>  >  > >> >
>  >
> attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
>  >  > >> >     by self read
>  >  > >> >     by anonymous none
>  >  > >> >     by * break
>  >  > >> >
>  >  > >> > access to dn.sub="dc=iwu,dc=edu" by * read
>  >  > >> >
>  >  > >> > serverID 1
>  >  > >> >
>  >  > >> > syncrepl rid=2
>  >  > >> >          provider=ldap://ldap2.iwu.edu/
>  >  > >> >          schemachecking=off
>  >  > >> >          searchbase="dc=iwu,dc=edu"
>  >  > >> >          scope=sub
>  >  > >> >          type=refreshAndPersist
>  >  > >> >          binddn="cn=mirror,dc=iwu,dc=edu"
>  >  > >> >          credentials={redacted}
>  >  > >> >          bindmethod=simple
>  >  > >> >          starttls=yes
>  >  > >> >          tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
>  >  > >> >          tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
>  >  > >> >          tls_cacert=/etc/ldap/ssl/IWU.crt
>  >  > >> >          tls_reqcert=try
>  >  > >> >          interval=00:00:00:30
>  >  > >> >          retry="15 +"
>  >  > >> >          timeout=1
>  >  > >> >          timelimit=unlimited
>  >  > >> >          sizelimit=unlimited
>  >  > >> >
>  >  > >> > mirrormode on
>  >  > >> >
>  >  > >> > ###############################
>  >  > >> > database monitor
>  >  > >> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
>  >  > >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>  >  > >> >
>  >  > >> > access to dn.exact="cn=Monitor"
>  >  > >> > 	by dn.exact="cn=admin,dc=iwu,dc=edu" read
>  >  > >> > 	by * none
>  >  > >> >
>  >  > >> > access to dn.subtree="cn=Monitor"
>  >  > >> > 	by dn.exact="cn=admin,dc=iwu,dc=edu" read
>  >  > >> > 	by * none
>  >  > >> >
>  >  > >> >
>  >  > >> >>
>  >  > >> >> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>  >  > >> >> > Here is the quick and dirty what I am trying to do:
>  >  > >> >> >
>  >  > >> >> > ldap1 and ldap2 are supposed to be in MultiMaster.  They are
> time
>  >  > >> >> > synced
>  >  > >> >> > to pool.ntp.org and each other (if they drift I would rather
> they
>  >  > >> >> > sorta
>  >  > >> >> > drift together, but pool should be keeping that in check).
>  >  > >> >> >
>  >  > >> >> > Right now I am just beating them up to see how 2.4.13
> performs.
>  > (So
>  >  > >> >> > far
>  >  > >> >> > VERY well, minus this little problem)
>  >  > >> >> >
>  >  > >> >> > I have a rather small ldif (41 entries) that just wont sync
> (I'm
>  >  > >> >> > starting small).  Debug gives me
>  >  > >> >> >
>  >  > >> >> > ber_scanf fmt (m}) ber:
>  >  > >> >> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
>  >  > >> >> >   0000:  00 3c 72 69 64 3d 30 30  31 2c 73 69 64 3d 30
>  >  > >> >> > 30   .<rid=001,sid=00
>  >  > >> >> >   0010:  32 2c 63 73 6e 3d 32 30  30 38 31 32 32 32 31 37
>  >  > >> >> > 2,csn=2008122217
>  >  > >> >> >   0020:  34 37 32 31 2e 38 35 35  39 30 34 5a 23 30 30 30
>  >  > >> >> > 4721.855904Z#000
>  >  > >> >> >   0030:  30 30 30 23 30 30 31 23  30 30 30 30 30 30
>  >  > >> >> > 000#001#000000
>  >  > >> >> > do_syncrep2:
>  >  > >> >> >
>  > cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
>  >  > >> >> > do_syncrep2: rid=001 CSN too old, ignoring
>  >  > >> >> > 20081222174721.855904Z#000000#001#000000
>  >  > >> >> > ldap_msgfree
>  >  > >> >> >
>  >  > >> >> > I am not exactly sure how it gotten to be "too old."  The ldif
> I
>  > am
>  >  > >> >> > importing is not the result of a slapcat or anything that
> would
>  >  > >> >> > preserve
>  >  > >> >> > the CSN or UUID attributes (not that syncrepl uses UUID). I am
>  >  > >> >> > loading
>  >  > >> >> > one single file with ldapadd which, in my understanding, sets
> up
>  > the
>  >  > >> >> > CSN
>  >  > >> >> > and wouldn't let me import one anyway.
>  >  > >> >> >
>  >  > >> >> > Each server has no entries until I load the one, so there
>  > shouldn't
>  >  > >> >> > be
>  >  > >> >> > any weird stale CSNs causing this.  They are "sync'ed" almost
>  >  > >> >> > instantly
>  >  > >> >> > after the one system is loaded - I just don't have everything.
>  >  > >> >> >
>  >  > >> >> > After a sync:
>  >  > >> >> > ldap1 - slapcat |grep dn: |wc -l = 41
>  >  > >> >> > ldap2 - slapcat |grep dn: |wc -l = 18
>  >  > >> >> >
>  >  > >> >> > Right now I can get them in sync with a slapcat/slapadd, but
> when
>  > the
>  >  > >> >> > go
>  >  > >> >> > into production I wont be able to say for certain which one is
>  >  > >> >> > authoritative.  That is the purpose of multi-master....
>  >  > >> >> >
>  >  > >> >> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu
> Linux
>  > 32
>  >  > >> >> > bit
>  >  > >> >> >
>  >  > >> >> > Any ideas as to what I can do to stop this from happening?
>  >  > >> >> >
>  >  > >> >> > Pat
>  >  > >> >> >
>  >  > >> >> >
>  >  > >> >> >
>  >  > >> >> >
>  >  > >> >>
>  >  > >> >
>  >  > >> >
>  >  > >>
>  >  > >
>  >  > >
>  >  >
>  >
>  >
>  >  --
>  >  Sent from my mobile device
>  >
>  >  http://www.suretecsystems.com/services/openldap/
>  >
>  >
>  >
>  >
>  > Adrien Futschik
>  >
>
>  --
>  Sent from my mobile device
>
>  http://www.suretecsystems.com/services/openldap/
>
>
>
>
> Adrien Futschik

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/