[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap clients cant connect to replica after failure

On 09/11/2009 14:33, Scott Behrens wrote:

The client pointing to the replica is a 3rd host also running centOS.
OpenLDAP 2.3.43.  I can pretty much narrow down the issue to
configuration, our network/server config side is pretty
straightforward.

I turned the logging to 256 on the replica, I pointed my client using
authconfig to the replica.


su - ldapuser


Just hangs, in the logs on replica:

Nov  9 02:25:48 mnetmgt2 slapd[30963]: slapd shutdown: initiated
Nov  9 02:25:48 mnetmgt2 slapd[30963]: ====>  bdb_cache_release_all
Nov  9 02:25:48 mnetmgt2 slapd[30963]: slapd destroy: freeing system resources.
Nov  9 02:25:48 mnetmgt2 slapd[30963]: slapd stopped.
Nov  9 02:25:48 mnetmgt2 slapd[15086]: @(#) $OpenLDAP: slapd 2.3.43
(Jan 21 2009 03:59:37) $
mockbuild@builder10.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
Nov  9 02:25:48 mnetmgt2 slapd[15087]: slapd starting
This log just shows slapd being shut down and restarted. Nothing connection related - did you restart slapd after changing the loglevel in slapd.conf? Without more logs, it's hard to tell what's going on.
A good test would be to use ldapsearch directly to interrogate your two servers. This will help determine whether the problem is coming from your LDAP server(s) or your system authentication settings. 

Hope this helps,
Jonathan



If I point it back to the primary, it works fine.  Here are the slapd
files, they look correct based on what I read in the documentation.


Primary Slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema


# DATABASE CONFIG
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHA}somepassword

directory       /var/lib/ldap

index entryCSN,entryUUID eq,pres
index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres
#index sudoUser eq,sub

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
loglevel 1

# Performance tuning directives
sizelimit 5000
threads 16
idletimeout 14400
cachesize 10000
checkpoint 256 15
password-hash {SSHA}


Replica slapd.conf file:

nclude /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/solaris.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/duaconf.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# DATABASE CONFIG
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHAsomehash

index entryCSN,entryUUID eq,pres
directory       /var/lib/ldap
loglevel 256

syncrepl      rid=001
                      provider=ldap://10.10.1.91
                      interval=00:05:00:00
                      bindmethod=simple
                      scope=sub
                      filter="(objectClass=organizationalPerson)"
                      attrs="cn,sn,ou,telephoneNumber,title,l"
                      searchbase="dc=matlock,dc=com"
                      binddn="cn=proxyagent,ou=profile,dc=matlock,dc=com"
                      credentials="abc123"
                      schemachecking=off
                      type=refreshAndPersist
                      retry="60 +"



# Indices to maintain

index objectClass,uid,uidNumber,gidNumber,ou eq
index cn,mail,surname,givenname eq,subinitial
index memberUid eq
index nisDomain eq
index uniqueMember pres


# Performance tuning directives
sizelimit 5000
threads 16
idletimeout 14400
cachesize 10000
checkpoint 256 15
password-hash {SSHA}


On Mon, Nov 9, 2009 at 3:16 AM, Jonathan Clarke<jonathan@phillipoux.net>  wrote:

On 06/11/2009 15:31, Scott Behrens wrote:


Hello,

I am running 2 hosts CentOS release 5.3 (Final) with kernel
2.6.18-164.el5l.

One box is the provider and the other is a consumer using syncrepl.
When the primary goes down, I can perform searches against the domain
from the replica so I know the replica has replicated the data (when I
stop both hosts I can't preform the search obviously).  When I point a
client to the replica, I get a timeout when trying to perform searches
or pull data.  ldap_bind: Can't contact LDAP server (-1).

Any ideas?  I will provide more information if needed.


Hi,

Which client are you pointing to the replica? ldapsearch? And what version
of OpenLDAP are you running?

This is a pretty vague error, many things could be the cause: bad client
setup, network problems, server problems...

I suggest you check out the logs from the server you're trying to connect
to, having previously set them to include "stats" (level 256).

Hope this helps,
Jonathan