[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: a newbie trying to get the basics of syncrepl going



On 25/02/2010 13:17, Seger, Mark wrote:


-----Original Message----- From: Jonathan Clarke
[mailto:jonathan@phillipoux.net] Sent: Thursday, February 25, 2010
6:00 AM To: Seger, Mark Cc: openldap-technical@openldap.org
Subject: Re: a newbie trying to get the basics of syncrepl going

On 23/02/2010 22:26, Seger, Mark wrote:
I’m an admitted ldap lightweight but have been able to bring up
an
ldap
server and populate it with the contents of my /etc/passwd file.
Now I want to set up a replica on another machine using sync
replication and am having a few issues getting it to work. My
most recent success was getting simple authentication working
because before it was failing
and
now it’s not so I’ve at least gotten that far. Here’s what my
replication section looks like in ldap.conf:

syncrepl rid=123

provider=ldap://10.99.99.99:389

type=refreshOnly

interval=01:00:00:00

searchbase="dc=myldap,dc=com"

filter="(objectClass=account)"

scope=sub

schemachecking=off

updatedn="cn=replica,dc=myldap,dc=com"

bindmethod=simple

binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"

credentials=Something

I’m pretty sure I have the search parameters set correctly
because if
I run:

ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid

it dumps all my uids.

The part I’m on clear on is how to define things on the slave
side.
For
example I have the main part of the conf set the same on the
master, just to make things easy on me and so I have the
following which is exactly how I have the master set up.

database bdb

suffix "dc=myldap,dc=com"

rootdn "cn=Manager,dc=myldap,dc=com"

rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R

directory /var/lib/ldap

I’m guessing my problem may be with
updatedn="cn=replica,dc=myldap,dc=com", but I’m not sure what it
should
be and whether or not I have to prime the replica with any
special authentication to be able to write to it.

If I run “ldapsearch -x -b 'dc=myldap,dc=com'” against the
replica it comes up empty so I’m sure nothing is getting
replicated. Further if I run the slave slapd with –d128 I get:

[root@hpdc3dmgt1 ~]# slapd -d 128

@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $

brewbuilder@hs20-bc1-
5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-
2.3.43/build-servers/servers/slapd

slapd starting

request done: ld 0x2ac52b507c70 msgid 1

=>  bdb_entry_get: cannot find entry: "dc=myldap,dc=com"

do_syncrep2: rid 123got search entry without control

do_syncrepl: rid 123 quitting

but I have no idea where it’s looking for the entry, on the
master or the slave? But I do have that entry on the master.

I’m sure I’m doing something wrong but am also hoping it’s
relatively
minor.

Don't forget that syncrepl is pull-based replication. That is, the
slave connects to the master and gets data.

In light of this, check your configuration for: - the syncrepl
statement above in the *slave* slapd.conf - a "overlay syncprov" in
the *master* slapd.conf (plus any configuration you may want)

I've made progress, I finally got my slave authticting with the
master, butI'm confused with your statement about modifying something
in the master's slapd.conf.  I don't want to, nor do I think I even
can, modify anything with the master.  I'm basing my choice for using
syncrepl on http://www.openldap.org/doc/admin22/syncrepl.html, which
says in the first section:

This link is for OpenLDAP 2.2, you should use this for your version of OpenLDAP :
http://www.openldap.org/doc/admin23/

"With syncrepl, a consumer server can create a replica without
changing provider's configurations and without restarting the
provider server, if the consumer server has appropriate access
privileges for the DIT fragment to be replicated. The consumer server
can stop the replication also without the need for provider-side
changes and restart."

This means that you can add consumer servers to an existing architecture without having to modify the master's configuration to add each one (this was not the case with the previous replication system, slurpd).

I'm assuming my replication isn't work, even though I don't see any
errors, because when I run slapd on the slave followed by slapcat,
all I see is the original entry I populated it with, namely: dn:
cn=Manager,dc=myldap,dc=com.

Are there some specific debugging switches I can use when running the
slave to get some insight into what's happening?  I did try various
combinations of the debugging switch and didn't see anything jump out
of the output though I was surprised to see what looked like a lot of
SNMP OIDs.

Is there some explicit way to see the slave send a pull request to
the master and see what the master returns?

Does this mean anything: do_syncrep2: rid 123got search entry without
control

Yes - this means the master doesn't understand the syncrepl protocol, and returned results without using it (it takes the form of an LDAP control). This is because you must include the "syncprov" overlay in the master's configuration, as described here:

http://www.openldap.org/doc/admin23/syncrepl.html#Set%20up%20the%20provider%20slapd

You need to modify the master's configuration to use syncrepl. If you really can't, you cant' use syncrepl, and will have to look into alternatives to get your data out.

Hope this helps,
Jonathan

--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------