
n-way syncrepl issues



Hi list,

I tried to read all information about the subject, both in the mail
archives and on the website (admin guide and faq-o-matic), but somehow
things are not working as expected.

I have 3 servers, Debian 6 with the distro-version of openldap
(2.4.23-7). I use phpldapadmin (PLA for short), version 1.2.0.5. I also
use ldapvi and the standard ldap-tools (ldapadd/ldapmodify etc). I use
the slapd.d/ config backend. My userdata DIT is empty at the moment,
until the issues are resolved.

*) When using n-way multimaster, I understand that the whole DIT is
identical on all servers (assuming full read access for the replication
DN, which is the case). Because of this, I used a generic name for the
certificates, while on each server the content of the files are
server-specific. This works as expected. The other difference between
the servers is the slapd startup command line: in it is each server's
own FQDN. On debian, this is specified in /etc/default/slapd. On server1
this file has:

SLAPD_SERVICES="ldap://127.0.0.1 ldaps://server1.domain.tld ldapi:///"

On server2 the URI changes in ldaps://server2.domain.tld and on server3
it changes likewise. This is all per the admin guide.

For some reason, replication is not working as expected. Some updates go
through, others are ignored and stay local on a server. The servers are
on different subnets with a firewall in-between, but I can access each
server from the other servers using e.g. 'ldapsearch'.

Question: With n-way multimaster, I understand the DIT should be
identical on all servers. Can I just do tar -czf slapd.conf.tgz
/etc/ldap/slapd.d on one server, and copy and untar this on the other
servers (with slapd stopped) and start slapd? My (anonymized) slapd.d is
at the end of this message (I deleted the (default) schema definitions
for readability).

Question: Is the above-mentioned method a valid way to add/restore an
extra n-way multimaster node in the setup? If so, do I do the export
AFTER adding the extra node to the config, or BEFORE?

Question: I also want to replicate the dc=domain,dc=tld DIT. Can I use
the same rid values in the replication statements as for the cn=config
DIT, or do they need to be unique within the total config?

Question: I do not like to use the cn=admin,cn=config identity as the
replication ID. Yet I do not have content in the dc=domain,dc=tld DIT,
and thus no way to specify another identity. Can this be solved?

Once the DIT has the identity, I assume I can change the replication ID
(as long as ACLs are not blocking things).

Can anyone answer my questions, or point me in the right direction? I
tried numerous things with all kinds of different results, but I feel I
miss some fundamental insight.

Thanks for any help!

Marcel

--------------------------------------------------------------------
Anonymized slapd.d config of server1 (exported using PLA)
--------------------------------------------------------------------

# Server: Server1 (ldap://localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 13
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on June 29, 2011 8:19 am
# Version: 1.2.0.5

version: 1

# Entry 1: cn=config
dn: cn=config
cn: config
contextcsn: 20110621205759.540662Z#000000#000#000000
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110621205759.540662Z#000000#000#000000
entrydn: cn=config
entryuuid: 690a54f4-06e9-1030-9aec-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110621205759Z
objectclass: olcGlobal
olcargsfile: /var/run/slapd/slapd.args
olcloglevel: sync
olcloglevel: stats
olcloglevel: args
olcpidfile: /var/run/slapd/slapd.pid
olcserverid: 11 ldaps://server1.domain.tld
olcserverid: 12 ldaps://server2.domain.tld
olcserverid: 13 ldaps://server3.domain.tld
olctlscacertificatefile: /etc/ssl/certs/cacert.org.pem
olctlscertificatefile: /etc/ssl/certs/thishost.crt
olctlscertificatekeyfile: /etc/ssl/private/thishost.key
olctlsverifyclient: NEVER
olctoolthreads: 1
structuralobjectclass: olcGlobal
subschemasubentry: cn=Subschema

# Entry 2: cn=module{0},cn=config
dn: cn=module{0},cn=config
cn: module{0}
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.660046Z#000000#000#000000
entrydn: cn=module{0},cn=config
entryuuid: 690b3608-06e9-1030-9af4-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcModuleList
olcmoduleload: {0}back_hdb
olcmoduleload: {1}syncprov.la
olcmodulepath: /usr/lib/ldap
structuralobjectclass: olcModuleList
subschemasubentry: cn=Subschema

# Entry 3: cn=schema,cn=config
### DELETED default schema definitions for readability

# Entry 4: cn={0}core,cn=schema,cn=config
### DELETED default schema definitions for readability

# Entry 5: cn={1}cosine,cn=schema,cn=config
### DELETED default schema definitions for readability

# Entry 6: cn={2}nis,cn=schema,cn=config
### DELETED default schema definitions for readability

# Entry 7: cn={3}inetorgperson,cn=schema,cn=config
### DELETED default schema definitions for readability

# Entry 8: olcBackend={0}hdb,cn=config
dn: olcBackend={0}hdb,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=admin,cn=config
entrycsn: 20110429201711.707740Z#000000#000#000000
entrydn: olcBackend={0}hdb,cn=config
entryuuid: 69127d0a-06e9-1030-9af5-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110429201711Z
objectclass: olcBackendConfig
olcbackend: {0}hdb
structuralobjectclass: olcBackendConfig
subschemasubentry: cn=Subschema

# Entry 9: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={-1}frontend,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110429201711.654507Z#000000#000#000000
entrydn: olcDatabase={-1}frontend,cn=config
entryuuid: 690a5da0-06e9-1030-9aed-e9c45301ace2
modifiersname: cn=config
modifytimestamp: 20110429201711Z
objectclass: olcDatabaseConfig
objectclass: olcFrontendConfig
olcaccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcaccess: {1}to dn.exact="" by * read
olcaccess: {2}to dn.base="cn=Subschema" by * read
olcdatabase: {-1}frontend
olcsizelimit: 500
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema

# Entry 10: olcDatabase={0}config,cn=config
dn: olcDatabase={0}config,cn=config
createtimestamp: 20110429201711Z
creatorsname: cn=config
entrycsn: 20110619065612.945749Z#000000#000#000000
entrydn: olcDatabase={0}config,cn=config
entryuuid: 690a693a-06e9-1030-9aee-e9c45301ace2
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619065612Z
objectclass: olcDatabaseConfig
olcaccess: {0}to * by dn.exact=cn=admin,cn=config read by
  dn.exact=gidNumber=0+uidNumber=0,cn=pe
 ercred,cn=external,cn=auth manage by * break
olcdatabase: {0}config
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}deletedforsecurityreasons
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcDatabaseConfig
subschemasubentry: cn=Subschema

# Entry 11: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
createtimestamp: 20110512150606Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201415.682681Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
entryuuid: 1ae3191c-10f5-1030-9102-e14c7638455a
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201415Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema

# Entry 12: olcDatabase={1}hdb,cn=config
dn: olcDatabase={1}hdb,cn=config
createtimestamp: 20110512144416Z
creatorsname: cn=admin,cn=config
entrycsn: 20110619123128.846982Z#000000#000#000000
entrydn: olcDatabase={1}hdb,cn=config
entryuuid: 0e60d5a6-10f2-1030-9d9b-35ce2d01c34c
modifiersname: cn=admin,cn=config
modifytimestamp: 20110619123128Z
objectclass: olcDatabaseConfig
objectclass: olcHdbConfig
olcaccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym
 ous auth by dn="cn=admin,cn=config" write by * none
olcaccess: {1}to dn.base="" by * read
olcaccess: {2}to * by self write by dn="cn=admin,cn=config" write by * read
olcdatabase: {1}hdb
olcdbcheckpoint: 512 30
olcdbconfig: {0}set_cachesize 0 2097152 0
olcdbconfig: {1}set_lk_max_objects 1500
olcdbconfig: {2}set_lk_max_locks 1500
olcdbconfig: {3}set_lk_max_lockers 1500
olcdbdirectory: /var/lib/ldap/
olcdbindex: objectClass eq
olcdbindex: entryCSN eq
olcdbindex: entryUUID eq
olclastmod: TRUE
olcmirrormode: TRUE
olcrootdn: cn=admin,cn=config
olcrootpw: {SSHA}s1C7GBjdeletedforsecurityreasons
olcsuffix: dc=domain,dc=tld
olcsyncrepl: {0}rid=011 provider=ldaps://server1.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {1}rid=012 provider=ldaps://server2.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
olcsyncrepl: {2}rid=013 provider=ldaps://server3.domain.tld
  binddn="cn=admin,cn=config" credentials="mysecretpassword"
  bindmethod=simple starttls=no searchbase="dc=domain,dc=tld"
  type=refreshAndPersist retry="5 5 300  +" timeout=0 network-timeout=0
  filter="(objectclass=*)" attrs="*,+" scope=sub
structuralobjectclass: olcHdbConfig
subschemasubentry: cn=Subschema

# Entry 13: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
createtimestamp: 20110522163658Z
creatorsname: cn=admin,cn=config
entrycsn: 20110522201502.521704Z#000000#000#000000
entrydn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
entryuuid: 74b70896-18dd-1030-94f4-2183161cb5d6
modifiersname: cn=admin,cn=config
modifytimestamp: 20110522201502Z
objectclass: olcOverlayConfig
objectclass: olcSyncProvConfig
objectclass: top
olcoverlay: {0}syncprov
olcspcheckpoint: 100 10
structuralobjectclass: olcSyncProvConfig
subschemasubentry: cn=Subschema
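Two of the questions above (whether rid values may be reused across the cn=config and dc=domain,dc=tld databases, and how to tell which updates "stay local" on one server) can be checked offline from LDIF text. The script below is an added example, not code from the post or from the OpenLDAP project. It does two things: it groups every olcSyncrepl value in a config dump by rid and reports any rid declared under more than one database (slapd.conf(5) describes rid as identifying a syncrepl directive within the consumer server as a whole, and the admin guide's own N-way example numbers the two databases' directives 001-003 and 004-006), and it compares the contextCSN values read from each server per originating serverID, where a CSN's third field is the serverID in three hex digits, so olcServerID 11/12/13 show up as 00b/00c/00d. All sample LDIF and CSN values are constructed for the example; in practice you would feed it `slapcat -n 0` output for the config and `ldapsearch -LLL -s base -b <suffix> contextCSN` output from each server.

```python
"""Offline replication checks for an OpenLDAP n-way multi-master setup (added example)."""
import re
from collections import defaultdict


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


RID_RE = re.compile(r"\brid=(\d{1,3})\b")


def find_duplicate_rids(config_ldif):
    """Return {rid: [database DNs]} for every rid that appears under more than one database."""
    rid_dns = defaultdict(set)
    current_dn = None
    for line in unfold_ldif(config_ldif):
        if line.lower().startswith("dn: "):
            current_dn = line[4:].strip()
        elif line.lower().startswith("olcsyncrepl:"):
            m = RID_RE.search(line)
            if m and current_dn:
                rid_dns[m.group(1)].add(current_dn)
    return {rid: sorted(dns) for rid, dns in rid_dns.items() if len(dns) > 1}


# CSN layout: <UTC time>.<usec>Z#<change count>#<serverID, 3 hex digits>#<modifier count>
CSN_RE = re.compile(
    r"^contextCSN: (\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_context_csns(server_ldif):
    """Return {serverID: csn} for each contextCSN value in one server's base-scope search output."""
    out = {}
    for line in unfold_ldif(server_ldif):
        m = CSN_RE.match(line)
        if m:
            out[m.group(3).lower()] = line.split(": ", 1)[1].strip()
    return out


def csn_lag(per_server):
    """per_server: {server name: ldif}. Return {serverID: [servers that lack the newest CSN for it]}.

    CSNs are fixed-width, so plain string comparison orders them by time.
    A server that has no contextCSN at all for some serverID is also reported as behind."""
    parsed = {name: parse_context_csns(ldif) for name, ldif in per_server.items()}
    sids = set().union(*(p.keys() for p in parsed.values()))
    behind = {}
    for sid in sorted(sids):
        newest = max(p[sid] for p in parsed.values() if sid in p)
        lagging = sorted(name for name, p in parsed.items() if p.get(sid, "") < newest)
        if lagging:
            behind[sid] = lagging
    return behind


# Constructed config excerpt mirroring the posted layout: both databases reuse rid=011.
SAMPLE_CONFIG = """dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=011 provider=ldaps://server1.example.test searchbase="cn=config"
olcSyncrepl: {1}rid=012 provider=ldaps://server2.example.test searchbase="cn=config"

dn: olcDatabase={1}hdb,cn=config
olcSyncrepl: {0}rid=011 provider=ldaps://server1.example.test
  searchbase="dc=example,dc=test"
olcSyncrepl: {1}rid=013 provider=ldaps://server3.example.test
  searchbase="dc=example,dc=test"
"""

# Constructed contextCSN output from three servers with olcServerID 11, 12, 13 (hex 00b, 00c, 00d).
SAMPLE_CSN = {
    "server1": """dn: dc=example,dc=test
contextCSN: 20110629081900.000000Z#000000#00b#000000
contextCSN: 20110629081700.000000Z#000000#00c#000000
contextCSN: 20110629081800.000000Z#000000#00d#000000
""",
    "server2": """dn: dc=example,dc=test
contextCSN: 20110629081900.000000Z#000000#00b#000000
contextCSN: 20110629081700.000000Z#000000#00c#000000
contextCSN: 20110629081500.000000Z#000000#00d#000000
""",
    "server3": """dn: dc=example,dc=test
contextCSN: 20110629081600.000000Z#000000#00b#000000
contextCSN: 20110629081800.000000Z#000000#00d#000000
""",
}


def main():
    for rid, dns in find_duplicate_rids(SAMPLE_CONFIG).items():
        print(f"rid={rid} is declared in more than one database: {', '.join(dns)}")
    for sid, servers in csn_lag(SAMPLE_CSN).items():
        print(f"serverID {sid}: {', '.join(servers)} have not seen its newest change")


if __name__ == "__main__":
    main()
```

A server that keeps showing an old contextCSN for one peer's serverID while the others have moved on is exactly the "update stays local" symptom described above, and the serverID tells you which provider's changes are not arriving, which narrows the firewall and credential checks to one link.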