
RE: Syncrepl and mmr



Ok, 

Sanity check, please.  Still seeing "empty syncUUID" messages.  Also, the "userPassword" attributes on mm-server2 cannot be seen (via Apache Directory Studio -- but they show up with ldapsearch), but when I attempt to add (via ldapmodify) it returns "value already present".


MM-Server1:
# ldapsearch -H ldap://mm-server1.example.ldap -d 256 -D cn=admin,cn=config -W -b cn=config olcAccess
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess 
#

# config
dn: cn=config

# module{0}, config
dn: cn=module{0},cn=config

# schema, config
dn: cn=schema,cn=config

# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config

# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config

# {2}inetorgperson, schema, config
dn: cn={2}inetorgperson,cn=schema,cn=config

# {3}java, schema, config
dn: cn={3}java,cn=schema,cn=config

# {4}misc, schema, config
dn: cn={4}misc,cn=schema,cn=config

# {5}nis, schema, config
dn: cn={5}nis,cn=schema,cn=config

# {6}openldap, schema, config
dn: cn={6}openldap,cn=schema,cn=config

# {7}ppolicy, schema, config
dn: cn={7}ppolicy,cn=schema,cn=config

# {8}2307bis, schema, config
dn: cn={8}2307bis,cn=schema,cn=config

# {9}printers, schema, config
dn: cn={9}printers,cn=schema,cn=config

# {10}sudo, schema, config
dn: cn={10}sudo,cn=schema,cn=config

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to *  by self write  by users read  by anonymous auth

# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to *  by * none

# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
olcAccess: {1}to * by * read

# {0}syncprov, {1}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config

# {1}accesslog, {1}bdb, config
dn: olcOverlay={1}accesslog,olcDatabase={1}bdb,cn=config

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none

# {0}syncprov, {2}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 22
# numEntries: 21

MM-Server2:
# ldapsearch -H ldap://mm-server2.example.ldap -d 256 -D cn=admin,cn=config -W -b cn=config olcAccess
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess 
#

# config
dn: cn=config

# module{0}, config
dn: cn=module{0},cn=config

# schema, config
dn: cn=schema,cn=config

# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config

# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config

# {2}inetorgperson, schema, config
dn: cn={2}inetorgperson,cn=schema,cn=config

# {3}java, schema, config
dn: cn={3}java,cn=schema,cn=config

# {4}misc, schema, config
dn: cn={4}misc,cn=schema,cn=config

# {5}nis, schema, config
dn: cn={5}nis,cn=schema,cn=config

# {6}openldap, schema, config
dn: cn={6}openldap,cn=schema,cn=config

# {7}ppolicy, schema, config
dn: cn={7}ppolicy,cn=schema,cn=config

# {8}2307bis, schema, config
dn: cn={8}2307bis,cn=schema,cn=config

# {9}printers, schema, config
dn: cn={9}printers,cn=schema,cn=config

# {10}sudo, schema, config
dn: cn={10}sudo,cn=schema,cn=config

# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to *  by self write  by users read  by anonymous auth

# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to *  by * none

# {0}syncprov, {0}config, config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config

# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self  write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
olcAccess: {1}to * by * read

# {0}accesslog, {1}bdb, config
dn: olcOverlay={0}accesslog,olcDatabase={1}bdb,cn=config

# {1}syncprov, {1}bdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none

# {0}syncprov, {2}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config

# {3}monitor, config
dn: olcDatabase={3}monitor,cn=config
olcAccess: {0}to dn.children="cn=monitor" by dn.children="cn=admin,cn=config" read

# search result
search: 2
result: 0 Success

# numResponses: 24
# numEntries: 23

Log snippet from mm-server1
52efebcb >>> dnPrettyNormal: <uid=replicator,ou=admins,dc=example,dc=ldap>
=> ldap_bv2dn(uid=replicator,ou=admins,dc=example,dc=ldap,0)
<= ldap_bv2dn(uid=replicator,ou=admins,dc=example,dc=ldap)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=replicator,ou=admins,dc=example,dc=ldap)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=replicator,ou=admins,dc=example,dc=ldap)=0 
52efebcb <<< dnPrettyNormal: <uid=replicator,ou=admins,dc=example,dc=ldap>, <uid=replicator,ou=admins,dc=example,dc=ldap>
52efebcb conn=5640 op=0 BIND dn="uid=replicator,ou=admins,dc=example,dc=ldap" method=128
52efebcb do_bind: version=3 dn="uid=replicator,ou=admins,dc=example,dc=ldap" method=128
52efebcb ==> bdb_bind: dn: uid=replicator,ou=admins,dc=example,dc=ldap
52efebcb bdb_dn2entry("uid=replicator,ou=admins,dc=example,dc=ldap")
52efebcb => access_allowed: result not in cache (userPassword)
52efebcb => access_allowed: auth access to "uid=replicator,ou=Admins,dc=example,dc=ldap" "userPassword" requested
52efebcb => acl_get: [1] attr userPassword
52efebcb => acl_mask: access to entry "uid=replicator,ou=Admins,dc=example,dc=ldap", attr "userPassword" requested
52efebcb => acl_mask: to value by "", (=0) 
52efebcb <= check a_dn_pat: self
52efebcb <= check a_dn_pat: anonymous
52efebcb <= acl_mask: [2] applying auth(=xd) (stop)
52efebcb <= acl_mask: [2] mask: auth(=xd)
52efebcb => slap_access_allowed: auth access granted by auth(=xd)
52efebcb => access_allowed: auth access granted by auth(=xd)
52efebcb => access_allowed: result was in cache (userPassword)
52efebcb conn=5640 op=0 BIND dn="uid=replicator,ou=Admins,dc=example,dc=ldap" mech=SIMPLE ssf=0
52efebcb do_bind: v3 bind: "uid=replicator,ou=admins,dc=example,dc=ldap" to "uid=replicator,ou=Admins,dc=example,dc=ldap"
52efebcb send_ldap_result: conn=5640 op=0 p=3
52efebcb send_ldap_result: err=0 matched="" text=""
52efebcb send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 32
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00         0....a........    
52efebcb conn=5640 op=0 RESULT tag=97 err=0 text=
52efebcb daemon: activity on 1 descriptor
52efebcb daemon: activity on:52efebcb 
52efebcb daemon: epoll: listen=7 active_threads=0 tvp=zero
52efebcb daemon: activity on 1 descriptor
52efebcb daemon: activity on:52efebcb  32r52efebcb 
52efebcb daemon: read active on 32
52efebcb daemon: epoll: listen=7 active_threads=0 tvp=zero
52efebcb connection_get(32)
52efebcb connection_get(32): got connid=5640
52efebcb connection_read(32): checking for input on id=5640
ber_get_next
ldap_read: want=8, got=8

If you need more info, let me know.

Thank you in advance.

John


-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] 
Sent: Monday, February 03, 2014 1:14 PM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: RE: Syncrepl and mmr

--On Monday, February 03, 2014 1:06 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu> wrote:

> The "cn=replicator,cn=accesslog" was the olcRootDN for the accesslog.
>
> Rather that was my intent.
>
> Rereading documentation...and the script you shared with me a few 
> weeks back.
>
> Currently, my set up is:
> 1) The rootDN for the cn=config is cn=admin (cn=admin,cn=config)
> 2) the rootDN for my primary dbase is cn=ldapadmin
> (cn=ldapadmin,dc=example,dc=ldap)
> 3) the rootDN for the accesslog, as
> mentioned above, is/was cn=replicator (cn=replicator,cn=accesslog)
>
> My ou=Users,dc=example,dc=ldap has all the End-Users uids for logins.
>
> Noticed you have a cn=admins,cn=zimbra.
>
> Bear with the stupid question, this is more of a sanity check for me 
> (getting pressure from my side to get this project done -- so very 
> rushed).
>
> I could/should create an "ou=Admins,dc=example,dc=ldap", on both 
> MM-Servers
>
> In that ou create/move the replicator that I wrongfully created in
> cn=accesslog:
>
> uid=replicator,ou=Admins,dc=example,dc=ldap
>
> That will get this user in the dbase.
>
> Modify, the olcSyncrepl, olcAccess, etc on both MM-Servers.
>
> Is that basically, correct?

Yes.  For replication, you need one single replication DN to be used for replication, that has read access into both your primary DB and your accesslog DB.  The rootdns are entirely separate from any of that.

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
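A small checker for the requirement in Quanah's reply (one replication DN with at least read access into both the primary and the accesslog database), run against the olcAccess dump John posted. This is an added example, not code from the thread or from OpenLDAP; it models only the ACL syntax that appears above (to *, to attrs=..., by self/anonymous/users/*/dn=/dn.exact=), and the sample LDIF is a trimmed copy of the mm-server1 output.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # OpenLDAP ranking

# Constructed sample: the {1}bdb (primary) and {2}bdb (accesslog) entries from the mm-server1 dump above.
SAMPLE_LDIF = """\
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
olcAccess: {1}to * by * read

dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none
"""

def parse_acls(ldif):
    """Map each olcDatabase DN to its olcAccess values (LDIF as printed by ldapsearch)."""
    acls, db = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: olcDatabase="):
            db, acls[line[4:]] = line[4:], []
        elif line.startswith("dn: "):
            db = None            # overlay or schema entry: no database ACLs here
        elif line.startswith("olcAccess: ") and db:
            acls[db].append(line[11:])
    return acls

def who_matches(who, bind_dn):
    """<by> selectors seen in the thread; the binder is an authenticated DN reading other entries."""
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who)   # "self" and "anonymous" never match here
    return who in ("*", "users") or (bool(m) and m.group(1).lower() == bind_dn.lower())

def effective_access(acls, bind_dn, attr):
    """First <to> rule covering attr is used; within it the first matching <by> clause wins."""
    for acl in acls:
        target, *clauses = re.split(r"\s+by\s+", acl.strip())
        what = re.sub(r"^\{\d+\}to\s+", "", target)
        if what.startswith("attrs="):
            covered = attr.lower() in what[6:].lower().split(",")
        else:
            covered = what == "*"   # entry-scoped targets (dn.children=...) are not modelled
        if covered:
            granted = [c.split()[1] for c in clauses if who_matches(c.split()[0], bind_dn)]
            return granted[0] if granted else "none"
    return "none"

def replication_readiness(ldif, bind_dn, needed="read"):
    """Per database: does bind_dn get at least `needed` on userPassword and on ordinary attrs?"""
    return {db: all(LEVELS.index(effective_access(acls, bind_dn, a)) >= LEVELS.index(needed)
                    for a in ("userPassword", "cn"))
            for db, acls in parse_acls(ldif).items()}
```

DNs are compared case-insensitively, which is why the lower-cased "ou=admins" bind seen in the log still matches the "ou=Admins" ACL clause; an ordinary user DN falls through to the trailing "by * none" and gets no access to userPassword, which is what a non-replicator bind in a directory browser would see.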