[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sync working in lab but not in production

To: Philip Colmer <philip.colmer@linaro.org>
Subject: Re: Sync working in lab but not in production
From: Yann Cézard <yann.cezard@univ-pau.fr>
Date: Thu, 05 Dec 2013 15:50:27 -0000
Cc: openldap-technical@openldap.org
In-reply-to: <CAKTSSTgwv5EPaWZDZjcirh=AuMYB=8tK1HV=kNZ4A9wedWO3qA@mail.gmail.com>
Organization: Université de Pau et des Pays de l'Adour
References: <CAKTSSTgwv5EPaWZDZjcirh=AuMYB=8tK1HV=kNZ4A9wedWO3qA@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10

Le 05/12/2013 14:38, Philip Colmer a écrit :
> I suspect I've broken a fundamental rule of how sync works on OpenLDAP
> but here goes ...
>
> We've been running a single OpenLDAP server for a while now so I
> wanted to get some resiliency into place. We are using version 2.4.28
> on Ubuntu 12.04.
>
> The original machine is a VM so I cloned it and built two further
> servers from that clone. I then followed the instructions in
> https://help.ubuntu.com/12.04/serverguide/openldap-server.html to add
> the provider bits to server A and the consumer bits to server B.
>
> That works fine.
>
> So, since I had a working consumer, I added the provider bits to the
> original LDAP server and changed the configuration on server B so that
> it queries that server and not server A. Syncing now fails and I'm
> getting the following in the log:
>
> slapd[8201]: conn=1059 fd=18 ACCEPT from IP=127.0.0.1:52374 (IP=0.0.0.0:389)
> slapd[8201]: conn=1059 op=0 BIND dn="cn=XXX,dc=YYY,dc=ZZZ" method=128
> slapd[8201]: conn=1059 op=0 BIND dn="cn=XXX,dc=YYY,dc=ZZZ" mech=SIMPLE ssf=0
> slapd[8201]: conn=1059 op=0 RESULT tag=97 err=0 text=
> slapd[8201]: conn=1059 op=1 SRCH base="cn=accesslog" scope=2 deref=0
> filter="(&(?objectClass=auditWriteObject)(?reqResult=0))"
> slapd[8201]: conn=1059 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN
> reqDeleteOldRDN reqNewSuperior entryCSN
> slapd[8201]: conn=1059 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
> slapd[8201]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT (32) No such object
> slapd[8201]: do_syncrep2: rid=000 (32) No such object
> slapd[8201]: conn=1059 op=2 UNBIND
>
> I've double-checked the configuration on the provider and if I revert
> the configuration on server B so that it consumes from server A, it
> all works again.
>
> Have I broken a fundamental rule? If I have, how can I fix it? If I
> haven't, what have I done wrong?
>
> Thanks.
>
> Philip
>
Hi,

The "IP=127.0.0.1" in the first log line make me thinks your server is
asking itself for the accesslog, which means it thinks it is the provider.
As you have cloned the original server (which is aimed to be the
provider), wouldn't you have some line in your /etc/hosts on server B
that resolves your_provider_dns_name to 127.0.0.1 ?
That would explain why it works when configured to ask server A (it
resolve to the real IP of server A), and not when configured to ask to
your original server (it resolve its dns_name as itself : 127.0.0.1).

Just a guess...

Regards,

-- 
Yann Cézard - administrateur systèmes serveurs
Centre de ressources informatiques    -     http://cri.univ-pau.fr
Université de Pau et des pays de l'Adour -  http://www.univ-pau.fr
bâtiment d'Alembert (anciennement IFR), rue Jules Ferry, 64000 Pau
Téléphone : +33 (0)5 59 40 77 94

Prev by Date: SSL authentication to Active Directory via OpenLDAP client
Next by Date: default setup examples/documentation
Index(es):
- Chronological
- Thread