[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Sync working in lab but not in production

Le 05/12/2013 14:38, Philip Colmer a écrit :
> I suspect I've broken a fundamental rule of how sync works on OpenLDAP
> but here goes ...
> We've been running a single OpenLDAP server for a while now so I
> wanted to get some resiliency into place. We are using version 2.4.28
> on Ubuntu 12.04.
> The original machine is a VM so I cloned it and built two further
> servers from that clone. I then followed the instructions in
> https://help.ubuntu.com/12.04/serverguide/openldap-server.html to add
> the provider bits to server A and the consumer bits to server B.
> That works fine.
> So, since I had a working consumer, I added the provider bits to the
> original LDAP server and changed the configuration on server B so that
> it queries that server and not server A. Syncing now fails and I'm
> getting the following in the log:
> slapd[8201]: conn=1059 fd=18 ACCEPT from IP= (IP=
> slapd[8201]: conn=1059 op=0 BIND dn="cn=XXX,dc=YYY,dc=ZZZ" method=128
> slapd[8201]: conn=1059 op=0 BIND dn="cn=XXX,dc=YYY,dc=ZZZ" mech=SIMPLE ssf=0
> slapd[8201]: conn=1059 op=0 RESULT tag=97 err=0 text=
> slapd[8201]: conn=1059 op=1 SRCH base="cn=accesslog" scope=2 deref=0
> filter="(&(?objectClass=auditWriteObject)(?reqResult=0))"
> slapd[8201]: conn=1059 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN
> reqDeleteOldRDN reqNewSuperior entryCSN
> slapd[8201]: conn=1059 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
> slapd[8201]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT (32) No such object
> slapd[8201]: do_syncrep2: rid=000 (32) No such object
> slapd[8201]: conn=1059 op=2 UNBIND
> I've double-checked the configuration on the provider and if I revert
> the configuration on server B so that it consumes from server A, it
> all works again.
> Have I broken a fundamental rule? If I have, how can I fix it? If I
> haven't, what have I done wrong?
> Thanks.
> Philip

The "IP=" in the first log line make me thinks your server is
asking itself for the accesslog, which means it thinks it is the provider.
As you have cloned the original server (which is aimed to be the
provider), wouldn't you have some line in your /etc/hosts on server B
that resolves your_provider_dns_name to ?
That would explain why it works when configured to ask server A (it
resolve to the real IP of server A), and not when configured to ask to
your original server (it resolve its dns_name as itself :

Just a guess...


Yann Cézard - administrateur systèmes serveurs
Centre de ressources informatiques    -     http://cri.univ-pau.fr
Université de Pau et des pays de l'Adour -  http://www.univ-pau.fr
bâtiment d'Alembert (anciennement IFR), rue Jules Ferry, 64000 Pau
Téléphone : +33 (0)5 59 40 77 94