[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: pwdfailuretime with multi-sync

To: Quanah Gibson-Mount <quanah@symas.com>
Subject: Re: pwdfailuretime with multi-sync
From: Chris Leung <chris@q-station.net>
Date: Fri, 1 Sep 2017 09:17:29 +0800 (HKT)
Cc: Chris Leung <chris@q-station.net>, openldap-technical@openldap.org
In-reply-to: <47669DD771CFBFF91B0C10B1@[192.168.1.30]>
References: <alpine.DEB.2.20.1708301340180.20362@dawn> <WM!67da46dcf64de75ae4fd155293eae18764bed4bba7918816a53129a4458cf0d19fb3ea6e7edcd83008097d8fb69740c1!@mailstronghold-1.zmailcloud.com> <FFF3835DCF59F6D364BCBA8D@[192.168.1.30]> <WM!2f42a80fde15feb8a85f22e9a7516054e9a0e1bb2c6523027f29aa27039e8308d771feba77a4fa7d19e166a6ddcd7b8a!@mailstronghold-1.zmailcloud.com> <47669DD771CFBFF91B0C10B1@[192.168.1.30]>
User-agent: Alpine 2.20 (DEB 67 2015-01-07)

Dear Quanah,

I would like to point out the password out of sync is not 100% happen whenerror 16 occour. I've checked:

- both openldap server with the same password policy and overlay enabled,e.g., both can generate pwdfailuretime and replicate to each other whenuser bind with incorrect password to any one of the server

- pwdfailuretime actually exist on the entries (and both server), but itfail with attribute not exist

Sep 1 01:20:19 openldap1 slapd[30596]: mdb_modify:uid=xxxxxxxxxxxxxSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: replaceuserPasswordSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: replacepwdChangedTimeSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: softdelpwdFailureTimeSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: replaceentryCSNSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: replacemodifiersNameSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: replacemodifyTimestampSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: deletepwdFailureTimeSep 1 01:20:19 openldap1 slapd[30596]: mdb_modify_internal: 16modify/delete: pwdFailureTime: no such attributeSep 1 01:20:19 openldap1 slapd[30596]: send_ldap_result: err=16matched="" text="modify/delete: pwdFailureTime: no such attribute"

Sep  1 01:20:19 openldap1 slapd[30596]: null_callback : error code 0x10

Sep 1 01:20:19 openldap1 slapd[30596]: slap_graduate_commit_csn: removing0x7fb460118ed0 20170831172019.265684Z#000000#002#000000Sep 1 01:20:19 openldap1 slapd[30596]: syncrepl_message_to_op: rid=001be_modify uid=xxxxxxxxxxxxxxx (16)Sep 1 01:20:19 openldap1 slapd[30596]: do_syncrep2: rid=001 delta-synclost sync on (reqStart=20170831172019.000000Z,cn=xxxxxxxxxxxxx)

, switching to REFRESH

And then, in most case, the user password could be sync afterward.

Anyway, thanks for your information. I think I need to gather moreinformation for the issue and post to the list again.



Thanks.


Chris

On Wed, 30 Aug 2017, Quanah Gibson-Mount wrote:

--On Wednesday, August 30, 2017 9:21 AM -0700 Quanah Gibson-Mount<quanah@symas.com> wrote:

--On Wednesday, August 30, 2017 2:49 PM +0800 Chris Leung
<chris@q-station.net> wrote:

Sometime, the user password is replicated without problem after switched
to REFRESH, however, sometime password can't be sync.


Error 16 means "no such attribute exists".  My guess would be you have
ACLs that block your replica from replicating userPassword.  I'd also
guess that you originally loaded the replica via a slapcat of the other
master, so some accounts have passwords, and others don't.  This is all
guesswork of course, but it would match the behavior you're seeing.

Also, I would confirm that you have identical overlay configurations betweenthe two masters. It sounds like on has ppolicy and perhaps the other onedoesn't? Also be sure and read the ppolicy manpage closely on replicationbehavior.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Prev by Date: N-Way replication configuration
Next by Date: OpenLDAP not starting using "systemctl start" but runs fine invoking slapd directly
Index(es):
- Chronological
- Thread