Re:
- To: Chris Cardone <ccardone@squaretrade.com>, openldap-technical@openldap.org
- Subject: Re:
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Tue, 01 May 2018 15:44:15 -0700
- Content-disposition: inline
- In-reply-to: <CADr0+sdaY8ytZaS4UB8c_ygdbY9rOV0PU-iZ2JBf3LEz_PT9RA@mail.gmail.com>
- References: <CADr0+sdaY8ytZaS4UB8c_ygdbY9rOV0PU-iZ2JBf3LEz_PT9RA@mail.gmail.com>
--On Tuesday, April 24, 2018 10:34 AM -0600 Chris Cardone
<ccardone@squaretrade.com> wrote:
Hi Chris,
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=010
  provider=ldap://master-1.example.com:389/
  bindmethod=simple
  binddn="uid=rpuser,dc=example,dc=com"
  credentials=banana
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
Are you really using dc=example,dc=com as the search base? Because your DB
is configured for dc=squaretrade,dc=com.
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
If this is the same as your ACL on the master, the replica will be unable
to read userPassword changes. This will become problematic in the long run.
olcSyncrepl: {0}rid=010 provider=ldap://master-1.example.com:389/ bindmethod=simple binddn="uid=rpuser,dc=example,dc=com" credentials=banana searchbase="dc=example,dc=com" type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
Same comment here about the searchbase being invalid.
olcDbCheckpoint: 512 30
I suggest reading the man page for slapd-mdb(5) and the checkpoint
parameter (just so you're aware that one of those values provided is
ignored).
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
You're missing the required indices for replication. Please read the
documentation thoroughly.
Here is the syncprov config on the master it is communicating with:
# {0}syncprov, {1}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
You're missing a few items, such as:
olcSpCheckpoint
olcSpSessionlog
My questions:
1> Does the slave also require the cn=config database replication?
It shouldn't, no.
2> Do the masters need similar configs (i.e. like the n-master config)?
Does RID=010 also need to be configured on the master?
No. The documentation clearly states that RIDs are tracked internally per
slapd. A given slapd has zero knowledge of what RID values are used on
other servers, and doesn't require it.
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: do_syncrep2: rid=010 got search entry without Sync State control (dc=example,dc=com)
This again shows you using the incorrect base. I believe this is the
expected behavior when that is the case.
Warm regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
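As an added example, not from this thread or from the OpenLDAP project: a small Python linter that applies the checks from the reply above to a cn=config LDIF dump (for instance the output of `slapcat -n 0`). It first unfolds LDIF continuation lines (the folding that mangled the quoted olcSyncrepl value), then flags a syncrepl searchbase that lies outside olcSuffix, a userPassword ACL that never grants read to the syncrepl binddn, missing replication indexes, and a syncprov overlay without olcSpCheckpoint/olcSpSessionlog. Assumptions: the "required indices" are the entryCSN and entryUUID eq indexes the OpenLDAP admin guide lists for replicated databases; the ACL check is a heuristic that only understands `*` and `dn=`/`dn.exact=` subjects, and it is meaningful on a provider dump or, as the reply puts it, when the replica's ACL mirrors the master's; the embedded LDIF is a constructed sample modelled on the thread, not the poster's verbatim configuration; `lint`, `parse_ldif` and the other function names are hypothetical.

```python
"""Hypothetical cn=config linter (not part of OpenLDAP) for the syncrepl mistakes
raised in the reply: searchbase outside the suffix, userPassword ACL hiding
password changes from the replication identity, missing replication indexes,
and a syncprov overlay without checkpoint/sessionlog settings."""
import re
from collections import defaultdict

# slapd.access(5) levels, weakest first; read or better makes a value visible.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Assumption: the "required indices" are the entryCSN/entryUUID eq indexes the
# OpenLDAP admin guide lists for replicated databases.
REPLICATION_INDEXES = {"entrycsn": "eq", "entryuuid": "eq"}

# Constructed sample modelled on the thread, not the poster's verbatim config.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=squaretrade,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by *
  none
olcSyncrepl: {0}rid=010 provider=ldap://master-1.example.com:389/
  bindmethod=simple binddn="uid=rpuser,dc=example,dc=com" credentials=banana
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="30 5 300 3"
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]. Folded lines (leading space)
    are joined first; '#' comments are skipped; base64 ('::') values are not decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries = []
    for record in "\n".join(unfolded).split("\n\n"):
        attrs = defaultdict(list)
        for line in record.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                attrs[attr.lower()].append(value.strip())
        if attrs.get("dn"):
            entries.append((attrs["dn"][0], attrs))
    return entries

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_within(base, suffix):
    base, suffix = norm_dn(base), norm_dn(suffix)
    return base == suffix or base.endswith("," + suffix)

def parse_syncrepl(value):
    """Split an olcSyncrepl value into its key=value options, quotes stripped."""
    value = re.sub(r"^\{\d+\}", "", value)
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', value)}

def acl_grants_read(acl, binddn):
    """Heuristic: some 'by <who> <access>' clause gives binddn read or better.
    Only '*' and dn=/dn.exact= subjects are understood (no groups, sets, regexes)."""
    for who, access in re.findall(r"\bby\s+(\S+)\s+(\w+)", acl):
        level = ACCESS_LEVELS.index(access) if access in ACCESS_LEVELS else -1
        subject = re.sub(r"^dn(\.\w+)?=", "", who).strip('"')
        if level >= ACCESS_LEVELS.index("read") and (who == "*" or norm_dn(subject) == norm_dn(binddn)):
            return True
    return False

def lint(text):
    """Return (code, message) findings; the ACL check assumes, as the reply does,
    that the dump's userPassword ACL matches the provider's."""
    findings = []
    for dn, attrs in parse_ldif(text):
        if "olcsyncrepl" in attrs:
            suffix = attrs.get("olcsuffix", [""])[0]
            indexes = {}
            for spec in attrs.get("olcdbindex", []):
                names, _, kinds = spec.partition(" ")
                for name in names.split(","):
                    indexes.setdefault(name.strip().lower(), set()).update(k.strip() for k in kinds.split(","))
            for name, kind in REPLICATION_INDEXES.items():
                if kind not in indexes.get(name, set()):
                    findings.append(("INDEX", f"{dn}: no '{name} {kind}' index"))
            for opts in map(parse_syncrepl, attrs["olcsyncrepl"]):
                if suffix and not dn_within(opts.get("searchbase", ""), suffix):
                    findings.append(("SEARCHBASE", f"{dn}: rid={opts.get('rid')} searchbase "
                                     f"{opts.get('searchbase')!r} is outside suffix {suffix!r}"))
                for acl in attrs.get("olcaccess", []):
                    if "userpassword" in acl.lower() and not acl_grants_read(acl, opts.get("binddn", "")):
                        findings.append(("ACL", f"{dn}: userPassword ACL never grants read to {opts.get('binddn')}"))
        if any("syncprov" in v.lower() for v in attrs.get("olcoverlay", [])):
            for needed in ("olcspcheckpoint", "olcspsessionlog"):
                if needed not in attrs:
                    findings.append(("SYNCPROV", f"{dn}: {needed} not set"))
    return findings
```

`lint(SAMPLE_LDIF)` reports all four problem classes from the reply (two INDEX findings, one SEARCHBASE, one ACL, two SYNCPROV); once the searchbase is moved under the suffix, the replication DN is granted read on userPassword, `entryCSN,entryUUID eq` is indexed and the two olcSp* attributes are set, it returns an empty list. Pass it the text of a real `slapcat -n 0` dump to run the same checks against a live server's configuration.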