[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: openldap syncrepl issue

To: Michael Ströder <michael@stroeder.com>, Howard Chu <hyc@symas.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: openldap syncrepl issue
From: Chris Card <ctcard@hotmail.com>
Date: Tue, 12 Nov 2013 09:50:56 +0000
Importance: Normal
In-reply-to: <5281F548.3090806@stroeder.com>
References: <DUB125-W859B38FD62B8D3F7B54DD7CCFF0@phx.gbl>, <5280FD2D.8050003@stroeder.com>, <528142E3.3070704@symas.com> <DUB125-W1027C73B95688884185A14CCFE0@phx.gbl>, <5281F548.3090806@stroeder.com>

Michael Ströder wrote:
> Chris Card wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Chris Card wrote:
>>>>> I am running openldap 2.4.36 with BDB for my main backend db, and
>>> multi-master replication setup using delta-syncrepl with MDB for the
>>> cn=accesslog db.
>>>>>
>>>>> I monitor the contextCSN to check that replication is in sync, but I've
>>> noticed what looks like a bug:
>>>>>
>>>>> If I try to delete a non-existent DN from the main db on machine A, I
>>>>> see
>>> the delete attempt in the cn=accesslog db on machine A with status 32, but the
>>> contextCSN of the main db is not changed, as expected.
>>>>>
>>>>> On machine B the contextCSN of the main db is updated, as if the delete
>>>>> had
>>> succeeded, and then machine A appears to be behind machine B according to the
>>> contextCSN values.
>>>
>>>>> Is this a known bug?
>>>
>>> In delta-syncrepl the consumer is supposed to be configured to only receive
>>> updates from the log whose reqResult=0. Otherwise the consumer shouldn't
>>> receive anything at all.
>> I can't see anything in the syncrepl configuration, but I see that slapo-accesslog can be configured with logsuccess set to TRUE:
>>
>> logsuccess TRUE | FALSE
>> If set to TRUE then log records will only be generated for successful requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS). If FALSE, log records are generated for all requests whether they succeed or not. The default is FALSE.
>>
>> Is that what you mean?
>
> You probably missed parameter 'logfilter' for the 'syncrepl' statement.
I do have logfilter set correctly as far as I can see (though I forgot about it in my previous reply):

olcSyncrepl: {1}rid=*** provider="ldap://****:389"; binddn="***************" bindmethod=simple credentials=******* searchbase="**********" type=refreshAndPersist retry="5 5 300 5" timeout=1 logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog

Setting logsuccess to TRUE for the accesslog overlay does work round the problem, but it still feels like a bug to me.

Chris

Follow-Ups:
- RE: openldap syncrepl issue
  - From: Chris Card <ctcard@hotmail.com>

References:
- openldap syncrepl issue
  - From: Chris Card <ctcard@hotmail.com>
- Re: openldap syncrepl issue
  - From: Michael Ströder <michael@stroeder.com>
- Re: openldap syncrepl issue
  - From: Howard Chu <hyc@symas.com>
- RE: openldap syncrepl issue
  - From: Chris Card <ctcard@hotmail.com>
- Re: openldap syncrepl issue
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: openldap syncrepl issue
Next by Date: TLS_REQCERT and no server certificate
Index(es):
- Chronological
- Thread