
<olcMirrorMode> database is not a shadow



Hello,

Was setting up replication for our LDAP server, and was following the guide here,
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP#Setting_up_replication

I had success with this guide but just a problem with authentication, I could see in the ldap debug log for node1 entries like this:

Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 ACCEPT from IP=<node1's IP>:34606 (IP=0.0.0.0:389)
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" mech=SIMPLE ssf=0
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 RESULT tag=97 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD attr=olcSyncrepl
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD attr=olcMirrorMode
Jul 20 16:21:22 node1 slapd[10218]: slap_client_connect: URI=ldap://node2.genome.arizona.edu DN="cn=ldapreader,dc=genome,dc=arizona,dc=edu" ldap_sasl_bind_s failed (49)
Jul 20 16:21:22 node1 slapd[10218]: do_syncrepl: rid=001 rc 49 retrying
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=3 UNBIND
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 closed

and in the debug log for node2 entries like this:

Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 ACCEPT from IP=<node1's IP>:56460 (IP=0.0.0.0:389)
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 BIND dn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 RESULT tag=97 err=49 text=
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=1 UNBIND
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 closed


It turns out I had literally used credentials="secret" in the add-replication-node1/node2.ldif files! So I went back and used slappasswd to generate a new password, put it into the ldapreader.ldif and used ldapmodify instead this time, with success on both nodes,

[root@node1 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.ldif
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"
[root@node1 openldap]#

[root@node2 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.conf
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"
[root@node2 openldap]#


Then I updated the add-replication-node1/node2.ldif to modify the entry with the actual password instead of "secret"... on node1 I got two success messages,

[root@node1 openldap]# cat add-replication-node1.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl:
  rid=001
  provider=ldap://node2.genome.arizona.edu
  binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu"
  bindmethod=simple
  credentials="<actual password>"
  searchbase="dc=genome,dc=arizona,dc=edu"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node1.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"

modifying entry "olcDatabase={1}bdb,cn=config"

[root@node1 openldap]#


However when I went to modify the entries on node2, I now got the error <olcMirrorMode> database is not a shadow,

[root@node2 openldap]# cat add-replication-node2.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl:
  rid=002
  provider=ldap://node1.genome.arizona.edu
  binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu"
  bindmethod=simple
  credentials="<actual password>"
  searchbase="dc=genome,dc=arizona,dc=edu"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node2.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"

modifying entry "olcDatabase={1}bdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
	additional info: <olcMirrorMode> database is not a shadow

[root@node2 openldap]#


Now the replication has stopped and there are no connection entries in the ldap debug logs. So what did I do wrong, and how do I get replication going again?

Thanks,

--
Chandler / Systems Administrator
Arizona Genomics Institute
www.genome.arizona.edu