[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: A couple of questions regarding replication and user mapping

To: openldap-technical@openldap.org
Subject: Re: A couple of questions regarding replication and user mapping
From: Dieter Klünter <dieter@dkluenter.de>
Date: Fri, 21 Sep 2018 10:45:21 +0200
In-reply-to: <CAL017hDXz4j6DQ2jMuRcZ8p31hwTvqWWFaZfB-EGSyC0_5HXoA@mail.gmail.com>
Organization: AVCI
References: <CAL017hDXz4j6DQ2jMuRcZ8p31hwTvqWWFaZfB-EGSyC0_5HXoA@mail.gmail.com>

Am Thu, 20 Sep 2018 22:29:11 +0200
schrieb Karsten Heymann <karsten.heymann@gmail.com>:

> Hi,
> 
> I'm having a rough week as a long planned ldap migration this week
> went semi-bad, in that we noticed a good day after the new cluster
> went productive that both masters and both clients started to diverge
> data-wise. I'm still sorting out the details, but while
> troubleshooting some questions arose already.
> 
> (I'm running 2.4.46+dfsg-5~bpo9+1 on debian 9 with two masters
> (syncrepl, mirror mode) behind a load balancer and two slaves, also
> behind a load balancer. I was authenticating the replication with
> client certificates, but had to switch back to simple bind usind
> rootdn/rootpw als sync credentials to rule out any acl problems
> causing our problems.)
> 
> 1. I've read in an older debian bug report, that changing
> olcAuthRegexp requires a slapd restart in order to be effective. Is
> that still the case? If yes, could this *please* be added to the
> manpage and the documentation? Pretty please?
> 
> 2. Is ldapwhoami supposed to also print out the result of a
> authz-regexp mapping?

Yes
> 
> 3. The slapd.conf manpage mentions: "The replaced name can be either a
> DN, i.e. a string prefixed by "dn:", or an LDAP URI." Is prepending
> dn: really required? The examples on
> https://www.openldap.org/doc/admin24/sasl.html don't have it.

No

> 4. What happens when a lot of concurrent writes happen to two masters
> configured in mirror mode? We had a loadbalancer misconfiguration and
> the loadbalancers were using simple round robin to write to the
> masters. Can this result in diverging content on the two masters?

First write should win, depending on timestamp
 
> 5. At one time we had diverging content on both masters for the same
> entries, probably due to a broken acl config that did not allow the
> sync user to see all alltributes on the other master. Is there any way
> to cause a "re-sync" of an entry without actually changing data on the
> entry? The only way I found was to use slapd -c, but

If you have a log database with sufficient old data and matching
timestamps and csn's it might be possible. But a slapcat and slapdadd
would be easier. 

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: A couple of questions regarding replication and user mapping
  - From: Michael Ströder <michael@stroeder.com>
- Proposition of overlay explockout
  - From: David Coutadeur <david.coutadeur@gmail.com>

References:
- A couple of questions regarding replication and user mapping
  - From: Karsten Heymann <karsten.heymann@gmail.com>

Prev by Date: Re: How to make ldap evaluate clear text password vs DES stored password
Next by Date: Re: How to make ldap evaluate clear text password vs DES stored password
Index(es):
- Chronological
- Thread