[Date Prev][Date Next] [Chronological] [Thread] [Top]

updateref question and Openldap Replication



Many thanks to Justin Hahn who helped me solve a great portion of getting replication to work on our test systems.
For those of you who maybe stuck, you may find the section at the bottom of this e-mail helpful.


My question is centered around the updateref and how it performs its job.

Currently updateref is defined to be ldap://153.32.1.120:389

updateref[TAB]"ldap://153.32.1.120:389"; or
updateref	"ldap://153.32.1.120:389";

Whenever I send a request to update/delete a member from a group to the master, everything works as expected. The replication is sent to the slave and everything is fine. When I send an update to the slave however, I get a Referral but the changes never make it to the master. Here are the steps I've taken:

(1) /usr/local/bin/ldapmodify -f mod.ldif -v -d 256 -h "myslave.mydomain.com" -p "389" -D "cn=admin,o=MyDomain" -w adminpw

(2) output is:
ber_flush: 45 bytes to sd 5
request 1 done
add remove:
	member
add member:
	uid=testAccount1@test.org,ou=External_ID,ou=Company,o=MyDomain
modifying entry "cn=testGroup, ou=SpecialGroup, ou=Company, o=MyDomain"
ber_flush: 169 bytes to sd 5
ldap_modify: Referral

ldif_record() = 10
ber_flush: 7 bytes to sd 5

(3) I tested the network connection everything is fine
telnet myslave.mydomain.com 389

and the response on the master logs are:
Oct 31 12:33:10 myslave slapd[3515]: daemon: conn=81 fd=31 connection from IP=15.32.1.121:33376 (IP=0.0.0.0:0) accepted


so it looks like I can telnet into the port no problem. Since the boxes don't have a browser with them (we can only telnet) there's no other way I could think of to test that the "referral" is actually being passed onto the master.

Can anybody offer any suggestions???

Thanks in advance.



#############################################
#
Configuring Replication tips one master, one slave
1. If best, start with two identical machines. To achieve this, install OpenLDAP on one, configure slapd.conf, install the data (index it if necessary) and then tar up this build and copy it over to the intended slave.
2. Make sure to create a replicator account (other than root) on both the master and the slave such that when you copy your databases over to the slave, this account already exists
3. In the slapd.conf, I modify the section beneath the ldbm database section as follows for the master


#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
cachesize 1000
dbcachesize 100000
dbnolocking
dbnosync
directory /ldapdb # directory for all your LDAP data make sure that this is owned by slapd (user you create) and chmod at least 600
suffix "o=MyDomain" # some examples could be "o=Hewlett-Packard" etc
rootdn "cn=root,o=MyDomain"
rootpw secret


# replication
replica host=myslave.mydomain.com:389
binddn="cn=MyCopier, o=MyDomain" # Make sure that this account has a space between MyCopier, and o=MyDomain
bindmethod=simple credentials=123abc # credentials
replogfile /replication/replication.log # Make sure that slapd has access to this for testing purposes


# ldbm indexed attribute definitions ###################################
index default pres,eq
index objectClass,uid
index cn,sn eq,sub

4. In the slapd.conf of the slave, the ldbm database definitions are the safe with the exception of the replication section

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
cachesize 1000
dbcachesize 100000
dbnolocking
dbnosync
directory /ldapdb # directory for all your LDAP data make sure that this is owned by slapd (user you create) and chmod at least 600
suffix "o=MyDomain" # some examples could be "o=Hewlett-Packard" etc
rootdn "cn=root,o=MyDomain"
rootpw secret


# replication
updatedn "cn=MyCopier, o=MyDomain" # make sure that there is a space between MyCopier, and o=MyDomain
updateref "ldap://mymaster.mydomain.com:389"; # your master server


# ldbm indexed attribute definitions ###################################
index default pres,eq
index objectClass,uid
index cn,sn eq,sub

5. Start slapd and slurpd on the master, here's a shell script that I wrote that might help you (Solaris 2.7 Bourne Shell)
#!/bin/sh


DEBUG_MODE=256

case "$1" in
   'start')
        # Start the slapd daemon
        if [ -f /usr/local/libexec/slapd ] ; then
          echo "starting slapd"
          /usr/local/libexec/slapd \
          -f /usr/local/etc/openldap/slapd.conf \
          -h "ldap:/// ldaps:///" \
          -l local4 \
          -s $DEBUG_MODE \
          -u slapd -g slapd

# If the slapd daemon started fine, start replication
if [ $? = 0 ]; then
if [ -f /usr/local/libexec/slurpd ]; then
echo "starting slurpd"
/usr/local/libexec/slurpd \
-f /usr/local/etc/openldap/slapd.conf
if [ $? = 0 ]; then
nawk 'BEGIN{ "ps -e -o pid,comm | grep slurpd" | getline d; split(d,arr) ; print arr[1]}' > /usr/local/var/slurpd.pid
fi
fi
fi
fi
;;
'stop')
# Stop the slapd daemon
echo "stopping slapd"
kill -TERM `cat /usr/local/var/slapd.pid`
echo "stopping slurpd"
kill -TERM `cat /usr/local/var/slurpd.pid`
;;


6. Always do a /bin/ps -ef | grep sl to make sure everything is running properly, your output should be similar to:

slapd 3515 1 0 11:31:05 ? 0:32 /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf -h ldap:/// ldap
root 3517 1 0 11:31:05 ? 0:00 /usr/local/libexec/slurpd -f /usr/local/etc/openldap/slapd.conf


7. Start slapd on the slave (not slurpd)

8. Send an update to the master and you should see that everything is replicating fine. If it doesn't, make sure that you've defined the proper access control rules for the MyCopier account. Also check that you have all your file permissions straightened away.

Hope this helps for anyone, who's been scratching their heads (as I have for a while) trying to get replication working. Good luck!

OpenLDAP 2.0.11
db-3.2.9
OpenSSL-0.9.6b
Solaris 2.7