
Slurpd/Slapd question - issue (LONG)




All,

I have a RHEL 3 server running openldap-2.2.24/db-4.2.52/openssl-0.9.7c and 
all appears to be running fine.  I'm replicating the db to two other servers, 
FC1 and rh9, with the same packages.  

I'm able to replicate fine from the primary server to the two slaves, but the 
contents of the 3 databases don't match up.  

I stopped the primary server, ran a slapcat on it, ran slapadd on the slaves, 
started the slaves and then started the server.  When I change the password 
via our web interface, which modifies shadowLastChange, I can watch the 
slurpd.replog and see the changes are pushed out to the slaves.  

Here are my slaves' slapd.conf files:

Slave 1: 

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /opt/ldap/etc/openldap/schema/core.schema
include         /opt/ldap/etc/openldap/schema/cosine.schema
include         /opt/ldap/etc/openldap/schema/inetorgperson.schema
include         /opt/ldap/etc/openldap/schema/nis.schema
include         /opt/ldap/etc/openldap/schema/misc.schema
include         /opt/ldap/etc/openldap/schema/solaris.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_dn

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral       ldap://konldap1.cellnet.com

loglevel        256
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.

TLSCipherSuite          HIGH:MEDIUM
TLSCertificateFile      /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /opt/ldap/etc/openldap/slapd-key.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#password-hash          {CRYPT}

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
readonly        off
suffix          "dc=cellnet,dc=com"
rootdn          "cn=replica,dc=cellnet,dc=com"
updatedn        "cn=replica,dc=cellnet,dc=com"
updateref       "ldap://148.80.158.218";
rootpw          {SSHA}o+DILbBGHbxPDrzEJjkglivhEPw0FQI9
directory       /var/lib/ldap
mode            0700

cachesize 10000
sizelimit 10000

# Indices to maintain for this database

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index nisNetgroupTriple                 pres

#Restrict userPassword to be used for authentications only
access to attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
     by self write
     by anonymous auth
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * none

#ACL allowing read access to everyone
access to *
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * read


Here is the other slave's slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /opt/ldap/etc/openldap/schema/core.schema
include         /opt/ldap/etc/openldap/schema/cosine.schema
include         /opt/ldap/etc/openldap/schema/inetorgperson.schema
include         /opt/ldap/etc/openldap/schema/nis.schema
include         /opt/ldap/etc/openldap/schema/misc.schema
include         /opt/ldap/etc/openldap/schema/solaris.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_dn

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral       ldap://konldap1.cellnet.com

loglevel        256
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.

TLSCipherSuite          HIGH:MEDIUM
TLSCertificateFile      /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /opt/ldap/etc/openldap/slapd-key.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#password-hash          {CRYPT}

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
readonly        off
suffix          "dc=cellnet,dc=com"
rootdn          "cn=replica,dc=cellnet,dc=com"
updatedn        "cn=replica,dc=cellnet,dc=com"
updateref       "ldap://148.80.158.218";
rootpw          {SSHA}o+DILbBGHbxPDrzEJjkglivhEPw0FQI9
directory       /var/lib/ldap
mode            0700

cachesize 10000
sizelimit 10000

# Indices to maintain for this database

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index nisNetgroupTriple                 pres

#Restrict userPassword to be used for authentications only
access to attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
     by self write
     by anonymous auth
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * none

#ACL allowing read access to everyone
access to *
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * read

Here is the server's slapd.conf:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /opt/ldap/etc/openldap/schema/core.schema
include         /opt/ldap/etc/openldap/schema/cosine.schema
include         /opt/ldap/etc/openldap/schema/inetorgperson.schema
include         /opt/ldap/etc/openldap/schema/nis.schema
include         /opt/ldap/etc/openldap/schema/misc.schema
include         /opt/ldap/etc/openldap/schema/solaris.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_dn

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

loglevel        256
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# The next three lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.

TLSCipherSuite          HIGH:MEDIUM
TLSCACertificateFile    /opt/ldap/etc/openldap/cacert.pem
TLSCertificateFile      /opt/ldap/etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /opt/ldap/etc/openldap/slapd-key.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#password-hash          {CRYPT}

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=cellnet,dc=com"
rootdn          "cn=Manager,dc=cellnet,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

rootpw          {SSHA}kzivzqK4M9JX9sj0g+waiJwNMQ/gl6xI

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.

directory       /var/lib/ldap
mode            700

cachesize 10000
sizelimit 10000

# Indices to maintain for this database

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index nisNetgroupTriple                 pres

#Restrict userPassword to be used for authentications only
access to attrs=userPassword,telephoneNumber,mobile,mail,shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive
     by self write
     by anonymous auth
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * none

#ACL allowing read access to everyone
access to *
     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
     by * read

replogfile      /var/log/slapd.replog

replica host=konldap2.cellnet.com:389
        suffix="dc=cellnet,dc=com"
        binddn="cn=replica,dc=cellnet,dc=com"
        bindmethod=simple
        credentials=password
        tls=yes

replica host=scarecrow.cellnet.com:389
        suffix="dc=cellnet,dc=com"
        binddn="cn=replica,dc=cellnet,dc=com"
        bindmethod=simple
        credentials=password
        tls=yes

Does anyone know why the DBs wouldn't be in sync and why, when I manually add 
in shadowLastChange, it isn't reflected in the DB?

Here's an example of just one instance where the DBs differ:

(Slave 1)
/opt/ldap/bin/ldapsearch -x -h 148.80.180.6 -b "ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#

# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
uid: ahirsch
cn: Aaron Hirsch
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uidNumber: 1008
gidNumber: 3
homeDirectory: /home/ahirsch
gecos: Aaron Hirsch
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

(Slave 2)
/opt/ldap/bin/ldapsearch -x -h 148.80.158.219 -b "ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#

# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
sn: Hirsch
uid: ahirsch
uidNumber: 1008
shadowExpire: 12641

# ahirsch, people, office, projects, cellnet.com
dn: uid=ahirsch,ou=people,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
shadowExpire: 12641
sn: Hirsch
uid: ahirsch
uidNumber: 1008

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

(Server)
/opt/ldap/bin/ldapsearch -x -h 148.80.158.218 -b "ou=office,ou=projects,dc=cellnet,dc=com" uid=ahirsch
# extended LDIF
#
# LDAPv3
# base <ou=office,ou=projects,dc=cellnet,dc=com> with scope sub
# filter: uid=ahirsch
# requesting: ALL
#

# ahirsch, office, projects, cellnet.com
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
gidNumber: 3
homeDirectory: /home/ahirsch
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
sn: Hirsch
uid: ahirsch
uidNumber: 1008

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So, as you can see, slave 2 has information that is not contained in slave 1 or 
the master server.  The extra entry was in the DB and deleted, but it's still 
showing up!  There are no slurpd locks, so I would have thought that the 
information should have been removed from the replica.

Any ideas why the DBs are out of sync?

-- 
Aaron M. Hirsch

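One way to find replication drift like the one described in the post above is to diff the LDIF that ldapsearch or slapcat produces on the master and on each replica. The script below is an added example, not code from the original post or from OpenLDAP; the MASTER and SLAVE2 strings are constructed samples modelled on the search output shown above.

```python
# Added example (not from the original post): parse two ldapsearch/slapcat
# LDIF dumps and report entries or attribute values present on only one
# side, which is how the drift described above shows up. Attribute order
# is ignored because servers may return attributes in different orders.

def parse_ldif(text):
    """Return {dn: set((attr, value))}; comments skipped, folded lines joined."""
    entries, lines = {}, []
    for raw in [l for l in text.splitlines() + [""] if not l.startswith("#")]:
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                            # blank line ends the entry
            pairs = {tuple(s.strip() for s in l.split(":", 1)) for l in lines}
            dn = next(v for a, v in pairs if a.lower() == "dn")
            entries[dn.lower()] = {p for p in pairs if p[0].lower() != "dn"}
            lines = []
    return entries

def diff_ldif(master_text, replica_text):
    """Return (dns only on master, dns only on replica, {dn: attr diffs})."""
    master, replica = parse_ldif(master_text), parse_ldif(replica_text)
    changed = {}
    for dn in master.keys() & replica.keys():
        if master[dn] != replica[dn]:
            changed[dn] = {"missing_on_replica": sorted(master[dn] - replica[dn]),
                           "extra_on_replica": sorted(replica[dn] - master[dn])}
    return (sorted(master.keys() - replica.keys()),
            sorted(replica.keys() - master.keys()), changed)

# Constructed samples modelled on the master and slave 2 output in the post.
MASTER = """\
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
uid: ahirsch
uidNumber: 1008
"""
SLAVE2 = """\
dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
uid: ahirsch
cn: ahirsch
uidNumber: 1008
shadowExpire: 12641

dn: uid=ahirsch,ou=people,ou=office,ou=projects,dc=cellnet,dc=com
cn: ahirsch
uid: ahirsch
"""
```

Calling `diff_ldif(MASTER, SLAVE2)` reports the stale ou=people entry as present only on the replica and shadowExpire as an extra attribute on the shared entry; feed it real `slapcat` output from each host to audit a whole suffix.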