[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: two databases replicating to one slave server doesn't work
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Buchan Milne wrote:
| Andreas wrote:
| | openldap-2.1.30
| | berkeley db 4.2.52 + 2 patches
| |
|
| I'm running the same versions, and it gets more interesting ... see below.
|
| | With the following setup (two databases), changes are sent twice to
| the slave
| | server (logs further below). Obviously, the second time the change is
| already
| | there and a replication error occurs.
| |
| | MASTER
| | database bdb
| | subordinate
| | suffix "ou=Branch1,dc=my-domain,dc=com"
| | rootdn "cn=Manager,dc=my-domain,dc=com"
| | directory /var/lib/ldap-branch
| | index objectClass eq
| | access to attr=userPassword
| | by anonymous auth
| | by self write
| | by * none
| | access to attr=shadowLastChange
| | by self write
| | by * read
| | access to *
| | by * read
| | replica host=build-cl9.distro.conectiva tls=no
| | suffix="ou=Branch1,dc=my-domain,dc=com"
| | bindmethod=simple
| | binddn="uid=replicator,dc=my-domain,dc=com"
| | credentials="replicator"
| | replogfile /var/lib/replog/master-replog
| | database bdb
| | suffix "dc=my-domain,dc=com"
| | rootdn "cn=Manager,dc=my-domain,dc=com"
| | rootpw changethis
| | directory /var/lib/openldap-data
| | index objectClass eq
| | access to attr=userPassword
| | by anonymous auth
| | by self write
| | by * none
| | access to attr=shadowLastChange
| | by self write
| | by * read
| | access to *
| | by * read
| | replica host=build-cl9.distro.conectiva tls=no
| | suffix="dc=my-domain,dc=com"
| | bindmethod=simple
| | binddn="uid=replicator,dc=my-domain,dc=com"
| | credentials="replicator"
| | replogfile /var/lib/replog/master-replog
| |
| | I added a "description" attribute under the "uid=replicator" entry. It
| got sent
| | twice to the slave server.
| |
| | /var/lib/slurpd/replica/slurpd.replog:
| | replica: build-cl9.distro.conectiva
| | time: 1089386416
| | dn: uid=replicator,dc=my-domain,dc=com
| | changetype: modify
| | add: description
| | description:: dXN1w6FyaW8gZGUgcmVwbGljYcOnw6Nv
| | -
| | replace: entryCSN
| | entryCSN: 2004070915:20:16Z#0x0001#0#0000
| | -
| | replace: modifiersName
| | modifiersName: cn=Manager,dc=my-domain,dc=com
| | -
| | replace: modifyTimestamp
| | modifyTimestamp: 20040709152016Z
| | -
| |
| | LDAP log on the slave:
| | slapd[24432]: conn=5 fd=17 ACCEPT from IP=10.0.2.177:40993
| (IP=0.0.0.0:389)
| | slapd[24432]: conn=6 fd=20 ACCEPT from IP=10.0.2.177:40994
| (IP=0.0.0.0:389)
| | slapd[24447]: conn=5 op=0 BIND dn="uid=replicator,dc=my-domain,dc=com"
| method=128
| | slapd[24447]: conn=5 op=0 BIND dn="uid=replicator,dc=my-domain,dc=com"
| mech=simple ssf=0
| | slapd[24447]: conn=5 op=0 RESULT tag=97 err=0 text=
| | slapd[24441]: conn=6 op=0 BIND dn="uid=replicator,dc=my-domain,dc=com"
| method=128
| | slapd[24441]: conn=6 op=0 BIND dn="uid=replicator,dc=my-domain,dc=com"
| mech=simple ssf=0
| | slapd[24441]: conn=6 op=0 RESULT tag=97 err=0 text=
| | slapd[24447]: conn=5 op=1 MOD dn="uid=replicator,dc=my-domain,dc=com"
| | slapd[24447]: conn=5 op=1 MOD attr=description entryCSN modifiersName
| modifyTimestamp
| | slapd[24441]: conn=6 op=1 MOD dn="uid=replicator,dc=my-domain,dc=com"
| | slapd[24441]: conn=6 op=1 MOD attr=description entryCSN modifiersName
| modifyTimestamp
| | slapd[24447]: conn=5 op=1 RESULT tag=103 err=0 text=
| | slapd[24441]: conn=6 op=1 RESULT tag=103 err=20 text=modify/add:
| description: value #0 already exists
| |
|
| I have 3 databases, 4 replicas for the first two, 5 for the 3rd, but
| each replica uses different replica DNs. But, it seems slurpd gets
| confused, and uses the wrong replica DN for a specific database:
|
| # grep -E "(^suffix|^replica|^replog|binddn)" /etc/openldap/slapd.conf
| suffix "cn=mail,ou=isp"
| replogfile /var/lib/ldap/mail/replog
| replica host=io:389
| ~ binddn="cn=root,cn=mail,ou=isp"
| replica host=ganymedes:389
| ~ binddn="cn=root,cn=mail,ou=isp"
| replica host=leda:389
| ~ binddn="cn=root,cn=mail,ou=isp"
| replica host=elara:389
| ~ binddn="cn=root,cn=mail,ou=isp"
| # binddn="cn=root,cn=mail,ou=isp" bindmethod=simple
| credentials=mailme99
| # binddn="cn=root,cn=mail,ou=isp" bindmethod=simple
| credentials=mailme99
| suffix "ou=radius,o=intekom,c=za"
| replogfile /var/lib/ldap/radius/replog
| replica host=io:389
| ~ binddn="cn=root,ou=radius,o=intekom,c=za"
| replica host=ganymedes:389
| ~ binddn="cn=root,ou=radius,o=intekom,c=za"
| replica host=leda:389
| ~ binddn="cn=root,ou=radius,o=intekom,c=za"
| replica host=elara:389
| ~ binddn="cn=root,ou=radius,o=intekom,c=za"
| # binddn="cn=root,ou=radius,o=intekom,c=za"
| bindmethod=simple credentials=infranetpoid
| # binddn="cn=root,ou=radius,o=intekom,c=za"
| bindmethod=simple credentials=infranetpoid
| suffix "dc=telkomsa,dc=net"
| replogfile /var/lib/ldap/openldap-master-replog
| replica host=io:389
| ~ binddn="cn=metis,ou=Hosts,dc=telkomsa,dc=net"
| replica host=ganymedes:389
| ~ binddn="cn=metis,ou=Hosts,dc=telkomsa,dc=net"
| replica host=leda:389
| ~ binddn="cn=metis,ou=Hosts,dc=telkomsa,dc=net"
| replica host=elara:389
| ~ binddn="cn=metis,ou=Hosts,dc=telkomsa,dc=net"
| replica host=jupiter:389
| ~ binddn="cn=metis,ou=Hosts,dc=telkomsa,dc=net"
|
| And, in the log on one of the slaves, we see:
|
| Jul 19 16:59:57 io slapd[9732]: conn=3 op=0 BIND
| dn="cn=root,ou=radius,o=intekom
| ,c=za" method=128
| Jul 19 16:59:57 io slapd[9732]: conn=3 op=0 BIND
| dn="cn=root,ou=radius,o=intekom
| ,c=za" mech=SIMPLE ssf=0
| Jul 19 16:59:57 io slapd[9732]: conn=3 op=0 RESULT tag=97 err=0 text=
| Jul 19 16:59:57 io slapd[9735]: conn=3 op=1 ADD
| dn="cn=iafrica,cn=mail,ou=isp"
| Jul 19 16:59:57 io slapd[9735]: conn=3 op=1 RESULT tag=105 err=10 text=
|
|
| So, slurpd is trying to write to the "cn=mail,ou=isp" database as the
| rootdn for ou=radius,o=intekom,c=za, which is clearly wrong and
| obviously not going to work.
|
| | Just for fun, I replaced one of the replica lines with the IP
| | address of the slave host instead of its name. That is, I made
| | the directive different from the other one, but still pointing to
| | the same host.
| |
| | Voilá, it started working.
| | So, instead of:
| | (...)
| | replica uri=ldap://build-cl9.distro.conectiva:389
| | (...)
| | replica uri=ldap://build-cl9.distro.conectiva:389
| | (...)
| |
| | I have:
| | (...)
| | replica uri=ldap://10.0.17.107:389
| | (...)
| | replica uri=ldap://build-cl9.distro.conectiva:389
| | (...)
| |
| | Then it works (yes, I also switched to using "uri" instead of "host"
| | midtesting, but that alone didn't help).
| | 10.0.17.107 is the IP address of build-cl9.distro.conectiva. Just having
| | it "different" in the two replica directives seemed to be the trick.
| |
| | So, is this scenario not supported? Is it a glitch? A bug? Am I mad? :)
| | Thanks for any input.
|
| In our setup, it's not that simple ... it can't work as slurpd is trying
| to replicate as the wrong DN for the database it is trying to replicate.
|
Ok, using one replogfile for all databases fixes the issue for now.
| Guess it's time to file an ITS.
Seems there already is:
http://www.openldap.org/its/index.cgi/Incoming?id=3223
which has been marked as a dupe of 1119, which I couldn't find ...
Regards,
Buchan
- --
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFA++5xrJK6UGDSBKcRAm+jAKCFCbH7f7xQYHoG+WoZ6zE+vre5awCfRV8P
+aWLHRL7D68DOFxrdMDjWiw=
=Yejg
-----END PGP SIGNATURE-----