Re: OL 2.3.18 syncrepl vs slurpd

[Francis Swasey <Frank.Swasey@uvm.edu>]

On 1/23/06 12:59 PM, Quanah Gibson-Mount wrote:
> --On Monday, January 23, 2006 9:04 AM -0500 Francis Swasey 
> <Frank.Swasey@uvm.edu> wrote:
>
> > Now, I have discovered three things.
> >
> > 1) delta-syncrepl doesn't seem to have any way to filter the amount of
> > what is sent -- so, it has the same issues that I'm fighting with slurpd
> > of sending every update to all the replicas and perhaps I do not want all
> > the updates on all the replicas (this was the reason for me going to
> > syncrepl).
>
> You could, of course, have more than one accesslog database, each with 
> what you wanted going to the different replicas.  Or, alternately, you 
> should be able to use a filter similar to what you configured for 
> syncRepl for use with delta-syncrepl on the accesslog DB.

Yes, I suppose I could, but I don't seem to be intelligent enough to 
figure out how to filter what gets put into the accesslog based on 
whether or not the DN is in the correct branch of the DIT.

I've probably allowed too much in a single database, and now I want to 
send all the updates to one class of replicas and everything except the 
sendmail access control entries to another class of replicas -- of 
course, this is because slurpd is getting behind from time to time -- 
perhaps delta-syncrepl will be fast enough that this will not be an issue.

> > 2) There is a DOS against the master server if the consumer codes a bad
> > logfilter.  You will see a bad filter indication in the log on the master
> > (with loglevel stats) when the consumer starts up.  The first update to
> > the master after that will cause slapd to end with nothing going into the
> > syslog at all, but suddenly, it's not running anymore. Given that anyone
> > could fire up a syncrepl consumer and point it at my master... that's a
> > rather nasty one...  Has anyone else noticed it (I honestly just found it
> > and have not searched in the ITS yet)?
>
> I'm not really sure this is a DOS attack.  It certainly causes a 
> segfault on the master.  However, I assume that it requires a replica 
> that can bind with valid credentials to the master, implying the 
> administrator would have to be the one initiating such an attack on 
> themselves... In any case, I imagine it'll be fixed fairly soon. :P

Well, I suppose, if you force me to think it all the way through that 
yes, you have to authenticate with the correct DN to be able to get to 
the accesslog database.... but it's still a nasty surprise ;-)

> > 3) loglevel sync on the syncrepl consumer doesn't log anything with
> > delta-syncrepl.  Did I miss something in the slapd.conf(5) man page about
> > the loglevel to get delta-syncrepl actions logged?  Or is it in a
> > different man page, that I didn't think to look at?
>
> This one I haven't played with, but it sounds like a bug.

Hmmm, if it sounds like a bug to you, I guess I better file an ITS.

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Senior IT Professional          | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)