
Re: OpenLDAP instance as syncREPL replica and Slurpd master



Bruno Lezoray EMSM wrote:
Howard Chu wrote:
Quanah Gibson-Mount wrote:
--On September 14, 2007 5:21:28 PM +0200 Bruno Lezoray EMSM
<bruno.lezoray@wh-ces.gmessaging.net> wrote:

Hi all,

I want to implement a specific OpenLDAP configuration with 3 instances:
1st is a master
2nd is a syncrepl replica "and" slurpd master
3rd is a slurpd replica
Set up a pushed-base syncrepl instead of using slurpd.  Slurpd is
deprecated, and fully removed from OpenLDAP 2.4.
In OpenLDAP 2.3 this will require one more slapd process (while
eliminating the slurpd process).

1 provider
2 regular consumer
2A back-ldap consumer
3 external replica

None of the existing (1, 2, or 3) servers' configurations need any
changes. (Except, you can remove the "replica" directives from your
"slurpd master" since they don't do any good, and aren't needed anyway.)

The back-ldap consumer would be set up something like:

database    ldap
suffix      "dc=example,dc=com"
rootdn      "cn=Whoever"
uri     ldap://localhost:9013/     <---- URL of external replica

acl-bind    bindmethod=simple
        binddn="cn=Monitor"        <---- updatedn of external replica
        credentials=monitor        <---- password for updatedn

# the usual consumer config...
syncrepl    rid=1
        provider=ldap://localhost:9011/
        binddn="cn=Manager,dc=example,dc=com"
        bindmethod=simple
        credentials=secret
        searchbase="dc=example,dc=com"
        filter="(objectClass=*)"
        schemachecking=off
        scope=sub
        type=refreshOnly
        interval=00:00:00:10
        retry="5 5 300 5"


Ok.
On the backldap instance, I have this configuration:
database        ldap
suffix          "o=test"
rootdn          "cn=root DN, o=test"
rootpw          {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
uri     ldaps://10.1.1.69:1636/
Is that really the URI of the external replica?

acl-bind    bindmethod=simple
        binddn="cn=root DN, o=test"
        credentials=secret
syncrepl    rid=1
        provider=ldaps://localhost:636/
Is that really the URI of the syncrepl master?

        binddn="cn=root DN,o=test"
        bindmethod=simple
        credentials=secret
        searchbase="o=test"
        filter="(objectClass=*)"
        schemachecking=off
        scope=sub
        type=refreshOnly
        interval=00:00:00:10
        retry="5 5 300 5"

And on the external replica, i have :
database        bdb
suffix          "o=test"
rootdn          "cn=root DN, o=test"
rootpw          {SSHA}JDqRrNmZbCiInNsubLessizYPdmcwhgf
directory       /usr/products/freeware/openldap/var/openldap-slapd-sym
checkpoint      64      15

You're missing the updateDN directive. And since this is supposed to be a replica, it shouldn't be generating password-hashes by itself, it should just be taking exactly what the master generated.

password-hash {SSHA}

cachesize       50000
index   objectClass,entryCSN,entryUUID  eq
index   uid     pres,eq,sub
index   mail    pres,eq,sub
index   cn      pres,eq,sub
index   sn      pres,eq,sub

But the backldap failed to query the external replica. I have the
following error:
Sep 17 11:23:24 test-ldap backldap[28913]: [ID 702911 local4.debug] @(#)
$OpenLDAP: slapd 2.3.32 (Sep 13 2007 17:58:03) $
Sep 17 11:23:25 test-ldap backldap[28914]: [ID 100111 local4.debug]
slapd starting
Sep 17 11:23:25 test-ldap backldap[28914]: [ID 608079 local4.debug]
do_syncrep2: rid 001got search entry without control
Sep 17 11:23:30 test-ldap backldap[28914]: [ID 608079 local4.debug]
do_syncrep2: rid 001got search entry without control

For information, I use release 2.3.32 on Solaris 9/10.

Obsolete, update to 2.3.38...

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
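A consistency check for the wiring Howard describes above (provider, back-ldap consumer, external replica), as an added example that is not code from this thread or from OpenLDAP. It parses slapd.conf fragments in Python and flags the mistakes raised in the replies: uri and syncrepl provider= pointing at the wrong server (or at the same server), a missing updatedn on the external replica, an acl-bind binddn that does not match that updatedn, and password-hash set on a replica. The directive names are the real slapd.conf ones; the sample configs, listener URIs and DNs are constructed for illustration, and the replica's listener address (ldaps://10.1.1.69:1636/) is an assumption taken from the posted uri line.

```python
"""Cross-check a push-based syncrepl topology: provider -> back-ldap consumer
-> external replica.  Added example, not code from the thread or from
OpenLDAP.  The directive names are real slapd.conf directives; the sample
configs, URIs and DNs below are constructed for illustration."""
import re
import shlex


def parse_slapd_conf(text):
    """Return [(directive, [args...])].  slapd.conf rule: a line that starts
    with whitespace continues the previous directive; '#' lines are comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1][1].extend(shlex.split(raw))      # continuation line
        else:
            parts = shlex.split(raw)                      # quotes stripped, words kept
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def first(entries, name):
    """Arguments of the first occurrence of a directive, or None."""
    return next((args for d, args in entries if d == name), None)


def keyvals(args):
    """Turn acl-bind/syncrepl style 'key=value' tokens into a dict."""
    return {k.lower(): v for k, v in (t.split("=", 1) for t in args if "=" in t)}


def normalize_dn(dn):
    """Enough for the DNs here: case-fold and drop whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def check_topology(provider_uri, consumer_conf, replica_uri, replica_conf):
    """Return a list of problems (empty list == consistent wiring).

    provider_uri: where the syncrepl provider listens (caller supplies it)
    replica_uri:  where the external replica listens (caller supplies it)
    """
    problems = []
    cons = parse_slapd_conf(consumer_conf)
    repl = parse_slapd_conf(replica_conf)
    uri = first(cons, "uri")
    acl = keyvals(first(cons, "acl-bind") or [])
    sync = keyvals(first(cons, "syncrepl") or [])
    updatedn = first(repl, "updatedn")
    tgt = uri[0].rstrip("/") if uri else ""
    prov = sync.get("provider", "").rstrip("/")

    # back-ldap must forward to the external replica, syncrepl must pull from
    # the real provider, and the two must not be the same server
    if tgt != replica_uri.rstrip("/"):
        problems.append("uri does not point at the external replica")
    if prov != provider_uri.rstrip("/"):
        problems.append("syncrepl provider= does not point at the provider")
    if tgt and tgt == prov:
        problems.append("uri and syncrepl provider= are the same server")
    # the identity the consumer pushes with has to be the replica's updatedn
    if updatedn is None:
        problems.append("external replica has no updatedn directive")
    elif normalize_dn(acl.get("binddn", "")) != normalize_dn(updatedn[0]):
        problems.append("acl-bind binddn does not match replica updatedn")
    # a replica stores whatever hash the master sent; it must not re-hash
    if first(repl, "password-hash") is not None:
        problems.append("external replica sets password-hash; remove it")
    return problems


# Constructed sample configs (not the poster's files verbatim): the consumer as
# shown in the thread, and the external replica before and after the fix.
CONSUMER_CONF = """\
database    ldap
suffix      "o=test"
rootdn      "cn=root DN, o=test"
uri         ldaps://10.1.1.69:1636/
acl-bind    bindmethod=simple
            binddn="cn=root DN, o=test"
            credentials=secret
syncrepl    rid=1
            provider=ldaps://localhost:636/
            binddn="cn=root DN,o=test"
            bindmethod=simple
            credentials=secret
            searchbase="o=test"
            type=refreshOnly
            retry="5 5 300 5"
"""
REPLICA_BROKEN = """\
database    bdb
suffix      "o=test"
rootdn      "cn=root DN, o=test"
directory   /var/openldap-data
password-hash {SSHA}
index       objectClass,entryCSN,entryUUID eq
"""
REPLICA_FIXED = REPLICA_BROKEN.replace("password-hash {SSHA}\n",
                                       'updatedn    "cn=root DN,o=test"\n')

if __name__ == "__main__":
    for name, conf in (("broken", REPLICA_BROKEN), ("fixed", REPLICA_FIXED)):
        print(name, check_topology("ldaps://localhost:636/", CONSUMER_CONF,
                                   "ldaps://10.1.1.69:1636/", conf) or "OK")
```

The check only catches wiring and directive mistakes; it cannot tell you which server is really at each URI, which is why the two "Is that really the URI ..." questions have to be answered by hand. The `got search entry without control` lines in the log are the consumer reporting that entries arrived from the provider= server without the sync state control, which is typically what you see when the database at that URI does not have the syncprov overlay configured, so the provider= question is the one to settle first.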