[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: synchronisation monitoring, contextCSN and operational attributes



Guillaume Rousse wrote:
Hello list.

I'm using delta-syncrepl in search-and-persist mode between my slaves
and my master server. And I'm using a nagios plugin to check sync
status, based on value of contextCSN attribute. But I'm often sync
alerts for unknown reasons.

First issue, is this an expected result to have an higher contextCSN on
the slave side ? From what I've understood from contextCSN, this
attribute is updated each time a write operation is performed on the
server. As the slave server is not supposed not to perform any write
operation, this should never happens. However, it does:

Ordinarily, a slave cannot initiate any write operations. However, you appear to be using ppolicy. The ppolicy overlay writes Bind status updates to the local server, regardless of master or slave status. Thus, it can cause the slave's contextCSN to be newer than the master's.

[root@etoile ~]# /usr/share/nagios/plugins/check_syncrepl.py
ldap://ldap1.msr-inria.inria.fr ldap://ldap2.msr-inria.inria.fr -b
dc=msr-inria,dc=inria,dc=fr -v
[..]
2009-05-25 13:36:49,740 - check_syncrepl.py - DEBUG - Retrieving
Provider contextCSN
2009-05-25 13:36:49,741 - check_syncrepl.py - DEBUG - contextCSN =
20090520141922.274229Z#000000#000#000000
2009-05-25 13:36:49,742 - check_syncrepl.py - DEBUG - Retrieving
Consumer contextCSN
2009-05-25 13:36:49,742 - check_syncrepl.py - DEBUG - contextCSN =
20090525095027.118111Z#000000#000#000000
2009-05-25 13:36:49,752 - check_syncrepl.py - INFO -   Consumer NOT in SYNCH
2009-05-25 13:36:49,753 - check_syncrepl.py - INFO -   Delta is -5 days,
4:28:55

Second issue, how does syncrepl sync operational attributes ? When using
ppolicy, for instance, each failed bind operation result in a
pwdChangedTime attribute added to the user entry. From my own attempts,
the slave and the master maintain their own list separatly.

As synchronisation is performed from master to slave only, it seems
quite logical failed authentication on the slaves doesn't impact the
user entry on the master. However, from reading slapd.conf man page,
syncrepl is supposed to synchronise operational attributes too by default:
   The attrs list defaults to "*,+" to return all user and operational
attributes, and attrsonly  is unset  by  default.

Also, the logs on the slave clearly show something happens when a failed
autentication is performed on the master.

Start state:
Provider contextCSN = 20090525122053.257812Z#000000#000#000000
Consumer contextCSN = 20090525122053.257812Z#000000#000#000000

Logs:
May 25 14:18:34 nation slapd[28717]: do_syncrep2:
cookie=rid=123,csn=20090525121834.036489Z#000000#000#000000
May 25 14:18:34 nation slapd[28717]: slap_queue_csn: queing 0x93d55d8
20090525121834.036489Z#000000#000#000000
May 25 14:18:34 nation slapd[28717]: slap_graduate_commit_csn: removing
0x9450550 20090525121834.036489Z#000000#000#000000
May 25 14:18:34 nation slapd[28717]: syncrepl_message_to_op: rid=123
be_modify uid=rousse,ou=users,dc=msr-inria,dc=inria,dc=fr (0)
May 25 14:18:34 nation slapd[28717]: slap_queue_csn: queing 0x9461d18
20090525121834.036489Z#000000#000#000000
May 25 14:18:34 nation slapd[28717]: slap_graduate_commit_csn: removing
0x945e640 20090525121834.036489Z#000000#000#000000

End state
Provider contextCSN = 20090525122053.257812Z#000000#000#000000
Consumer contextCSN = 20090525122122.287486Z#000000#000#000000

The provider didn't increases its contextCSN value, while performing a
change, and the consumer did increase its own, while not performing the
change :(

Here is my syncrepl configuration:
syncrepl rid=123
      provider=ldaps://ldap1.msr-inria.inria.fr
      type=refreshAndPersist
      retry="60 +"
      logbase="cn=log"
      logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
      syncdata=accesslog
      searchbase="dc=msr-inria,dc=inria,dc=fr"
      scope=sub
      schemachecking=off
      bindmethod=simple
      binddn="cn=syncrepl,ou=roles,dc=msr-inria,dc=inria,dc=fr"
      credentials=XXXXXX



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/