[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Anonymous Syncrepl?

To: openldap-software@openldap.org
Subject: Re: Anonymous Syncrepl?
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 11 Nov 2009 14:02:02 +0100
Cc: "Eric B." <ebenze@hotmail.com>
Content-disposition: inline
In-reply-to: <BLU122-W137427EE67C0F000125269DCAB0@phx.gbl>
References: <BLU122-W137427EE67C0F000125269DCAB0@phx.gbl>
User-agent: KMail/1.11.4 (Linux/2.6.29.6-desktop-2mnb; KDE/4.2.4; x86_64; ; )

On Tuesday, 10 November 2009 17:40:21 Eric B. wrote:
> Hi,
>
> I'm relatively new to OpenLDAP and am trying to set up a slave server.  I
> figured the easiest way would be to use the anonymous user to perform the
> synchronization given that my master allows for full anonymous reads:

We hope you're aware of the risks in the usual trade-off.

> access to *
>         by self write
>         by users read
>         by anonymous read

But, can an anonymous search retrieve all the entries (see 'timelimit' and 
'sizelimit' options).

Secondly, did you configure your master for syncrepl ? Specifically, has the 
database holding dc=domain,dc=com got the syncrepl overlay loaded (and you 
should also index the attributes used for replication state, see the 
documentation ...).

> I have tried to specify the following in my slave slapd.conf:
> syncrepl rid=8
>         provider=ldap://snoopy.domain.com:389
>         type=refreshAndPersist
>         retry="60 +"
>         searchbase="dc=domain,dc=com"
>         schemachecking=off
>         bindmethod=simple
>
>
> However, my slave seems to be unable to connect properly to the master.

It connects just fine, and initiates a search, however the search doesn't 
complete.

> It
> seems to be trying to write something, and am not quite sure what.  My
> master has the following log:
> Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 fd=72 ACCEPT from
> IP=10.1.1.8:39558 (IP=0.0.0.0:389)
> Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 op=0 BIND dn="" method=128
> Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 op=0 RESULT tag=97 err=0
> text= Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 op=1 SRCH
> base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
> Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 op=1 SRCH attr=* +
> Nov  9 16:37:52 snoopy slapd[1481]: send_search_entry: conn 6270  ber write
> failed.
> Nov  9 16:37:52 snoopy slapd[1481]: conn=6270 fd=72 closed (connection lost
> on write)
> My slave logs display the following:
> Nov  9 16:45:36 spike slapd[32415]: do_syncrep2: rid 008got search entry
> without control

Either it didn't get all the entries (and thus not the control which would 
follow) when doing the initial sync - fix the limits, or it got all the entries 
but no control - ensure the overlay is active on the producer.

Regards,
Buchan

References:
- Anonymous Syncrepl?
  - From: "Eric B." <ebenze@hotmail.com>

Prev by Date: Re: Anonymous Syncrepl?
Next by Date: Re: TLS renotiation
Index(es):
- Chronological
- Thread