Re: CSN too old, ignoring - and therefore not syncing
On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
> Can you post your config somewhere?
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/eduperson-200412.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/IWU.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_monitor
moduleload memberof
moduleload syncprov
moduleload smbk5pwd
tool-threads 2
sizelimit 500
idletimeout 7200
TLSCACertificateFile /etc/ldap/ssl/IWU.crt
TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
TLSVerifyClient allow
localSSF 160
security ssf=1 update_ssf=128 simple_bind=112
sasl-secprops noanonymous
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
backend hdb
database hdb
overlay memberof
overlay smbk5pwd
overlay syncprov
smbk5pwd-enable samba
smbk5pwd-enable krb5
smbk5pwd-must-change 0
syncprov-checkpoint 100 10
syncprov-sessionlog 200
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
suffix "dc=iwu,dc=edu"
rootdn "cn=admin,dc=iwu,dc=edu"
rootpw {redacted}
authz-regexp "uidNumber=0\\\
+gidNumber=.*,cn=peercred,cn=external,cn=auth"
"cn=ldapi,dc=iwu,dc=edu"
authz-regexp "gidNumber=.*\\\
+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=ldapi,dc=iwu,dc=edu"
authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"
directory "/var/lib/ldap/"
dbconfig set_cachesize 0 62914560 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Make sure to do a nightly slapcat
dbconfig set_flags DB_LOG_AUTOREMOVE
index objectClass eq,pres
index default eq,sub,pres
index mail eq,sub,pres
index sn eq,sub,pres
index cn eq,sub,pres
index displayName eq,sub,pres
index gecos eq,sub,pres
index uid eq,sub,pres
index memberUid eq,sub,pres
index uidNumber eq,pres
index gidNumber eq,pres
index entryCSN eq,pres
index entryUUID eq,pres
index uniqueMember eq,pres
index userPassword eq,pres
index krb5PrincipalName eq,pres
index krb5PrincipalRealm eq,pres
index sambaDomainName eq,pres
index sambaSID eq,pres
index sambaPrimaryGroupSID eq,pres
index sambaSIDList eq,pres
lastmod on
checkpoint 256 15
password-hash {SSHA}
limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
access to dn.sub="dc=iwu,dc=edu"
    by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
    by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
    by dn.exact="cn=mirror,dc=iwu,dc=edu" read
    by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
    by * break
access to dn.sub="dc=iwu,dc=edu"
    attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
    by anonymous auth
    by self write
    by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
    by users auth
    by * break
access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read by * none
access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self read by * none
access to dn.sub="dc=iwu,dc=edu"
    attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
    by self write
    by users read
    by anonymous none
    by * break
access to dn.sub="dc=iwu,dc=edu"
    attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
    by self read
    by anonymous none
    by * break
access to dn.sub="dc=iwu,dc=edu"
    attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
    by * none
access to dn.sub="dc=iwu,dc=edu"
    attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
    by self read
    by anonymous none
    by * break
access to dn.sub="dc=iwu,dc=edu" by * read
serverID 1
syncrepl rid=2
    provider=ldap://ldap2.iwu.edu/
    schemachecking=off
    searchbase="dc=iwu,dc=edu"
    scope=sub
    type=refreshAndPersist
    binddn="cn=mirror,dc=iwu,dc=edu"
    credentials={redacted}
    bindmethod=simple
    starttls=yes
    tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
    tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
    tls_cacert=/etc/ldap/ssl/IWU.crt
    tls_reqcert=try
    interval=00:00:00:30
    retry="15 +"
    timeout=1
    timelimit=unlimited
    sizelimit=unlimited
mirrormode on
###############################
database monitor
limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
    time.hard=unlimited size.soft=unlimited time.soft=unlimited
access to dn.exact="cn=Monitor"
    by dn.exact="cn=admin,dc=iwu,dc=edu" read
    by * none
access to dn.subtree="cn=Monitor"
    by dn.exact="cn=admin,dc=iwu,dc=edu" read
    by * none
>
> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
> > Here is the quick and dirty what I am trying to do:
> >
> > ldap1 and ldap2 are supposed to be in MultiMaster. They are time synced
> > to pool.ntp.org and each other (if they drift I would rather they sorta
> > drift together, but pool should be keeping that in check).
> >
> > Right now I am just beating them up to see how 2.4.13 performs. (So far
> > VERY well, minus this little problem)
> >
> > I have a rather small ldif (41 entries) that just won't sync (I'm
> > starting small). Debug gives me
> >
> > ber_scanf fmt (m}) ber:
> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
> > 0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30  .<rid=001,sid=00
> > 0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37  2,csn=2008122217
> > 0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30  4721.855904Z#000
> > 0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30        000#001#000000
> > do_syncrep2: cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
> > do_syncrep2: rid=001 CSN too old, ignoring 20081222174721.855904Z#000000#001#000000
> > ldap_msgfree
> >
> > I am not exactly sure how it got to be "too old." The ldif I am
> > importing is not the result of a slapcat or anything that would preserve
> > the CSN or UUID attributes (not that syncrepl uses UUID). I am loading
> > one single file with ldapadd which, in my understanding, sets up the CSN
> > and wouldn't let me import one anyway.
> >
> > Each server has no entries until I load the one, so there shouldn't be
> > any weird stale CSNs causing this. They are "sync'ed" almost instantly
> > after the one system is loaded - I just don't have everything.
> >
> > After a sync:
> > ldap1 - slapcat |grep dn: |wc -l = 41
> > ldap2 - slapcat |grep dn: |wc -l = 18
> >
> > Right now I can get them in sync with a slapcat/slapadd, but when they go
> > into production I won't be able to say for certain which one is
> > authoritative. That is the purpose of multi-master....
> >
> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
> >
> > Any ideas as to what I can do to stop this from happening?
> >
> > Pat
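As an added example (not from the thread and not OpenLDAP's own code), the script below decodes the ber_dump rows from the quoted debug output, recovers the sync cookie, and parses and compares CSNs the way a syncrepl consumer does before it logs "CSN too old, ignoring". The ber_dump rows are the thread's own bytes re-joined into 16-byte rows; the extra CSNs at the bottom are constructed for the comparison.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# ber_dump rows from the quoted debug output, re-joined into their original
# 16-byte rows (the mail client had wrapped each row onto two lines).
BER_DUMP = """\
0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30  .<rid=001,sid=00
0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37  2,csn=2008122217
0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30  4721.855904Z#000
0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30        000#001#000000
"""

_ROW = re.compile(r"^[0-9a-fA-F]{4}:\s+(.*)$")
_HEXBYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# Cookie as slapd 2.4 formats it: decimal rid, hex sid, ';'-separated CSNs.
_COOKIE = re.compile(rb"rid=\d+,sid=[0-9a-fA-F]+,csn=[0-9A-Za-z.#;]+")
_CSN = re.compile(
    r"^(\d{14}\.\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def decode_ber_dump(text: str) -> bytes:
    """Return the raw bytes of a ber_dump trace.

    ber_dump prints at most 16 bytes per row followed by an ASCII rendering,
    so each row contributes its leading two-hex-digit tokens (at most 16),
    stopping at the first token that is not one.
    """
    out = bytearray()
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if not _HEXBYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def extract_cookie(raw: bytes) -> str:
    """Find the sync cookie in the decoded bytes. In the trace it is the value
    of a BER OCTET STRING; the 0x3c (60) just before it is that string's
    length byte, which is why len=62 for a 60-character cookie."""
    m = _COOKIE.search(raw)
    if not m:
        raise ValueError("no sync cookie found in dump")
    return m.group(0).decode("ascii")


@dataclass(frozen=True, order=True)
class CSN:
    """One change sequence number: time#count#sid#mod. Field order matches
    the CSN layout, so the generated ordering equals slapd's fixed-width
    string comparison of the raw CSN text."""
    time: str   # YYYYmmddHHMMSS.ffffff, UTC
    count: int  # hex counter for changes within the same microsecond
    sid: int    # hex serverID of the server that originated the change
    mod: int    # hex modification number


def parse_csn(text: str) -> CSN:
    m = _CSN.match(text)
    if not m:
        raise ValueError(f"malformed CSN: {text!r}")
    t, count, sid, mod = m.groups()
    datetime.strptime(t, "%Y%m%d%H%M%S.%f")  # reject impossible timestamps
    return CSN(t, int(count, 16), int(sid, 16), int(mod, 16))


def parse_cookie(cookie: str) -> dict:
    """Split 'rid=001,sid=002,csn=A;B' into rid, sid and a list of CSNs."""
    fields = dict(part.split("=", 1) for part in cookie.split(","))
    return {
        "rid": int(fields["rid"]),
        "sid": int(fields["sid"], 16),
        "csn": [parse_csn(c) for c in fields["csn"].split(";")],
    }


def csn_too_old(incoming: CSN, held: list) -> bool:
    """Mirror the consumer's check in do_syncrep2: an incoming CSN is ignored
    when the consumer already holds a CSN from the same serverID that is not
    older than it. Because the comparison is <=, an incoming CSN identical to
    the one in the consumer's own cookie, as in the quoted log, counts as
    "too old"."""
    return any(h.sid == incoming.sid and incoming <= h for h in held)


if __name__ == "__main__":
    cookie = extract_cookie(decode_ber_dump(BER_DUMP))
    held = parse_cookie(cookie)
    print("cookie:", cookie)
    # Constructed CSNs: the same one echoed back, a newer one from serverID 1,
    # and one from serverID 2, about which serverID 1's CSN says nothing.
    for text in (
        "20081222174721.855904Z#000000#001#000000",
        "20081222174722.000000Z#000000#001#000000",
        "20081222174700.000000Z#000000#002#000000",
    ):
        verdict = "too old" if csn_too_old(parse_csn(text), held["csn"]) else "accepted"
        print(text, verdict)
```

The point the script makes visible is that the check is per serverID: the consumer compares an incoming CSN only against the CSN it already holds for the same sid, and in the quoted log the ignored CSN and the cookie's own csn value are the same string, which the `<=` comparison reports as "too old".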