Re: CSN too old, ignoring - and therefore not syncing
Try dropping nopresent and reloadhint relating to ITS5669. You only
need these two syncprov settings on an accesslog db.
Gavin.
On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
> On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
>> Can you post your config somewhere?
>
>
> allow bind_v2
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/samba.schema
> include /etc/ldap/schema/eduperson-200412.schema
> include /etc/ldap/schema/hdb.schema
> include /etc/ldap/schema/IWU.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> modulepath /usr/lib/ldap
> moduleload back_hdb
> moduleload back_monitor
> moduleload memberof
> moduleload syncprov
> moduleload smbk5pwd
>
> tool-threads 2
> sizelimit 500
> idletimeout 7200
>
> TLSCACertificateFile /etc/ldap/ssl/IWU.crt
> TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
> TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
> TLSVerifyClient allow
>
> localSSF 160
> security ssf=1 update_ssf=128 simple_bind=112
> sasl-secprops noanonymous
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
>
> backend hdb
> database hdb
>
> overlay memberof
> overlay smbk5pwd
> overlay syncprov
>
> smbk5pwd-enable samba
> smbk5pwd-enable krb5
> smbk5pwd-must-change 0
>
> syncprov-checkpoint 100 10
> syncprov-sessionlog 200
> syncprov-nopresent TRUE
> syncprov-reloadhint TRUE
>
> suffix "dc=iwu,dc=edu"
>
> rootdn "cn=admin,dc=iwu,dc=edu"
> rootpw {redacted}
>
> authz-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth" "cn=ldapi,dc=iwu,dc=edu"
> authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=ldapi,dc=iwu,dc=edu"
>
> authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"
>
> directory "/var/lib/ldap/"
>
> dbconfig set_cachesize 0 62914560 0
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
>
> # Make sure to do a nightly slapcat
> dbconfig set_flags DB_LOG_AUTOREMOVE
>
> index objectClass eq,pres
> index default eq,sub,pres
> index mail eq,sub,pres
> index sn eq,sub,pres
> index cn eq,sub,pres
> index displayName eq,sub,pres
> index gecos eq,sub,pres
> index uid eq,sub,pres
> index memberUid eq,sub,pres
> index uidNumber eq,pres
> index gidNumber eq,pres
> index entryCSN eq,pres
> index entryUUID eq,pres
> index uniqueMember eq,pres
> index userPassword eq,pres
> index krb5PrincipalName eq,pres
> index krb5PrincipalRealm eq,pres
> index sambaDomainName eq,pres
> index sambaSID eq,pres
> index sambaPrimaryGroupSID eq,pres
> index sambaSIDList eq,pres
>
> lastmod on
>
> checkpoint 256 15
>
> password-hash {SSHA}
>
> limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>
> access to dn.sub="dc=iwu,dc=edu"
> by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
> by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
> by dn.exact="cn=mirror,dc=iwu,dc=edu" read
> by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
> by anonymous auth
> by self write
> by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
> by users auth
> by * break
>
> access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
>
> access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by * none
> access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
> access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
> access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read by * none
> access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self read by * none
> access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by * none
>
> access to dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self read by * none
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
> by self write
> by users read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
> by self read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
> by * none
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
> by self read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu" by * read
>
> serverID 1
>
> syncrepl rid=2
> provider=ldap://ldap2.iwu.edu/
> schemachecking=off
> searchbase="dc=iwu,dc=edu"
> scope=sub
> type=refreshAndPersist
> binddn="cn=mirror,dc=iwu,dc=edu"
> credentials={redacted}
> bindmethod=simple
> starttls=yes
> tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
> tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
> tls_cacert=/etc/ldap/ssl/IWU.crt
> tls_reqcert=try
> interval=00:00:00:30
> retry="15 +"
> timeout=1
> timelimit=unlimited
> sizelimit=unlimited
>
> mirrormode on
>
> ###############################
> database monitor
> limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>
> access to dn.exact="cn=Monitor"
> by dn.exact="cn=admin,dc=iwu,dc=edu" read
> by * none
>
> access to dn.subtree="cn=Monitor"
> by dn.exact="cn=admin,dc=iwu,dc=edu" read
> by * none
>
>
>>
>> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>> > Here is the quick and dirty what I am trying to do:
>> >
>> > ldap1 and ldap2 are supposed to be in MultiMaster. They are time synced
>> > to pool.ntp.org and each other (if they drift I would rather they sorta
>> > drift together, but pool should be keeping that in check).
>> >
>> > Right now I am just beating them up to see how 2.4.13 performs. (So far
>> > VERY well, minus this little problem)
>> >
>> > I have a rather small ldif (41 entries) that just won't sync (I'm
>> > starting small). Debug gives me
>> >
>> > ber_scanf fmt (m}) ber:
>> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
>> > 0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 .<rid=001,sid=00
>> > 0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37 2,csn=2008122217
>> > 0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30 4721.855904Z#000
>> > 0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30 000#001#000000
>> > do_syncrep2: cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
>> > do_syncrep2: rid=001 CSN too old, ignoring 20081222174721.855904Z#000000#001#000000
>> > ldap_msgfree
>> >
>> > I am not exactly sure how it got to be "too old." The ldif I am
>> > importing is not the result of a slapcat or anything that would preserve
>> > the CSN or UUID attributes (not that syncrepl uses UUID). I am loading
>> > one single file with ldapadd which, in my understanding, sets up the CSN
>> > and wouldn't let me import one anyway.
>> >
>> > Each server has no entries until I load the one, so there shouldn't be
>> > any weird stale CSNs causing this. They are "sync'ed" almost instantly
>> > after the one system is loaded - I just don't have everything.
>> >
>> > After a sync:
>> > ldap1 - slapcat |grep dn: |wc -l = 41
>> > ldap2 - slapcat |grep dn: |wc -l = 18
>> >
>> > Right now I can get them in sync with a slapcat/slapadd, but when they go
>> > into production I won't be able to say for certain which one is
>> > authoritative. That is the purpose of multi-master....
>> >
>> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
>> >
>> > Any ideas as to what I can do to stop this from happening?
>> >
>> > Pat
>> >
>> >
>> >
>> >
>>
>
>
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
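As an added illustration of the check behind the "CSN too old, ignoring" line in the debug output above (code written for this page, not OpenLDAP source): a syncrepl consumer keeps the newest CSN it has seen for each server ID and drops any incoming CSN for the same SID that is not strictly newer. The function names, the `known` state dictionary and the second, later CSN are this example's own constructions; the first CSN and cookie are the ones from the thread.

```python
import re

# CSN layout: time.usecZ#count#sid#mod. Every field is fixed width, so the
# canonical string sorts in time order and CSNs can be compared as strings.
CSN_RE = re.compile(
    r"^(?P<time>\d{14})\.(?P<usec>\d{6})Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)

def parse_csn(csn: str) -> dict:
    """Split a CSN into its fields; count, sid and mod are hex integers."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"malformed CSN: {csn!r}")
    f = m.groupdict()
    return {"time": f["time"], "usec": f["usec"], "count": int(f["count"], 16),
            "sid": int(f["sid"], 16), "mod": int(f["mod"], 16)}

def parse_cookie(cookie: str) -> dict:
    """Parse 'rid=001,sid=002,csn=<csn>[;<csn>...]' as logged by do_syncrep2.
    rid is decimal, sid is hex; csn may carry one CSN per server ID."""
    fields = dict(part.split("=", 1) for part in cookie.split(","))
    return {"rid": int(fields["rid"]),
            "sid": int(fields.get("sid", "0"), 16),
            "csns": fields["csn"].split(";") if "csn" in fields else []}

def apply_cookie(known: dict, cookie: str) -> list:
    """Compare each CSN in the cookie with the newest CSN already held for the
    same sid (known maps sid -> CSN string). Not strictly newer -> 'too old',
    the condition behind slapd's message; newer -> stored and 'accepted'."""
    results = []
    for csn in parse_cookie(cookie)["csns"]:
        sid = parse_csn(csn)["sid"]          # also validates the syntax
        held = known.get(sid)
        if held is not None and csn <= held:
            results.append((csn, "too old"))
        else:
            known[sid] = csn
            results.append((csn, "accepted"))
    return results

if __name__ == "__main__":
    # Constructed walk-through: the consumer already holds sid 1's CSN from the
    # thread, so replaying it is ignored while a later CSN is accepted.
    seen = "20081222174721.855904Z#000000#001#000000"
    state = {1: seen}
    print(apply_cookie(state, f"rid=001,sid=002,csn={seen}"))
    print(apply_cookie(state, "rid=001,sid=002,csn=20081222174800.000001Z#000000#001#000000"))
```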