Re: CSN too old, ignoring - and therefore not syncing
Also, interval is only used in refreshOnly mode and overlays should be
listed last before the next database definition, stacked in the order you
want them loaded (in your case leave as is as they are in the correct
order).
Thanks.
On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
> On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
>> Can you post your config somewhere?
>
>
> allow bind_v2
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/samba.schema
> include /etc/ldap/schema/eduperson-200412.schema
> include /etc/ldap/schema/hdb.schema
> include /etc/ldap/schema/IWU.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
>
> modulepath /usr/lib/ldap
> moduleload back_hdb
> moduleload back_monitor
> moduleload memberof
> moduleload syncprov
> moduleload smbk5pwd
>
> tool-threads 2
> sizelimit 500
> idletimeout 7200
>
> TLSCACertificateFile /etc/ldap/ssl/IWU.crt
> TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
> TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
> TLSVerifyClient allow
>
> localSSF 160
> security ssf=1 update_ssf=128 simple_bind=112
> sasl-secprops noanonymous
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
>
> backend hdb
> database hdb
>
> overlay memberof
> overlay smbk5pwd
> overlay syncprov
>
> smbk5pwd-enable samba
> smbk5pwd-enable krb5
> smbk5pwd-must-change 0
>
> syncprov-checkpoint 100 10
> syncprov-sessionlog 200
> syncprov-nopresent TRUE
> syncprov-reloadhint TRUE
>
> suffix "dc=iwu,dc=edu"
>
> rootdn "cn=admin,dc=iwu,dc=edu"
> rootpw {redacted}
>
> authz-regexp "uidNumber=0\\\
> +gidNumber=.*,cn=peercred,cn=external,cn=auth"
> "cn=ldapi,dc=iwu,dc=edu"
> authz-regexp "gidNumber=.*\\\
> +uidNumber=0,cn=peercred,cn=external,cn=auth"
> "cn=ldapi,dc=iwu,dc=edu"
>
> authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"
>
> directory "/var/lib/ldap/"
>
> dbconfig set_cachesize 0 62914560 0
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
>
> # Make sure to do a nightly slapcat
> dbconfig set_flags DB_LOG_AUTOREMOVE
>
> index objectClass eq,pres
> index default eq,sub,pres
> index mail eq,sub,pres
> index sn eq,sub,pres
> index cn eq,sub,pres
> index displayName eq,sub,pres
> index gecos eq,sub,pres
> index uid eq,sub,pres
> index memberUid eq,sub,pres
> index uidNumber eq,pres
> index gidNumber eq,pres
> index entryCSN eq,pres
> index entryUUID eq,pres
> index uniqueMember eq,pres
> index userPassword eq,pres
> index krb5PrincipalName eq,pres
> index krb5PrincipalRealm eq,pres
> index sambaDomainName eq,pres
> index sambaSID eq,pres
> index sambaPrimaryGroupSID eq,pres
> index sambaSIDList eq,pres
>
> lastmod on
>
> checkpoint 256 15
>
> password-hash {SSHA}
>
> limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
> limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
>
> access to dn.sub="dc=iwu,dc=edu"
> by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
> by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
> by dn.exact="cn=mirror,dc=iwu,dc=edu" read
> by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
> by anonymous auth
> by self write
> by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
> by users auth
> by * break
>
> access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
> access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
>
> access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by *
> none
> access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
> access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
> access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read
> by * none
> access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self
> read by * none
> access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by *
> none
>
> access to
> dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self
> read by * none
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
> by self write
> by users read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
> by self read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
> by * none
>
> access to dn.sub="dc=iwu,dc=edu"
> attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
> by self read
> by anonymous none
> by * break
>
> access to dn.sub="dc=iwu,dc=edu" by * read
>
> serverID 1
>
> syncrepl rid=2
> provider=ldap://ldap2.iwu.edu/
> schemachecking=off
> searchbase="dc=iwu,dc=edu"
> scope=sub
> type=refreshAndPersist
> binddn="cn=mirror,dc=iwu,dc=edu"
> credentials={redacted}
> bindmethod=simple
> starttls=yes
> tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
> tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
> tls_cacert=/etc/ldap/ssl/IWU.crt
> tls_reqcert=try
> interval=00:00:00:30
> retry="15 +"
> timeout=1
> timelimit=unlimited
> sizelimit=unlimited
>
> mirrormode on
>
> ###############################
> database monitor
> limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
> time.hard=unlimited size.soft=unlimited time.soft=unlimited
>
> access to dn.exact="cn=Monitor"
> by dn.exact="cn=admin,dc=iwu,dc=edu" read
> by * none
>
> access to dn.subtree="cn=Monitor"
> by dn.exact="cn=admin,dc=iwu,dc=edu" read
> by * none
>
>
>>
>> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>> > Here is the quick and dirty what I am trying to do:
>> >
>> > ldap1 and ldap2 are supposed to be in MultiMaster. They are time synced
>> > to pool.ntp.org and each other (if they drift I would rather they sorta
>> > drift together, but pool should be keeping that in check).
>> >
>> > Right now I am just beating them up to see how 2.4.13 performs. (So far
>> > VERY well, minus this little problem)
>> >
>> > I have a rather small ldif (41 entries) that just wont sync (I'm
>> > starting small). Debug gives me
>> >
>> > ber_scanf fmt (m}) ber:
>> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
>> > 0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30
>> > 30 .<rid=001,sid=00
>> > 0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37
>> > 2,csn=2008122217
>> > 0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30
>> > 4721.855904Z#000
>> > 0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30
>> > 000#001#000000
>> > do_syncrep2:
>> > cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
>> > do_syncrep2: rid=001 CSN too old, ignoring
>> > 20081222174721.855904Z#000000#001#000000
>> > ldap_msgfree
>> >
>> > I am not exactly sure how it gotten to be "too old." The ldif I am
>> > importing is not the result of a slapcat or anything that would preserve
>> > the CSN or UUID attributes (not that syncrepl uses UUID). I am loading
>> > one single file with ldapadd which, in my understanding, sets up the CSN
>> > and wouldn't let me import one anyway.
>> >
>> > Each server has no entries until I load the one, so there shouldn't be
>> > any weird stale CSNs causing this. They are "sync'ed" almost instantly
>> > after the one system is loaded - I just don't have everything.
>> >
>> > After a sync:
>> > ldap1 - slapcat |grep dn: |wc -l = 41
>> > ldap2 - slapcat |grep dn: |wc -l = 18
>> >
>> > Right now I can get them in sync with a slapcat/slapadd, but when the go
>> > into production I wont be able to say for certain which one is
>> > authoritative. That is the purpose of multi-master....
>> >
>> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
>> >
>> > Any ideas as to what I can do to stop this from happening?
>> >
>> > Pat
>> >
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
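Added example (not from the thread and not OpenLDAP's own code): a Python parser for the syncrepl cookie and CSN format that appears in the debug output quoted above, with a check modelled on the consumer's "CSN too old" decision (a plain string compare of the fixed-width CSN against the stored contextCSN for the same originating serverID) and a clock-skew measure between two CSNs, since the thread raises time sync between the two masters. The log cookie is copied from the thread; every other CSN value is constructed.

```python
"""Parse OpenLDAP 2.4 syncrepl cookies and CSNs, then replay the consumer's
'CSN too old' decision on constructed values (added example, not slapd code)."""
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# CSN layout: YYYYmmddHHMMSS.ffffffZ#count(6 hex)#sid(3 hex)#mod(6 hex)
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

class CSN(NamedTuple):
    raw: str    # fixed-width text: slapd orders CSNs by plain string compare
    stamp: str  # 14-digit UTC wall-clock time of the change
    usec: str
    count: int
    sid: int    # serverID of the master that originated the change
    mod: int

    def time(self):
        base = datetime.strptime(self.stamp, "%Y%m%d%H%M%S")
        return base + timedelta(microseconds=int(self.usec))

def parse_csn(text):
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError("not a CSN: %r" % text)
    stamp, usec, count, sid, mod = m.groups()
    return CSN(m.group(0), stamp, usec, int(count, 16), int(sid, 16), int(mod, 16))

def parse_cookie(cookie):
    """'rid=001,sid=002,csn=<csn>[;<csn>...]' -> (rid, sid, {origin sid: CSN})."""
    fields = dict(part.split("=", 1) for part in cookie.split(","))
    csns = [parse_csn(c) for c in fields["csn"].split(";") if c]
    return int(fields["rid"]), int(fields["sid"]), {c.sid: c for c in csns}

def check_csn(context, incoming):
    """Consumer rule (modelled, not copied): a sync message whose CSN is not
    newer than the consumer's stored CSN for the same originating sid is ignored."""
    known = context.get(incoming.sid)
    if known is not None and incoming.raw <= known.raw:
        return "too old"
    return "accept"

def skew_seconds(a, b):
    """Wall-clock distance between two CSNs; a large gap between masters
    means clock drift, which makes genuinely new changes look old."""
    return abs((a.time() - b.time()).total_seconds())

# Cookie copied from the debug output quoted in the thread.
LOG_COOKIE = "rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000"
```

Feed `check_csn` the CSNs from your own consumer's contextCSN and from the provider's cookie to see which side is considered stale before touching the data.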