Re: CSN too old, ignoring - and therefore not syncing
Ok, thanks.
On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
> On Tue, 2008-12-23 at 18:28 +0000, Gavin Henry wrote:
>> Where did you read that those were needed anyway? If it was the admin
>> guide then I need to fix it ;-)
>>
>> Gavin.
>
> I have no idea where I found those at... I know it wasn't the (recent)
> admin guide. It may have been from around the 2.4.8 release, but that
> is long gone...
>
> Pat
>
>>
>> On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>> > On Tue, 2008-12-23 at 15:55 +0000, Gavin Henry wrote:
>> >> Try dropping nopresent and reloadhint relating to ITS5669. You only
>> >> need these two syncprov settings on an accesslog db.
>> >>
>> >> Gavin.
>> >
>> > Thanks, that did the job!
>> >
>> > Pat
>> >
>> >>
>> >> On 23/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>> >> > On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
>> >> >> Can you post your config somewhere?
>> >> >
>> >> >
>> >> > allow bind_v2
>> >> >
>> >> > include /etc/ldap/schema/core.schema
>> >> > include /etc/ldap/schema/cosine.schema
>> >> > include /etc/ldap/schema/nis.schema
>> >> > include /etc/ldap/schema/inetorgperson.schema
>> >> > include /etc/ldap/schema/samba.schema
>> >> > include /etc/ldap/schema/eduperson-200412.schema
>> >> > include /etc/ldap/schema/hdb.schema
>> >> > include /etc/ldap/schema/IWU.schema
>> >> >
>> >> > pidfile /var/run/slapd/slapd.pid
>> >> > argsfile /var/run/slapd/slapd.args
>> >> >
>> >> > modulepath /usr/lib/ldap
>> >> > moduleload back_hdb
>> >> > moduleload back_monitor
>> >> > moduleload memberof
>> >> > moduleload syncprov
>> >> > moduleload smbk5pwd
>> >> >
>> >> > tool-threads 2
>> >> > sizelimit 500
>> >> > idletimeout 7200
>> >> >
>> >> > TLSCACertificateFile /etc/ldap/ssl/IWU.crt
>> >> > TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
>> >> > TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
>> >> > TLSVerifyClient allow
>> >> >
>> >> > localSSF 160
>> >> > security ssf=1 update_ssf=128 simple_bind=112
>> >> > sasl-secprops noanonymous
>> >> >
>> >> > access to dn.base="" by * read
>> >> > access to dn.base="cn=Subschema" by * read
>> >> >
>> >> > backend hdb
>> >> > database hdb
>> >> >
>> >> > overlay memberof
>> >> > overlay smbk5pwd
>> >> > overlay syncprov
>> >> >
>> >> > smbk5pwd-enable samba
>> >> > smbk5pwd-enable krb5
>> >> > smbk5pwd-must-change 0
>> >> >
>> >> > syncprov-checkpoint 100 10
>> >> > syncprov-sessionlog 200
>> >> > syncprov-nopresent TRUE
>> >> > syncprov-reloadhint TRUE
>> >> >
>> >> > suffix "dc=iwu,dc=edu"
>> >> >
>> >> > rootdn "cn=admin,dc=iwu,dc=edu"
>> >> > rootpw {redacted}
>> >> >
>> >> > authz-regexp "uidNumber=0\\\
>> >> > +gidNumber=.*,cn=peercred,cn=external,cn=auth"
>> >> > "cn=ldapi,dc=iwu,dc=edu"
>> >> > authz-regexp "gidNumber=.*\\\
>> >> > +uidNumber=0,cn=peercred,cn=external,cn=auth"
>> >> > "cn=ldapi,dc=iwu,dc=edu"
>> >> >
>> >> > authz-regexp "uid=(.+),cn=.+,cn=auth"
>> >> > "uid=$1,ou=People,dc=iwu,dc=edu"
>> >> >
>> >> > directory "/var/lib/ldap/"
>> >> >
>> >> > dbconfig set_cachesize 0 62914560 0
>> >> > dbconfig set_lk_max_objects 1500
>> >> > dbconfig set_lk_max_locks 1500
>> >> > dbconfig set_lk_max_lockers 1500
>> >> >
>> >> > # Make sure to do a nightly slapcat
>> >> > dbconfig set_flags DB_LOG_AUTOREMOVE
>> >> >
>> >> > index objectClass eq,pres
>> >> > index default eq,sub,pres
>> >> > index mail eq,sub,pres
>> >> > index sn eq,sub,pres
>> >> > index cn eq,sub,pres
>> >> > index displayName eq,sub,pres
>> >> > index gecos eq,sub,pres
>> >> > index uid eq,sub,pres
>> >> > index memberUid eq,sub,pres
>> >> > index uidNumber eq,pres
>> >> > index gidNumber eq,pres
>> >> > index entryCSN eq,pres
>> >> > index entryUUID eq,pres
>> >> > index uniqueMember eq,pres
>> >> > index userPassword eq,pres
>> >> > index krb5PrincipalName eq,pres
>> >> > index krb5PrincipalRealm eq,pres
>> >> > index sambaDomainName eq,pres
>> >> > index sambaSID eq,pres
>> >> > index sambaPrimaryGroupSID eq,pres
>> >> > index sambaSIDList eq,pres
>> >> >
>> >> > lastmod on
>> >> >
>> >> > checkpoint 256 15
>> >> >
>> >> > password-hash {SSHA}
>> >> >
>> >> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> > limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> > limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> > limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> > limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
>> >> > by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
>> >> > by dn.exact="cn=mirror,dc=iwu,dc=edu" read
>> >> > by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
>> >> > by * break
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
>> >> > by anonymous auth
>> >> > by self write
>> >> > by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
>> >> > by users auth
>> >> > by * break
>> >> >
>> >> > access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
>> >> > access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
>> >> > access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
>> >> > access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
>> >> > access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
>> >> > access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
>> >> >
>> >> > access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by * none
>> >> > access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
>> >> > access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
>> >> > access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read by * none
>> >> > access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self read by * none
>> >> > access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by * none
>> >> >
>> >> > access to dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self read by * none
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
>> >> > by self write
>> >> > by users read
>> >> > by anonymous none
>> >> > by * break
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
>> >> > by self read
>> >> > by anonymous none
>> >> > by * break
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
>> >> > by * none
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu"
>> >> > attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
>> >> > by self read
>> >> > by anonymous none
>> >> > by * break
>> >> >
>> >> > access to dn.sub="dc=iwu,dc=edu" by * read
>> >> >
>> >> > serverID 1
>> >> >
>> >> > syncrepl rid=2
>> >> > provider=ldap://ldap2.iwu.edu/
>> >> > schemachecking=off
>> >> > searchbase="dc=iwu,dc=edu"
>> >> > scope=sub
>> >> > type=refreshAndPersist
>> >> > binddn="cn=mirror,dc=iwu,dc=edu"
>> >> > credentials={redacted}
>> >> > bindmethod=simple
>> >> > starttls=yes
>> >> > tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
>> >> > tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
>> >> > tls_cacert=/etc/ldap/ssl/IWU.crt
>> >> > tls_reqcert=try
>> >> > interval=00:00:00:30
>> >> > retry="15 +"
>> >> > timeout=1
>> >> > timelimit=unlimited
>> >> > sizelimit=unlimited
>> >> >
>> >> > mirrormode on
>> >> >
>> >> > ###############################
>> >> > database monitor
>> >> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited
>> >> > time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >> >
>> >> > access to dn.exact="cn=Monitor"
>> >> > by dn.exact="cn=admin,dc=iwu,dc=edu" read
>> >> > by * none
>> >> >
>> >> > access to dn.subtree="cn=Monitor"
>> >> > by dn.exact="cn=admin,dc=iwu,dc=edu" read
>> >> > by * none
>> >> >
>> >> >
>> >> >>
>> >> >> On 22/12/2008, Pat Riehecky <prieheck@iwu.edu> wrote:
>> >> >> > Here is the quick and dirty version of what I am trying to do:
>> >> >> >
>> >> >> > ldap1 and ldap2 are supposed to be in MultiMaster. They are time
>> >> >> > synced to pool.ntp.org and each other (if they drift I would rather
>> >> >> > they sorta drift together, but pool should be keeping that in check).
>> >> >> >
>> >> >> > Right now I am just beating them up to see how 2.4.13 performs. (So
>> >> >> > far VERY well, minus this little problem)
>> >> >> >
>> >> >> > I have a rather small ldif (41 entries) that just won't sync (I'm
>> >> >> > starting small). Debug gives me
>> >> >> >
>> >> >> > ber_scanf fmt (m}) ber:
>> >> >> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
>> >> >> > 0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 .<rid=001,sid=00
>> >> >> > 0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37 2,csn=2008122217
>> >> >> > 0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30 4721.855904Z#000
>> >> >> > 0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30 000#001#000000
>> >> >> > do_syncrep2: cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
>> >> >> > do_syncrep2: rid=001 CSN too old, ignoring 20081222174721.855904Z#000000#001#000000
>> >> >> > ldap_msgfree
>> >> >> >
>> >> >> > I am not exactly sure how it got to be "too old." The ldif I am
>> >> >> > importing is not the result of a slapcat or anything that would
>> >> >> > preserve the CSN or UUID attributes (not that syncrepl uses UUID). I
>> >> >> > am loading one single file with ldapadd which, in my understanding,
>> >> >> > sets up the CSN and wouldn't let me import one anyway.
>> >> >> >
>> >> >> > Each server has no entries until I load the one, so there shouldn't
>> >> >> > be any weird stale CSNs causing this. They are "sync'ed" almost
>> >> >> > instantly after the one system is loaded - I just don't have everything.
>> >> >> >
>> >> >> > After a sync:
>> >> >> > ldap1 - slapcat |grep dn: |wc -l = 41
>> >> >> > ldap2 - slapcat |grep dn: |wc -l = 18
>> >> >> >
>> >> >> > Right now I can get them in sync with a slapcat/slapadd, but when
>> >> >> > they go into production I won't be able to say for certain which
>> >> >> > one is authoritative. That is the purpose of multi-master....
>> >> >> >
>> >> >> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
>> >> >> >
>> >> >> > Any ideas as to what I can do to stop this from happening?
>> >> >> >
>> >> >> > Pat
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >
>> >> >
>> >>
>> >
>> >
>>
>
>
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
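As an added illustration that is not part of this thread: the cookie and CSN quoted in Pat's debug output, parsed into their fields, with the "CSN too old" decision reproduced so the log line can be read. The field layout (time.usec Z # count # serverID # mod) and the rule that a change is ignored when the consumer already holds a CSN for the same serverID that is not older are taken from OpenLDAP 2.4's documented CSN format and the do_syncrep2 message above; the "newer" CSN used in the demo is constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Example code added to this archive page, not from the thread.
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

class CSN(NamedTuple):
    raw: str    # the full CSN string as it appears in the log
    time: str   # YYYYmmddHHMMSS, UTC
    usec: str   # microseconds
    count: str  # change counter within that microsecond
    sid: str    # serverID that originated the change
    mod: str    # modification counter

def parse_csn(text: str) -> CSN:
    m = CSN_RE.match(text)
    if not m:
        raise ValueError("not a syncrepl CSN: %r" % text)
    return CSN(text, *m.groups())

def parse_cookie(cookie: str) -> Dict[str, object]:
    """Split 'rid=001,sid=002,csn=...' into fields. The csn value may carry
    several CSNs (one per serverID) separated by ';' in a multi-master setup."""
    fields = dict(part.partition("=")[::2] for part in cookie.split(","))
    csns = [parse_csn(c) for c in fields.get("csn", "").split(";") if c]
    return {"rid": fields.get("rid"), "sid": fields.get("sid"), "csns": csns}

def csn_too_old(received: CSN, consumer_csns: List[CSN]) -> bool:
    """True when the consumer already holds a CSN for the same serverID that
    is not older than the received one, which is when slapd logs
    'CSN too old, ignoring'. CSNs are fixed-width, so the plain string
    compare slapd uses orders them chronologically."""
    return any(k.sid == received.sid and received.raw <= k.raw
               for k in consumer_csns)

# Copied from the debug output quoted in the thread.
LOG_COOKIE = "rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000"

if __name__ == "__main__":
    received = parse_cookie(LOG_COOKIE)["csns"][0]
    print(received)
    # Constructed: the consumer already has a CSN from serverID 001 that is
    # nine seconds newer, so the received change is dropped as too old.
    held = [parse_csn("20081222174730.000000Z#000000#001#000000")]
    print(csn_too_old(received, held))  # True
```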