Hello Jonathan & Oliver,
thanks for your answers. Because you are both asking about config
details, I'll try to answer, but you can also find my complete slapd.conf
below so that you can take a look yourselves.
On 18.08.2010 11:57, Jonathan Clarke wrote:
Hi,
Does your config also contain appropriate SID definitions and a syncrepl
consumer for each master? With mirrormode set to TRUE?
I think so; please see my complete slapd.conf below. @Oliver: the server
IDs are different, and I think I also have a separate syncrepl
section for every server.
Are the servers tightly time synchronized, via NTP or equivalent?
I'm in doubt about that. Of course NTP is configured and works on both
servers, but the offset from their master time server differs quite a bit:
ldapmaster:
remote refid offset
=========================================
LOCAL(0) .LOCL. 0.000
*ns1.at.signintr 192.168.220.82 48.630
+a891lx03.schenk 192.168.220.82 188.350
ldapslave:
remote refid offset
=========================================
LOCAL(0) .LOCL. 0.000
*a890lx03.schenk 192.168.220.82 7.553
+ns2.at.signintr 192.168.220.82 132.635
I have read recommendations that the offsets of the two servers should
not differ by more than one or two milliseconds, but I don't know how I
could achieve or influence that. Both machines are in the same subnet
and physically in the same location, and the hardware and ntpd setup are
the same.
What error messages (if any) are given when running with "olcLogLevel:
sync", on either node?
It logs a lot, and I don't know exactly what to look for. Please give
me some time to arrange it into a readable form...
Here's my complete slapd.conf:
--------------------------------
loglevel 16384
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
## server IDs/URLs for MMR ###
ServerID 1 "ldap://ldapmaster.local.site"
ServerID 2 "ldap://ldapslave.local.site"
#######################################################################
database config
rootdn cn=config
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q
### syncrepl directives for MMR of the OLC (cn=config) ###
syncrepl rid=003
provider="ldap://ldapmaster.local.site"
searchbase="cn=config"
type=refreshAndPersist
retry="5 +"
bindmethod=simple
binddn="cn=config"
credentials="<secret>"
filter="(!(olcDatabase={0}config))"
syncrepl rid=004
provider="ldap://ldapslave.local.site"
searchbase="cn=config"
type=refreshAndPersist
retry="5 +"
bindmethod=simple
binddn="cn=config"
credentials="<secret>"
filter="(!(olcDatabase={0}config))"
overlay syncprov
MirrorMode On
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=local,dc=site"
rootdn "cn=ldapadmin,dc=local,dc=site"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}iLwhoppdqOjJ+0HUroiScDJ3cpbOgo4u
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/
# Indices to maintain
index objectClass eq
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100
limits dn.exact="cn=replicator,dc=local,dc=site"
size=unlimited time=unlimited
access to *
by dn.exact="cn=replicator,dc=local,dc=site" read
by * break
### syncrepl directives for MMR of the main context ###
syncrepl rid=001
provider="ldap://ldapmaster.local.site"
type=refreshAndPersist
retry="5 +"
searchbase="dc=local,dc=site"
bindmethod=simple
binddn="cn=replicator,dc=local,dc=site"
credentials="<secret>"
syncrepl rid=002
provider="ldap://ldapslave.local.site"
type=refreshAndPersist
retry="5 +"
searchbase="dc=local,dc=site"
bindmethod=simple
binddn="cn=replicator,dc=local,dc=site"
credentials="<secret>"
MirrorMode On
----------------------------------------
best regards..
--
elmar
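A check script added here as an example (it is not part of Elmar's mail or of OpenLDAP itself) for the two things the thread asks about: whether the NTP offsets of the two nodes are within the one-or-two-millisecond band the mail quotes, and whether both nodes of the mirrormode pair carry the same contextCSN for every serverID. The host names and offset values come from the mail; the remaining `ntpq -p` columns and the contextCSN values are constructed sample data, and the ldapsearch invocation in the comments assumes the suffix `dc=local,dc=site` from the posted slapd.conf.

```shell
#!/bin/sh
# Added example (not from the mail or from OpenLDAP): two checks for a two-node
# mirrormode pair. The sample outputs below are constructed; only the offset
# values and host names come from the thread, every other column is made up.

# --- constructed sample data ---------------------------------------------------
# `ntpq -p` on ldapmaster (full column layout; the mail only showed 3 columns)
NTPQ_MASTER='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   42   64  377    0.000    0.000   0.001
*ns1.at.signintr 192.168.220.82   3 u   38   64  377    0.412   48.630   2.115
+a891lx03.schenk 192.168.220.82   3 u   20   64  377    0.351  188.350   3.002'

# `ntpq -p` on ldapslave
NTPQ_SLAVE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   17   64  377    0.000    0.000   0.001
*a890lx03.schenk 192.168.220.82   3 u   12   64  377    0.298    7.553   1.870
+ns2.at.signintr 192.168.220.82   3 u   50   64  377    0.433  132.635   2.412'

# `ldapsearch -x -LLL -H ldap://HOST -b dc=local,dc=site -s base contextCSN`
# on each node; a mirrormode pair carries one contextCSN per serverID (001, 002).
CSN_MASTER='dn: dc=local,dc=site
contextCSN: 20100818095712.304561Z#000000#001#000000
contextCSN: 20100818095655.118702Z#000000#002#000000'

CSN_SLAVE="$CSN_MASTER"          # in sync: identical CSN set on the second node

CSN_STALE='dn: dc=local,dc=site
contextCSN: 20100818095712.304561Z#000000#001#000000
contextCSN: 20100818093001.000000Z#000000#002#000000'   # SID 002 lags behind

# --- functions -------------------------------------------------------------------
# Print the offset (ms) of the selected system peer, the row ntpq marks with '*'.
syspeer_offset() {
    awk '$1 ~ /^\*/ { print $9 }'
}

# Print "ok" if two offsets (ms) differ by at most $3 ms, otherwise "drift".
offset_check() {
    awk -v a="$1" -v b="$2" -v t="$3" \
        'BEGIN { d = a - b; if (d < 0) d = -d; r = (d <= t) ? "ok" : "drift"; print r }'
}

# Print the contextCSN carrying serverID $1 (e.g. 001) from ldapsearch output on stdin.
csn_for_sid() {
    awk -v sid="$1" '/^contextCSN:/ { split($2, p, "#"); if (p[3] == sid) print $2 }'
}

# Compare the contextCSN sets of two nodes ($1, $2: ldapsearch output as strings).
# Prints "in-sync" when every serverID agrees, else one "sid NNN differs" line each.
csn_compare() {
    state=in-sync
    for sid in $(printf '%s\n%s\n' "$1" "$2" |
                 awk '/^contextCSN:/ { split($2, p, "#"); print p[3] }' | sort -u); do
        a=$(printf '%s\n' "$1" | csn_for_sid "$sid")
        b=$(printf '%s\n' "$2" | csn_for_sid "$sid")
        if [ "$a" != "$b" ]; then
            printf 'sid %s differs: %s vs %s\n' "$sid" "${a:-missing}" "${b:-missing}"
            state=out-of-sync
        fi
    done
    if [ "$state" = in-sync ]; then echo in-sync; fi
}

# Run both checks against the samples; on the real hosts feed the output of
# `ntpq -p` and the ldapsearch above into the same functions.
main() {
    m=$(printf '%s\n' "$NTPQ_MASTER" | syspeer_offset)
    s=$(printf '%s\n' "$NTPQ_SLAVE" | syspeer_offset)
    echo "ntp: master=${m}ms slave=${s}ms -> $(offset_check "$m" "$s" 2)"
    echo "csn: $(csn_compare "$CSN_MASTER" "$CSN_SLAVE")"
    echo "csn (stale node):"
    csn_compare "$CSN_MASTER" "$CSN_STALE"
}
main
```

With the mail's figures the NTP check reports "drift" (48.630 ms against 7.553 ms is far outside a 2 ms band), which is the kind of concrete number worth attaching to the sync log when reporting back. The contextCSN comparison is the quickest way to see whether a lag is confined to one serverID, since each node advances only the CSN of the SID whose writes it has applied.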