replication
Good morning list
I am having no end of problems trying to set up a delta-synchronized
replication: one consumer and one provider.
Symptoms are as follows:
User can authenticate and login using provider. If user changes password,
new password does not get replicated to consumer. If password has not
changed the user can authenticate and login using the consumer.
Provider configuration is as follows:
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
logfile /var/log/slapd.log
# Load dynamic backend modules using this path!!!
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload accesslog.la
schemacheck on
lastmod on
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
##NOPE access to * by * write
# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
        time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"
# rootpw
rootpw {SSHA}xxxyyyzzzz
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
        time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
The consumer configuration is as follows:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
#loglevel -1
#loglevel 16384
logfile /var/log/slapd.log
modulepath /usr/lib/openldap
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
directory /var/lib/ldap
# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #
# syncrepl specific indices
index entryUUID eq
# syncrepl directives
syncrepl rid=0
        provider=ldap://ldap
        bindmethod=simple
        binddn="uid=replicator,ou=people,dc=chin,dc=ca"
        #binddn="cn=admin,dc=chin,dc=ca"
        credentials=xyzyzzz
        searchbase="dc=chin,dc=ca"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
        syncdata=accesslog
# Refer updates to the master
updateref ldap://ldap
Error messages on the consumer are:
Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000 mods check (pwdAttribute: value #0 invalid per syntax)
Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Which looks like it is missing a schema. But I can't find a schema that is
missing.
Log messages on the provider showing replicator account activity:
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 ACCEPT from IP=172.16.50.40:45510 (IP=0.0.0.0:389)
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 RESULT tag=97 err=0 text=
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH attr=* +
Aug 15 09:29:53 provir009 slapd[27606]: send_search_entry: conn 6736 ber write failed.
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 closed (connection lost on write)
Aug 15 09:29:53 provir009 slapd[27606]: connection_read(17): no connection!
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 fd=17 ACCEPT from IP=172.16.50.40:45511 (IP=0.0.0.0:389)
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 RESULT tag=97 err=0 text=
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=1 SRCH base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
I don't know what this means I'm afraid. But intuitively it doesn't look
good.
Any guidance would be astoundingly great. I am new to ldap so this is a bit
of a learning curve.
Many thanks
Rocke Robertson
Gouvernement du Canada | Government of Canada
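A diagnostic added here as an example, not code from the original post or from OpenLDAP: it parses a provider and a consumer slapd.conf (joining slapd.conf continuation lines, which begin with whitespace) and reports schema includes, loaded modules and overlays present on the provider but absent on the consumer, plus missing delta-syncrepl prerequisites. The two embedded configs are constructed excerpts modelled on the post (hostnames and suffix are placeholders), and the check only lists differences; which of them matters for a given error is still for the operator to judge.

```python
# Added example, not code from the original post: consistency checks for a
# delta-syncrepl provider/consumer pair of slapd.conf files. Continuation lines
# (leading whitespace) are joined; the two embedded configs are constructed excerpts.
PROVIDER = """\
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
moduleload accesslog.la
suffix cn=accesslog
overlay syncprov
suffix "dc=example,dc=org"
overlay ppolicy
overlay accesslog
logdb cn=accesslog
logops writes
"""
CONSUMER = """\
include /etc/openldap/schema/ppolicy.schema
suffix "dc=example,dc=org"
syncrepl rid=0
        provider=ldap://ldap.example.org
        logbase="cn=accesslog"
        syncdata=accesslog
"""

def parse_slapd_conf(text):
    joined = []  # logical lines, with slapd.conf continuation lines folded in
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [(p[0].lower(), p[1] if len(p) > 1 else "") for p in (l.split(None, 1) for l in joined)]

def first_args(conf, directive):
    return {a.split()[0].strip('"') for d, a in conf if d == directive and a}

def check_pair(provider_text, consumer_text):
    prov, cons = parse_slapd_conf(provider_text), parse_slapd_conf(consumer_text)
    findings = []
    for directive in ("include", "moduleload", "overlay"):
        for v in sorted(first_args(prov, directive) - first_args(cons, directive)):
            if v.split(".")[0] not in ("syncprov", "accesslog"):  # provider-side only
                findings.append(f"consumer lacks provider {directive} {v}")
    if "cn=accesslog" not in first_args(prov, "suffix"):
        findings.append("provider: no cn=accesslog database to log writes into")
    sync = " ".join(a for d, a in cons if d == "syncrepl")
    findings += [f"consumer: syncrepl lacks {n}" for n in ("logbase=", "syncdata=accesslog") if n not in sync]
    return findings
```

Run `check_pair` on the real files' contents; for the embedded excerpts it reports the ppolicy module and overlay as present on the provider but not the consumer.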