[Date Prev][Date Next] [Chronological] [Thread] [Top]
replication

To: openldap-technical@openldap.org
Subject: replication
From: rocke.robertson@pch.gc.ca
Date: Mon, 15 Aug 2011 09:37:46 -0400
Good morning list

I am having no end of problems trying to setup a delta synchronized
replication. One consumer and one provider.


Symptoms are as follows:

User can authenticate and login using provider. If user changes password,
new password does not get replicated to consumer. If password has not
changed the user can authenticate and login using the consumer.



Provider configuration is as follows:

include		 		 /etc/openldap/schema/misc.schema
include		 		 /etc/openldap/schema/core.schema
include		 		 /etc/openldap/schema/cosine.schema
include		 		 /etc/openldap/schema/inetorgperson.schema
include		 		 /etc/openldap/schema/nis.schema
include		  		 /etc/openldap/schema/redhat/autofs.schema

include		  		 /etc/openldap/schema/ppolicy.schema

### added for host_attr access, this scheme gives me a host object for
wrappers
include		 		 /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_cred

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral		 ldap://root.openldap.org

pidfile		 		 /var/run/openldap/slapd.pid
argsfile		 /var/run/openldap/slapd.args

loglevel 256
logfile /var/log/slapd.log

# Load dynamic backend modules using this path!!!
modulepath  /usr/lib/openldap

moduleload ppolicy.la
moduleload accesslog.la

schemacheck     on
lastmod         on

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to attrs=shadowLastChange
  by self write
  by * read

access to *
      by * read

##NOPE access to * by * write

# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited

# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database    bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"

# rootpw
rootpw {SSHA}xxxyyyzzzz

directory		 /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID        eq

# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout


# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited


The consumer configuration is as follows:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/ppolicy.schema

### added for host_attr access, this scheme gives me a host object for
wrappers
include         /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_cred

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel 256
#loglevel -1
#loglevel 16384
logfile /var/log/slapd.log

modulepath  /usr/lib/openldap

# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"

directory       /var/lib/ldap

# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #

# syncrepl specific indices
index entryUUID eq

# syncrepl directives
syncrepl  rid=0
               provider=ldap://ldap
               bindmethod=simple
               binddn="uid=replicator,ou=people,dc=chin,dc=ca"
               #binddn="cn=admin,dc=chin,dc=ca"
               credentials=xyzyzzz
               searchbase="dc=chin,dc=ca"
               logbase="cn=accesslog"
               logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
               schemachecking=on
               type=refreshAndPersist
               retry="60 +"
               syncdata=accesslog

     # Refer updates to the master
updateref               ldap://ldap


Error messages on the consumer is:

Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000
mods check (pwdAttribute: value #0 invalid per syntax)
Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying

Which looks like it is missing a schema. But I can't find a schema that is
missing.


Log messages on provider showing replicator account activity.

Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 ACCEPT from
IP=172.16.50.40:45510 (IP=0.0.0.0:389)
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND
dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND
dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 RESULT tag=97 err=0
text=
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH
base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH attr=* +
Aug 15 09:29:53 provir009 slapd[27606]: send_search_entry: conn 6736  ber
write failed.
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 closed (connection
lost on write)
Aug 15 09:29:53 provir009 slapd[27606]: connection_read(17): no connection!
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 fd=17 ACCEPT from
IP=172.16.50.40:45511 (IP=0.0.0.0:389)
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND
dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND
dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 RESULT tag=97 err=0
text=
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=1 SRCH
base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"


I don't know what this means I'm afraid. But intuitively it doesn't look
good.



Any guidance would be astoundingly great. I am new to ldap so this is a bit
of a learning curve.

Many thanks








Rocke Robertson
Gouvernement du Canada | Government of Canada
Follow-Ups:
- Re: replication
  - From: Dmitriy Kirhlarov <dimma@higis.ru>
- Re: replication
  - From: Michael Ströder <michael@stroeder.com>
Prev by Date: Re: Assigning Groups to LDAP users
Next by Date: Re: provider crash on high replication load
Index(es):
- Chronological
- Thread