RE: openldap syncrepl Provider with Slave(older version)

[Rupesh Thakkar <Rupesh.Thakkar@symphonysv.com>]

Thanks for reply Mark, I have corrected my comments.

Still not succeeded in replication.

 

The current version of my product (with openldap 2.2) does replication using slurpd.With new RHEL 6.x(openldap 2.4) we want replication to work using syncrepl in such way that it can replicate data to slaves databases (clients using openldap 2.2).

The openldap document http://www.openldap.org/doc/admin24/replication.html

suggest way to replace slurpd. For initial understanding I have kept configured setup very similar to document(standalone proxy) Master---> Consumer Proxy --->syncrepl->Slave database(replica).

 

1)Can you please guide me why am getting following error ?

I am getting error following error message in consumer proxy logs

----------------------------------------------------------------------

syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)

syncrepl_entry: rid=001 be_search (49)

syncrepl_entry: rid=001 dc=suretecsystems,dc=com

null_callback : error code 0x31

syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com (49)

syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com failed (49)

do_syncrepl: rid=001 rc 49 retrying (4 retries left)

----------------------------------------------------------------------

 

Master logs show following

----------------------------------------------------------------------

connection_read(13): no connection!

connection_read(13): no connection!

syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000

connection_read(13): no connection!

connection_read(13): no connection!

syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000

----------------------------------------------------------------------

Slave logs doesn’t say much

----------------------------------------------------------------------

        mockbuild@x86-007.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

slapd starting

----------------------------------------------------------------------

 

 

My processes and configurations file slapd.conf(master),proxy.conf(consumer proxy) and slave.conf are as below

/usr/sbin/slapd -h ldap://10.52.35.204:389 -f /usr/share/openldap-servers/slapd.conf -d16384

 

/usr/sbin/slapd -h ldap://10.52.35.204:9012 -f /usr/share/openldap-servers/proxy.conf -d16384

 

/usr/sbin/slapd -h ldap://10.52.35.204:9015 -f /usr/share/openldap-servers/slave.conf -d16384

 

I performed below steps for replication

I)   Started Master and Proxy consumer databases and took slapcat output

II)  Started new slave database, populated slave(slapadd )using output of       slapcat out of Master.

III) Added an entry to master for testing replication to check replication

 

 

slapd.conf(Master configuration)

---------------------------------------------------------------------------

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

include     /usr/share/openldap-servers/slapd.acl

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules

modulepath /usr/lib/openldap

moduleload accesslog.la

moduleload syncprov.la

#######################################################################

# ldbm and/or bdb database definitions

#######################################################################

database        bdb

suffix          "dc=suretecsystems,dc=com"

#directory      /etc/openldap/ldap_db_dir

directory /usr/share/openldap-servers/ldap_data

rootdn          "cn=admin,dc=suretecsystems,dc=com"

rootdn         "cn=admin,dc=suretecsystems,dc=com"

rootpw          testing

checkpoint      1024 5

cachesize       10000

idlcachesize    10000

index       objectClass eq

index       default     sub

checkpoint      1024 5

cachesize       10000

idlcachesize    10000

index entryCSN eq

index entryUUID eq

overlay syncprov

syncprov-checkpoint 1000 60

limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

database    monitor

database    config

rootpw          testing

 

 

 

proxy.conf(Consumer proxy configuration)

----------------------------------------------------------------------------

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.3.pid

argsfile        /var/run/openldap/slapd.3.args

# Load dynamic backend modules

modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap

moduleload accesslog.la

moduleload pcache.la

moduleload syncprov.la

##############################################################################

# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap

##############################################################################

database        ldap

# ignore conflicts with other databases, as we need to push out to same suffix

hidden              on

suffix          "dc=suretecsystems,dc=com"

rootdn          "cn=slapd-ldap"

uri             ldap://10.52.35.204:9012/

lastmod         on

restrict        all

acl-bind        bindmethod=simple

                binddn="cn=Rupesh,dc=suretecsystems,dc=com"

                credentials=1234

syncrepl        rid=001

                provider=ldap://10.52.35.204:389/

                binddn="cn=Rupesh,dc=suretecsystems,dc=com"

                bindmethod=simple

                credentials=1234

                searchbase="dc=suretecsystems,dc=com"

                type=refreshAndPersist

                retry="5 5 300 5"

overlay         syncprov

 

 

Slave.conf (Slave configuration file)

--------------------------------------------------------------------------

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /etc/openldap/schema/corba.schema

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/duaconf.schema

include         /etc/openldap/schema/dyngroup.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/java.schema

include         /etc/openldap/schema/misc.schema

include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/openldap.schema

include         /etc/openldap/schema/ppolicy.schema

include         /etc/openldap/schema/collective.schema

include     /usr/share/openldap-servers/slapd.acl

# Allow LDAPv2 client connections.  This is NOT the default.

allow bind_v2

pidfile         /var/run/openldap/slapd.sl.pid

argsfile        /var/run/openldap/slapd.sl.args

# Load dynamic backend modules

# - modulepath is architecture dependent value (32/64-bit system)

# - back_sql.la overlay requires openldap-server-sql package

# - dyngroup.la and dynlist.la cannot be used at the same time

modulepath /usr/lib/openldap

# modulepath /usr/lib64/openldap

moduleload accesslog.la

# moduleload pcache.la

moduleload syncprov.la

#######################################################################

# ldbm and/or bdb database definitions

#######################################################################

loglevel    sync stats

database        bdb

suffix          "dc=suretecsystems,dc=com"

directory /usr/share/openldap-servers/ldap_slave_data

rootdn          "cn=admin,dc=suretecsystems,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoided.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

# rootpw                secret

# rootpw                {crypt}ijFYNcSNctBYg

rootdn         "cn=admin,dc=suretecsystems,dc=com"

rootpw          testing

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

checkpoint      1024 5

cachesize       10000

idlcachesize    10000

# Indices to maintain for this database

index       objectClass eq

index       default     sub

limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

updatedn "cn=Rupesh,dc=suretecsystems,dc=com"

updateref   ldap://10.52.35.204:389

database    monitor

database    config

rootpw      testing

------------------------------------------------------------------

cat /usr/share/openldap-servers/slapd.acl

------------------------------------------------------------------

access to dn.base="dc=suretecsystems,dc=com"

       by dn.base="cn=admin,dc=suretecsystems,dc=com" write

       by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write

       by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read

       by anonymous auth

access to dn.regex="cn=([^,]+),dc=suretecsystems,dc=com"

       by dn.base="cn=admin,dc=suretecsystems,dc=com" write

       by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write

       by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read

       by anonymous auth

------------------------------------------------------------------

 

 

Other than consumer proxy log errors I have following queries

2)updateref  entry in slave configuration pointing to master "ldap://10.52.35.204:389", should it point to " proxy   "ldap://10.52.35.204:9012" ?

3)If I want to query proxy consumer using ldapsearch utility, I believe I will require to set proxycache setting(overlay pcache) ?

 

Thanks

Rupesh

 

-----Original Message-----
From: Marc Patermann [mailto:hans.moser@ofd-z.niedersachsen.de]
Sent: Friday, August 19, 2011 4:43 PM
To: Rupesh Thakkar; openldap-technical openldap org
Subject: Re: openldap syncrepl Provider with Slave(older version)

 

Rupesh,

 

Rupesh Thakkar schrieb:

 

> #syncrepl Provider for primary db

>         overlay syncprov

>         syncprov-checkpoint 1000 60

>         # Let the replica DN have limitless searches

>         limits dn.exact="umObjectGUID=218afb42cb5e11e09542001a64e587d4,ou=People,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

>         limits dn.exact="cn=replicator,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

[...]

>         syncrepl        rid=001

>                         provider=ldap://localhost:389/

>                         binddn="cn=replicator,dc=Avaya"

>                         #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya

>                         bindmethod=simple

>                         credentials=Testpw

>                         #credentials=1234

>                         searchbase="dc=Avaya"

>                         type=refreshAndPersist

>                         retry="5 5 300 5"

As far as I know, you cannot comment out "lines" in options like

syncrepl, because interally this is only one line. And so everything

after your first "#" is commented out.

 

"If  a  line begins with white space, it is considered a continuation of

the previous line.  No physical line should be over 2000 bytes long.

Blank lines and comment  lines  beginning  with  a  `#'  character  are

ignored.   Note:  continuation  lines are unwrapped before comment pro-

cessing is applied."

- man slapd.conf

 

 

Marc

 

"This email and any files transmitted with it contain confidential, proprietary, 
privileged information of Symphony Services Corp (India) Pvt. Ltd. and are intended 
solely for the use of the recipient/s to whom it is addressed. Any unauthorized 
notifying, copying or distributing of this e-mail, directly or indirectly, and the 
contents therein in full or part is prohibited by any entity who is not a recipient. 
Any email received inadvertently or by mistake should be deleted by the entity who 
is not a recipient thereof. You may be pleased to notify the sender immediately by 
email and the email should be deleted from your system".