
RE: openldap syncrepl Provider with Slave(older version)



Thanks for the reply Marc, I have corrected my comments.
I still have not succeeded with replication.
 
The current version of my product (with openldap 2.2) does replication using slurpd. With the new RHEL 6.x (openldap 2.4) we want replication to work using syncrepl in such a way that it can replicate data to the slave databases (clients using openldap 2.2).
The openldap document http://www.openldap.org/doc/admin24/replication.html
suggests a way to replace slurpd. For initial understanding I have kept the configured setup very similar to the document (standalone proxy): Master ---> Consumer Proxy ---> syncrepl -> Slave database (replica).
 
1) Can you please guide me why I am getting the following error?
I am getting the following error message in the consumer proxy logs
----------------------------------------------------------------------
syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
syncrepl_entry: rid=001 be_search (49)
syncrepl_entry: rid=001 dc=suretecsystems,dc=com
null_callback : error code 0x31
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com (49)
syncrepl_entry: rid=001 be_add dc=suretecsystems,dc=com failed (49)
do_syncrepl: rid=001 rc 49 retrying (4 retries left)
----------------------------------------------------------------------
 
Master logs show the following
----------------------------------------------------------------------
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
connection_read(13): no connection!
connection_read(13): no connection!
syncprov_search_response: cookie=rid=001,csn=20110819163703.707486Z#000000#000#000000
----------------------------------------------------------------------
Slave logs don't say much
----------------------------------------------------------------------
        mockbuild@x86-007.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
slapd starting
----------------------------------------------------------------------
 
 
My processes and configuration files slapd.conf (master), proxy.conf (consumer proxy) and slave.conf are as below
/usr/sbin/slapd -h ldap://10.52.35.204:389 -f /usr/share/openldap-servers/slapd.conf -d16384
 
/usr/sbin/slapd -h ldap://10.52.35.204:9012 -f /usr/share/openldap-servers/proxy.conf -d16384
 
/usr/sbin/slapd -h ldap://10.52.35.204:9015 -f /usr/share/openldap-servers/slave.conf -d16384
 
I performed the steps below for replication
I)   Started the Master and Proxy consumer databases and took slapcat output
II)  Started a new slave database and populated the slave (slapadd) using the slapcat output of the Master.
III) Added an entry to the master to test replication
 
 
slapd.conf (Master configuration)
---------------------------------------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include     /usr/share/openldap-servers/slapd.acl
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Load dynamic backend modules
modulepath /usr/lib/openldap
moduleload accesslog.la
moduleload syncprov.la
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database        bdb
suffix          "dc=suretecsystems,dc=com"
#directory      /etc/openldap/ldap_db_dir
directory /usr/share/openldap-servers/ldap_data
rootdn          "cn=admin,dc=suretecsystems,dc=com"
rootdn         "cn=admin,dc=suretecsystems,dc=com"
rootpw          testing
checkpoint      1024 5
cachesize       10000
idlcachesize    10000
index       objectClass eq
index       default     sub
checkpoint      1024 5
cachesize       10000
idlcachesize    10000
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database    monitor
database    config
rootpw          testing
 
 
 
proxy.conf (Consumer proxy configuration)
----------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
allow bind_v2
pidfile         /var/run/openldap/slapd.3.pid
argsfile        /var/run/openldap/slapd.3.args
# Load dynamic backend modules
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload pcache.la
moduleload syncprov.la
##############################################################################
# Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap
##############################################################################
database        ldap
# ignore conflicts with other databases, as we need to push out to same suffix
hidden              on
suffix          "dc=suretecsystems,dc=com"
rootdn          "cn=slapd-ldap"
uri             ldap://10.52.35.204:9012/
lastmod         on
restrict        all
acl-bind        bindmethod=simple
                binddn="cn=Rupesh,dc=suretecsystems,dc=com"
                credentials=1234
syncrepl        rid=001
                provider=ldap://10.52.35.204:389/
                binddn="cn=Rupesh,dc=suretecsystems,dc=com"
                bindmethod=simple
                credentials=1234
                searchbase="dc=suretecsystems,dc=com"
                type=refreshAndPersist
                retry="5 5 300 5"
overlay         syncprov
 
 
slave.conf (Slave configuration file)
--------------------------------------------------------------------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include     /usr/share/openldap-servers/slapd.acl
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
pidfile         /var/run/openldap/slapd.sl.pid
argsfile        /var/run/openldap/slapd.sl.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
moduleload accesslog.la
# moduleload pcache.la
moduleload syncprov.la
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
loglevel    sync stats
database        bdb
suffix          "dc=suretecsystems,dc=com"
directory /usr/share/openldap-servers/ldap_slave_data
rootdn          "cn=admin,dc=suretecsystems,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
rootdn         "cn=admin,dc=suretecsystems,dc=com"
rootpw          testing
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
checkpoint      1024 5
cachesize       10000
idlcachesize    10000
# Indices to maintain for this database
index       objectClass eq
index       default     sub
limits dn.exact="cn=Rupesh,dc=suretecsystems,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
updatedn "cn=Rupesh,dc=suretecsystems,dc=com"
updateref   ldap://10.52.35.204:389
database    monitor
database    config
rootpw      testing
------------------------------------------------------------------
cat /usr/share/openldap-servers/slapd.acl
------------------------------------------------------------------
access to dn.base="dc=suretecsystems,dc=com"
       by dn.base="cn=admin,dc=suretecsystems,dc=com" write
       by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
       by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
       by anonymous auth
access to dn.regex="cn=([^,]+),dc=suretecsystems,dc=com"
       by dn.base="cn=admin,dc=suretecsystems,dc=com" write
       by dn.base="cn=Rupesh,dc=suretecsystems,dc=com" write
       by dn.regex="cn=([^,]+),dc=suretecsystems,dc=com" read
       by anonymous auth
------------------------------------------------------------------
 
 
Other than the consumer proxy log errors I have the following queries
2) The updateref entry in the slave configuration points to the master "ldap://10.52.35.204:389"; should it point to the proxy "ldap://10.52.35.204:9012" instead?
3) If I want to query the proxy consumer using the ldapsearch utility, I believe I will need to set the proxycache setting (overlay pcache)?
 
Thanks
Rupesh
 
-----Original Message-----
From: Marc Patermann [mailto:hans.moser@ofd-z.niedersachsen.de]
Sent: Friday, August 19, 2011 4:43 PM
To: Rupesh Thakkar; openldap-technical openldap org
Subject: Re: openldap syncrepl Provider with Slave(older version)
 
Rupesh,
 
Rupesh Thakkar schrieb:
 
> #syncrepl Provider for primary db
>         overlay syncprov
>         syncprov-checkpoint 1000 60
>         # Let the replica DN have limitless searches
>         limits dn.exact="umObjectGUID=218afb42cb5e11e09542001a64e587d4,ou=People,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
>         limits dn.exact="cn=replicator,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
[...]
>         syncrepl        rid=001
>                         provider=ldap://localhost:389/
>                         binddn="cn=replicator,dc=Avaya"
>                         #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya
>                         bindmethod=simple
>                         credentials=Testpw
>                         #credentials=1234
>                         searchbase="dc=Avaya"
>                         type=refreshAndPersist
>                         retry="5 5 300 5"
As far as I know, you cannot comment out "lines" in options like
syncrepl, because internally this is only one line. And so everything
after your first "#" is commented out.
 
"If  a  line begins with white space, it is considered a continuation of
the previous line.  No physical line should be over 2000 bytes long.
Blank lines and comment  lines  beginning  with  a  `#'  character  are
ignored.   Note:  continuation  lines are unwrapped before comment pro-
cessing is applied."
- man slapd.conf
 
 
Marc
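The slapd.conf(5) rule Marc quotes, shown as an added example (not code from the thread or from the OpenLDAP project): a small Python linter that joins continuation lines before comment handling, exactly as the man page describes, and reports any "#" token that ends up inside an unwrapped directive. The sample config below is constructed with placeholder values modelled on the quoted syncrepl stanza; the tokenizer is a plain whitespace split, which is an assumption and does not handle quoted values containing spaces.

```python
"""Lint slapd.conf for '#' inside continued directives.

slapd.conf(5): a physical line starting with whitespace continues the
previous line, and continuation lines are unwrapped BEFORE comment lines
(those beginning with '#') are dropped. So a '#' at the start of an
indented line inside a multi-line directive such as 'syncrepl' is not a
comment line at all; it becomes a token of that directive.
"""


def unwrap(text):
    """Return (line_no, logical_line) pairs after joining continuation lines."""
    logical = []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and logical:
            start, prev = logical[-1]
            logical[-1] = (start, prev + " " + raw.strip())
        else:
            logical.append((no, raw.rstrip()))
    return logical


def parse_directives(text):
    """Drop blank and comment lines after unwrapping; return (line_no, tokens)."""
    out = []
    for no, line in unwrap(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        out.append((no, line.split()))  # assumption: no spaces inside quotes
    return out


def find_hidden_comments(text):
    """Report directives carrying '#...' tokens the author probably meant as comments."""
    findings = []
    for no, tokens in parse_directives(text):
        bad = [t for t in tokens[1:] if t.startswith("#")]
        if bad:
            findings.append((no, tokens[0], bad))
    return findings


# Constructed sample modelled on the quoted syncrepl stanza (placeholder values).
SAMPLE = """\
# provider for primary db
syncrepl        rid=001
                provider=ldap://localhost:389/
                binddn="cn=replicator,dc=example"
                #binddn="cn=old,dc=example"
                bindmethod=simple
                credentials=Testpw
                #credentials=1234
                searchbase="dc=example"
overlay         syncprov
"""

if __name__ == "__main__":
    for no, directive, bad in find_hidden_comments(SAMPLE):
        print(f"line {no}: '{directive}' carries non-comment tokens {bad}")
```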
 