migrating from syncrepl to delta syncrepl
- To: <openldap-technical@openldap.org>
- Subject: migrating from syncrepl to delta syncrepl
- From: "Paul B. Henson" <henson@acm.org>
- Date: Wed, 29 Jan 2014 13:29:24 -0800
- Content-language: en-us
When we first deployed openldap a decade or so ago, we implemented regular
syncrepl rather than delta syncrepl because at the time the latter did not
support mirror mode. As part of a project to implement the password policy
overlay, we plan to switch to delta syncrepl to make the replication of
failed login attributes etc more efficient.

If I understand correctly, while obviously if a provider is only configured
for syncrepl a consumer can only use syncrepl, if a provider is configured
for delta syncrepl, a consumer can do either? As such, my tentative
deployment plan (intended to avoid downtime), is:

* Update configuration on backup master to provide delta syncrepl
* Cutover load balancer to backup master
* Update primary master to provide delta syncrepl, and to consume changes
  from backup master via delta syncrepl
* Cutover load balancer back to primary master
* Update backup master to consume changes from primary master via delta
  syncrepl
* One at a time, remove slaves from load balancer and update to consume
  changes from both masters via delta syncrepl

Currently on my masters, syncrepl is configured as:
-----
overlay syncprov
syncprov-checkpoint 500 30
syncprov-reloadhint TRUE
syncprov-sessionlog 500
-----
And consumers are configured as:
-----
syncrepl rid=1
  provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="dc=csupomona,dc=edu"
  bindmethod=simple
  binddn=cn=XXXX
  credentials=XXXXXX
-----
To add delta syncrepl support to the provider, my understanding is that I
need to add the access log database:
-----
database mdb
directory /var/lib/openldap-data/accesslog
maxsize 2147483648
suffix cn=accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
-----
And update the syncrepl config on the primary database to include the
accesslog overlay:
-----
overlay syncprov
syncprov-checkpoint 500 30
syncprov-reloadhint TRUE
syncprov-sessionlog 500
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
-----
And then on the consumer, I need to update the syncrepl configuration to
include the logbase, logfilter, and syncdata elements:
-----
syncrepl rid=1
  provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="dc=csupomona,dc=edu"
  bindmethod=simple
  binddn=cn=XXXX
  credentials=XXXXXX
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
-----
Does this all seem reasonable and pass sanity check?
Thanks much.
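
Added example, not part of the original post: a small Python lint for the consumer stanza above, checking that the three delta-syncrepl elements the post adds (logbase, logfilter, syncdata) appear together and that a simple bind goes over ldaps:// or starttls=critical. The function names and the sample text are constructed for illustration.

```python
import shlex

# Constructed sample: the delta-syncrepl consumer stanza from the post (placeholder credentials).
SAMPLE = '''\
syncrepl rid=1
  provider=ldaps://master-2.ldap.csupomona.edu/
  type=refreshAndPersist
  retry="10 10 60 +"
  searchbase="dc=csupomona,dc=edu"
  bindmethod=simple
  binddn=cn=XXXX
  credentials=XXXXXX
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
'''

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace); skip blanks and # comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_syncrepl(text):
    """Return one dict of key=value pairs per syncrepl directive."""
    stanzas = []
    for line in logical_lines(text):
        tokens = shlex.split(line)  # honours the double-quoted values
        if tokens[0].lower() == "syncrepl":
            stanzas.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return stanzas

def lint(stanza):
    """Return a list of findings for one consumer stanza (empty list means clean)."""
    findings, delta = [], {"logbase", "logfilter"}
    if stanza.get("syncdata") == "accesslog":
        findings += [f"syncdata=accesslog but {k} is missing" for k in sorted(delta - stanza.keys())]
    elif delta & stanza.keys():
        findings.append("logbase/logfilter set but syncdata is not accesslog")
    tls = stanza.get("provider", "").startswith("ldaps://") or stanza.get("starttls") == "critical"
    if stanza.get("bindmethod") == "simple" and not tls:
        findings.append("simple bind over a provider URL without ldaps:// or starttls=critical")
    return findings
```

Running `lint` over each dict returned by `parse_syncrepl` on a consumer's slapd.conf before restarting it catches a half-converted stanza during the one-at-a-time rollout.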