Hello!
I've implemented in our testing lab, 2 openldap master servers (both configured as mirror mode); 1 HA server with HAproxy (to grant load balancing and tcp proxying to both masters), and 1 openldap slave which synchronizes its data from the masters through the HA server. All writes sent to the slave (add/edit ous and users), are forwarded to the masters. It work as is supposed to.
I've also implemented the ppolicy overlay on this architecture, with "olcPPolicyForwardUpdates" set to TRUE on the slave. All authentication failures made on the slave, are sent to the masters so they can manage the policy. Here is the issue:
On the slave, after a few write operations, its database misses its base (objectClass: dcObject). On the master, after an ldapsearch to its base I get the following:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9V1poc1UwK3VIV0FtMXRMMm1XdE9xU0Y4M3NHY05Qd28=
dn: ou=Test,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Test
On the slave, after an ldapsearch to its base, I get the following:
dn: ou=Test,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Test
I can still fetch objects, and make modifications to them from the slave; but tools like PHPLDAPADMIN, which constructs the tree from "dcObject", shows the following message: "This base cannot be created with PLA."
All this servers are Debian SID, with slapd 2.4.39.
I've been searching on the Internet how to solve this issue without any luck. Can someone point me to the right direction?