
syncrepl: turn consumer into a stand-alone ldap server

Hi everyone,

I have configured an ldap replication based on the producer-consumer mechanism using the syncrepl module.
It worked fine, but at first the ldap tree was only partially imported on the consumer because the autofs.schema was missing.
It took me a few hours (days?) to find out that I had to import the autofs.ldif manually on the consumer to make it work properly:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs.ldif

(that might not be the recommended way to achieve the sync but that worked).

Now that I have my producer and consumer perfectly in sync, I would like to get rid of the producer server and turn my consumer into the master ldap server (that might be used later as a producer). I wonder if it is possible...

I almost achieved "un-configuring" the consumer mechanism, but the "ex-consumer" now has an odd behaviour: it allows me to modify the ldap tree with ldapmodify (normally impossible on a consumer), but the tree is effectively modified on the ex-producer and not on the consumer itself. Yet when I perform an ldapsearch, it searches the consumer tree, not the producer side.

To initially configure the consumer, I had injected the following ldif file:

### consumer.ldif ###
#Load the syncprov module.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

#syncrepl specific indices
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.50.1.11 bindmethod=simple binddn="cn=synchronisator,dc=office,dc=myorg,dc=be" credentials=mysecret searchbase="dc=office,dc=myorg,dc=be" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
-
add: olcUpdateRef
olcUpdateRef: ldap://10.50.1.11

So I thought that after sync, disabling the consumer property would be as simple as unloading the syncprov module and removing the olcSyncRepl directive... this way:

### removeSyncprovModule.ldif ###
dn: cn=module{0},cn=config
changetype: modify
delete: olcModuleLoad
olcModuleLoad: {1}syncprov

### disableConsumer.ldif ###
dn: olcDatabase={1}bdb,cn=config
changetype: modify
delete: olcSyncrepl
-
delete: olcUpdateRef

But the ldapmodify returned an error when trying to inject that ldif file. Such operations are not allowed on the consumer.

So I had no other choice than to edit the ldif manually (though it is not recommended!) to delete the corresponding directives and restart the ldap server (/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif).
Of course the server complained about wrong checksums. So I applied the method suggested on this page to fix it:
http://serverfault.com/questions/499856/is-there-any-bad-thing-happens-if-i-change-etc-ldap-slapd-d-cn-config-ldif-manu
(basically removing and re-adding the schemas+data using slapcat and slapadd)

Since then, the consumer is not synced with the producer anymore (good), but as I mentioned above, any attempt to modify the tree on the ex-consumer side results in a modification on the ex-producer side and not on the consumer.

Is there any easier and working way to turn a consumer into a stand-alone master ldap server?

Thank you.

Yannick
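Added example, not part of the original message: a check to run on the ex-consumer before treating the conversion as done. It reads cn=config as LDIF from stdin and reports whether any of the three consumer directives the message removes (olcSyncRepl, olcUpdateRef and the syncprov olcModuleLoad) are still present; olcUpdateRef in particular is the directive that tells a consumer where to refer clients that try to write. The sample LDIF is constructed, with DNs taken from the message's config.

```shell
#!/bin/sh
# Added example, not from the original post. Scans cn=config in LDIF form
# (e.g. the output of `slapcat -n 0`, or an ldapsearch of cn=config over
# ldapi:///) read from stdin and prints every consumer-side directive that
# is still present, one per line, prefixed with the entry it lives in:
#   olcSyncRepl                the replication agreement
#   olcUpdateRef               the URL writes on a consumer are referred to
#   olcModuleLoad ...syncprov  the module the post loaded on the consumer
# Exit status is the number of leftovers found (0 = nothing left).
check_consumer_leftovers() {
    awk '
        BEGIN { found = 0 }
        /^dn:/ { dn = $0 }                 # remember the current entry
        {
            line = tolower($0)             # attribute names are case-insensitive
            if (line ~ /^olcsyncrepl:/ || line ~ /^olcupdateref:/ ||
                (line ~ /^olcmoduleload:/ && line ~ /syncprov/)) {
                found++
                print dn "  " $0
            }
        }
        END { exit found }
    '
}

# Constructed sample: the entries from the post before the consumer
# directives are removed (values shortened).
SAMPLE_LEFTOVERS='dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {0}back_bdb
olcModuleLoad: {1}syncprov

dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcSyncRepl: {0}rid=001 provider=ldap://10.50.1.11 bindmethod=simple
olcUpdateRef: ldap://10.50.1.11
'

# Constructed sample: the same entries after a successful clean-up.
SAMPLE_CLEAN='dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {0}back_bdb

dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcDbIndex: entryUUID eq
'

# On a real server:  slapcat -n 0 | check_consumer_leftovers
if printf '%s\n' "$SAMPLE_LEFTOVERS" | check_consumer_leftovers; then
    echo "no consumer directives left"
fi
```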