Pierangelo,

I offered to post my configuration in my initial post, but no one took
me up on it.  Since you are now asking for it, I will gladly post it
below.

Second, thanks for the hint about redacting passwords; I can assure you
that all confidential data posted below has been altered or obscured
*somehow*.

I should also point out that today I made a change to my
infrastructure that I hope will help the situation. Since I noticed
that most of the DIT discrepancies were limited to the standard
Consumer boxes and not the Providers, I have decided to do away
entirely with the standard Consumers.  We now have six (6)
virtually identically configured Providers, each of which replicates
with the other five (5) hybrid Consumer/Providers -- essentially a
six-member multi-master mesh in which every member can reach every
other member via both LDAP and LDAPS.

Here is a slapd.conf from ONE of the SIX members:

#####

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/dhcp.schema
include /etc/ldap/schema/samba.schema
include /usr/share/doc/libpam-ldap/ldapns.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/uber.schema

# Process bookkeeping: PID and argument files written at startup.
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
# Threads used by the slap* tools (slapadd/slapindex), not by the server.
tool-threads    4

# NOTE(review): "none" keeps only the messages that are always logged and
# suppresses everything about syncrepl. While chasing DIT discrepancies
# across a six-way mesh, run with "loglevel sync stats" (or just "sync"
# if stats is too chatty) so consumer/provider errors, cookie and CSN
# mismatches and refresh phases show up in syslog. "stats" also provides
# the connection/bind trail that security monitoring needs; with "none"
# there is no record of failed binds at all.
loglevel        none

# Dynamically loaded backends and overlays. The names mix ".la" and bare
# forms; both resolve to the same module, so that is cosmetic.
# syncprov and accesslog are used by the databases below; back_relay and
# rwm are presumably for the relay database(s) in /etc/ldap/relays, which
# is included at the end of this file and not shown here.
modulepath  /usr/lib/ldap
moduleload  back_hdb
moduleload  back_relay
moduleload  rwm.la
moduleload  back_monitor.la
moduleload  syncprov
moduleload  accesslog

# Multi-master server IDs, one per mesh member. When URLs are given,
# slapd selects its own ID by matching a URL against the listeners it was
# started with (-h), so each node must listen on exactly
# "ldaps://<its ip>:636/" to claim its ID. The ID is embedded in every
# entryCSN this node generates and is what makes CSNs globally unique.
serverID 100 ldaps://10.64.100.100:636/
serverID 107 ldaps://10.64.100.107:636/
serverID 108 ldaps://10.64.100.108:636/
serverID 811 ldaps://10.9.8.11:636/
serverID 812 ldaps://10.9.8.12:636/
serverID 814 ldaps://10.9.8.14:636/

# Server certificate is, by file name, a wildcard for *.site.example.com,
# yet every peer in this file is addressed by IP. NOTE(review): a normal
# hostname check of an IP against a DNS wildcard does not match, so either
# the certificate carries IP SANs or the consumers run with relaxed peer
# verification (e.g. TLS_REQCERT in ldap.conf) -- confirm which; the
# latter encrypts the link without authenticating the peer.
# No TLSVerifyClient is set, so clients are never asked for a certificate
# (the default).
TLSCertificateFile          /etc/ldap/ssl/wildcard.site.example.com.crt
TLSCertificateKeyFile   /etc/ldap/ssl/wildcard.site.example.com.key
TLSCACertificateFile    /etc/ssl/certs/ca.cert

# Anonymous *bind requests* are rejected, but unauthenticated access is
# not: a client that never binds can still issue operations unless
# "require authc" is also set. The global limits are unlimited for every
# identity, which lets any authenticated client dump the whole DIT or hold
# a search indefinitely; a bounded default here plus a per-DN "limits"
# line in the dc=real database for the syncrepl account (the only identity
# that needs unlimited results) is the usual shape.
disallow  bind_anon
sizelimit  unlimited
timelimit  unlimited

# NOTE(review): tls=0 requires no TLS for any operation, and the mesh
# members also talk plain LDAP to each other (per the message above).
# Every syncrepl stanza below uses bindmethod=simple, so the replication
# password would cross the wire in clear if a consumer were ever pointed
# at ldap://. "security simple_bind=128" makes slapd refuse simple binds
# on connections with SSF below 128; "security ssf=128" applies that to
# all operations. In either case set "localSSF" to at least the chosen
# value so ldapi:// sessions (the peercred mapping below) still qualify.
security    tls=0

# Global ACLs: the subschema and the root DSE are readable only by
# authenticated identities. NOTE(review): denying anonymous reads of the
# root DSE can break clients that read supportedSASLMechanisms or
# namingContexts before they bind (typical for GSSAPI clients and many
# libraries); "by * read" on dn.base="" is the common setting. "stop" is
# already the default control on a "by" clause and can be dropped.
access to dn.subtree="cn=Subschema"
   by users read
   by * none stop

access to dn.base=""
   by users read
   by * none stop

defaultSearchBase       dc=real,dc=example,dc=com

# SASL (GSSAPI) realm and service host. sasl-secprops is left at its
# default (noplain,noanonymous), which is stricter than the commented-out
# minssf=0 line; keep it that way.
sasl-realm      SITE.EXAMPLE.COM
sasl-host       ds.site.example.com
#sasl-secprops  minssf=0
# Kerberos principal <uid>@SITE.EXAMPLE.COM maps to
# uid=<uid>,cn=plain,cn=auth,dc=site,dc=example,dc=com.
# NOTE(review): that DN is under dc=site, while the only hdb suffix in
# this file is dc=real; presumably dc=site is served by a relay from
# /etc/ldap/relays -- confirm, otherwise GSSAPI users map to a DN that
# exists in none of the databases shown here. The \(.*\) capture is only
# bounded by the fixed realm suffix, so it is fine as long as no principal
# name contains a comma.
authz-regexp    "uid=\(.*\),cn=SITE.EXAMPLE.COM,cn=gssapi,cn=auth"
                        "uid=$1,cn=plain,cn=auth,dc=site,dc=example,dc=com"
# Local root over ldapi:// (SASL EXTERNAL with peercred, uid 0 / gid 0)
# is mapped to uid=writer. The two lines below are one directive that the
# mailer wrapped, and the backslash sequences look like quoting artefacts;
# in the real file it must be a single line, and the "+" has to be escaped
# because it is a regex quantifier -- compare the slapd.conf(5) example
# "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth".
authz-regexp    "gidNumber=\\\0+uidNumber=\\ 
\0,cn=peercred,cn=external,cn=auth"
                        "uid=writer,cn=plain,cn=auth,dc=real,dc=example,dc=com"

# Backend-wide settings for hdb (none given); the databases follow.
backend hdb

########### Monitoring Database - For slapd/hdb performance data
# cn=monitor exposes live server state: listeners, open connections with
# their bound DN and peer address, operation counters and, with
# "monitoring on" in the hdb database, cache statistics. That is
# reconnaissance-grade data, so restricting it is right: read access goes
# to members of the ldapadmin group (resolved in dc=real) and to the
# dc=real rootdn. The rootpw here belongs to the monitor suffix's own
# rootdn and is only needed if something must modify monitor entries;
# otherwise it can probably be dropped.
database        monitor
rootdn          uid=monitor,cn=monitor
rootpw          {SSHA}encrypted-hash
# Each "by" clause below is a single line in the real file (wrapped by the
# mailer). Identities matching neither clause are denied.
access to dn.subtree="cn=monitor"
    by group/groupOfUniqueNames/ 
uniqueMember 
="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" read
    by  
dn.exact="uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com" read

########### example.Log
# Audit database for the accesslog overlay attached to dc=real below.
# It is local to this node: cn=log is not the searchbase of any syncrepl
# stanza in this file, so each of the six members keeps its own log of
# the writes it processed. With "logops writes" and "logsuccess TRUE" it
# records successful modifications only -- no failed binds -- so it is
# not a source for brute-force detection ("logops session" with
# "logsuccess FALSE" would be, at a cost in volume).
database                hdb
suffix                  cn=log
rootdn                  "uid=log,cn=log"
rootpw                  {SSHA}encrypted-hash
directory               /var/lib/ldap/log
# reqStart is what logpurge (and delta-syncrepl consumers) search on.
index                   reqStart,objectClass,entryCSN,reqResult eq
dbconfig                set_cachesize 0 2097152 0
# syncprov on the log only matters to delta-syncrepl consumers
# (syncdata=accesslog); none of the stanzas below use it, so this overlay
# is currently idle. nopresent/reloadhint are the documented settings for
# the day delta replication is adopted.
overlay                 syncprov
syncprov-nopresent      TRUE
syncprov-reloadhint     TRUE
# Read access: the ldapadmin group, the dc=real rootdn, and this
# database's own rootdn. The last clause is redundant -- a database's
# rootdn bypasses its ACLs entirely. Lines are wrapped by the mailer.
access to dn.subtree="cn=log"
   by group/groupOfUniqueNames/ 
uniqueMember 
="cn=ldapadmin,cn=ldap,cn=groups,dc=real,dc=example,dc=com" read
   by dn.base="uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com"  
read
   by dn.base="uid=log,cn=log" read

########### example.real
# Primary directory, dc=real,dc=example,dc=com, replicated six ways (see
# the syncrepl stanzas and mirrormode below).
database                hdb
cachesize               10000
idlcachesize            30000
suffix                  "dc=real,dc=example,dc=com"
# BDB page checksums: a cheap integrity check on every read.
checksum
# Checkpoint the BDB log every 100 KB of log data or every 10 minutes.
checkpoint              100 10
cachefree               20
# NOTE(review): rootpw puts a static super-user password in this file on
# six hosts; the hash protects the file, not the bind. Since local root
# already gets an identity through the ldapi/peercred mapping above, the
# usual hardening is to map that identity to this rootdn instead, drop
# rootpw, and administer over ldapi:// with SASL EXTERNAL -- the monitor
# and log ACLs above match the rootdn by DN and would keep working.
rootdn                  "uid=rootdn,cn=plain,cn=auth,dc=real,dc=example,dc=com"
rootpw                  {SSHA}encrypted-hash
# Publish cache/statistics under cn=monitor (restricted there).
monitoring              on
directory               "/var/lib/ldap/real"
dncachesize             100000
# 1 GB BDB cache in 2 segments; 10 MB transaction log files.
dbconfig                set_cachesize 1 0 2
dbconfig                set_lg_max 10485760
# NOTE(review): db_log_autoremove deletes transaction logs as soon as
# they are no longer needed for normal recovery, which rules out
# catastrophic recovery from an older backup. Acceptable only if backups
# are slapcat-based (or logs are archived elsewhere) -- confirm.
dbconfig                set_flags db_log_autoremove
dbconfig                set_lg_bsize 2097152
dbconfig                set_lk_max_objects 1500
dbconfig                set_lk_max_locks 1500
dbconfig                set_lk_max_lockers 1500
# entryCSN/entryUUID equality indexes are required on every syncrepl peer.
index   objectClass,structuralObjectClass       eq
index   entryCSN,entryUUID                      eq
index   cn,uid,memberUid                        eq

# Consumer side of the mesh: five identical stanzas, one per peer. The
# address not listed, 10.9.8.12, is presumably this host (serverID 812).
# Each pulls the whole suffix with refreshAndPersist and, after a failure,
# retries every 120 seconds indefinitely.
#
# NOTE(review): settings worth revisiting while chasing discrepancies:
# - timeout=1 gives the provider one second to answer the consumer's
#   initial bind (per slapd.conf(5); network-timeout covers the connect).
#   A busy peer that misses that window costs a 120 s retry wait during
#   which its writes are not seen here. Unset, the ldap.conf default
#   applies; tens of seconds is usual.
# - schemachecking=off (also the default) applies replicated entries
#   without schema validation -- fine for a mesh whose writes were already
#   checked on the originating master.
# - No tls_reqcert/tls_cacert here, so verification of the provider's
#   certificate follows the system ldap.conf. Providers are given as IPs
#   while the server certificate is a DNS wildcard, so a "demand" check
#   would fail; if replication works, verification is probably relaxed,
#   i.e. the session is encrypted but the peer is not authenticated.
#   Use the peers' DNS names in provider= and add
#   "tls_reqcert=demand tls_cacert=/etc/ssl/certs/ca.cert" per stanza.
# - bindmethod=simple with a cleartext credentials= value: one account and
#   password shared by all six nodes, so this file must be readable only
#   by the slapd user and that password is effectively the key to the
#   whole mesh. If the global limits are ever bounded, give this account
#   "limits dn.exact=... size=unlimited time=unlimited" in this database.
syncrepl rid=001
   provider=ldaps://10.64.100.100:636/
   bindmethod=simple
   binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
   credentials=syncreplpass
   scope=sub
   filter="(objectClass=*)"
   schemachecking=off
   searchbase="dc=real,dc=example,dc=com"
   retry="120 +"
   sizelimit=unlimited
   timeout=1
   type=refreshAndPersist
# Same as rid=001, against 10.64.100.107.
syncrepl rid=002
   provider=ldaps://10.64.100.107:636/
   bindmethod=simple
   binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
   credentials=syncreplpass
   scope=sub
   filter="(objectClass=*)"
   schemachecking=off
   searchbase="dc=real,dc=example,dc=com"
   retry="120 +"
   sizelimit=unlimited
   timeout=1
   type=refreshAndPersist
# Same as rid=001, against 10.64.100.108.
syncrepl rid=003
   provider=ldaps://10.64.100.108:636/
   bindmethod=simple
   binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
   credentials=syncreplpass
   scope=sub
   filter="(objectClass=*)"
   schemachecking=off
   searchbase="dc=real,dc=example,dc=com"
   retry="120 +"
   sizelimit=unlimited
   timeout=1
   type=refreshAndPersist
# Same as rid=001, against 10.9.8.14 (the other subnet).
syncrepl rid=004
   provider=ldaps://10.9.8.14:636/
   bindmethod=simple
   binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
   credentials=syncreplpass
   scope=sub
   filter="(objectClass=*)"
   schemachecking=off
   searchbase="dc=real,dc=example,dc=com"
   retry="120 +"
   sizelimit=unlimited
   timeout=1
   type=refreshAndPersist
# Same as rid=001, against 10.9.8.11 (the other subnet).
syncrepl rid=005
   provider=ldaps://10.9.8.11:636/
   bindmethod=simple
   binddn="uid=syncrepl,cn=plain,cn=auth,dc=real,dc=example,dc=com"
   credentials=syncreplpass
   scope=sub
   filter="(objectClass=*)"
   schemachecking=off
   searchbase="dc=real,dc=example,dc=com"
   retry="120 +"
   sizelimit=unlimited
   timeout=1
   type=refreshAndPersist
# mirrormode plus five consumer stanzas is N-way multi-master: this node
# accepts writes directly and also applies writes replicated from peers.
# Conflicts are decided by comparing entryCSNs, i.e. timestamps, so the
# six hosts must be NTP-synchronised; clock skew is a classic cause of
# "the write that lost" DIT discrepancies in such a mesh and is worth
# ruling out early.
mirrormode      true
# Provider side: serves the other five members.
overlay         syncprov
syncprov-reloadhint TRUE
# NOTE(review): with syncprov-checkpoint commented out, the contextCSN is
# persisted only at clean shutdown, so after a crash the on-disk value may
# be stale. The usual recommendation is to enable it, e.g.
# "syncprov-checkpoint 100 10" (write after 100 ops or 10 minutes).
#syncprov-checkpoint 10 5
# In-memory session log of recent operations (primarily deletes in 2.4,
# per the man page) so a reconnecting consumer can refresh incrementally
# instead of replaying a full present phase.
syncprov-sessionlog 5000
# Audit trail of successful writes into cn=log (local to this node; see
# that database). Records older than 7 days are purged every 2 days.
overlay                 accesslog
logdb                   cn=log
logops                  writes
logpurge                7+00:00 2+00:00
logsuccess              TRUE

# Access control for dc=real lives in /etc/ldap/acls; since these includes
# come after the database directives, their contents are appended to this
# database's configuration. /etc/ldap/relays presumably defines the relay
# database(s) that back_relay/rwm were loaded for. Neither file is shown
# here, so neither is reviewed.
include /etc/ldap/acls
include /etc/ldap/relays

####

Thanks again

Jeff

