>>>>> "quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
quanah> --On Wednesday, August 30, 2006 10:19 AM -0400 "Allan E. Johannesen"
quanah> <[EMAIL PROTECTED]> wrote:

>> I've been using rootdn passwords over TLS with slurpd and since switching to
>> syncrepl. Seeing a posting by Quanah Gibson-Mount <[EMAIL PROTECTED]>
>> some weeks ago about k5start and KRB5CCNAME, I was inspired to try to make
>> the switch.

quanah> So, I've been thinking over all of this, and I actually see only one
quanah> error:

quanah> You need to index entryUUID.

Well, yes, it's better to index entryUUID. It's critical for good response
time to do it, and I did that on my production boxes, but I was testing this
on a different system. I made the mistake of using an existing slapd config
from prior tests and forgot to add the index of entryUUID.

quanah> Let's talk about how this whole replication thing works:

quanah> (a) You get a K5 ticket (or it already exists, thanks to kstart, etc)
quanah> (b) You start the replica
quanah> (c) It connects to the master whenever the master is available. It
quanah>     makes a *persistent* connection, since that is what you have
quanah>     specified
quanah> (d) Changes replicate.. time passes, k5start renews the ticket cache,
quanah>     the ldap/* bit for the master disappears from the cache
quanah> (e) Changes continue to replicate

quanah> The reason things still work between (d) & (e) is because the
quanah> connection is *persistent*. The ldap/* bit for the master is only
quanah> necessary for establishing the initial connection. That is why
quanah> replication continues to work on my ldap slaves even though they don't
quanah> have an ldap/* principal in their ticket cache any more:

Note that when I control-C the persistent connection, I get an encryption
error. That's relevant to the issue, I think.

SEETHE:~# fg
/usr/local/libexec/slapd -d 16384 -f /usr/local/etc/openldap/slapd.seethe.conf
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 1 threads to terminate
sb_sasl_write: failed to encode packet: generic failure
slapd stopped.
SEETHE:~#

After indexing entryUUID, it's happier, but updates still bind up after time:

syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
syncrepl_entry: be_search (0)
syncrepl_entry: wpieduPersonUUID=2af586df6800b3389cbe7bcbf2a920df,ou=People,dc=WPI,dc=EDU
syncrepl_entry: be_modify (0)
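For reference, here is an added example of the consumer-side pieces the thread is about: the entryUUID index, a refreshAndPersist syncrepl stanza that binds with GSSAPI, and the k5start invocation that keeps the ticket cache slapd reads through KRB5CCNAME fresh. This is not from Allan's or Quanah's mail and not the WPI configuration; the hostnames, principal names, keytab/cache paths and the base DN are placeholders.

```conf
# --- slapd.conf on the consumer (replica) -------------------------------
# Assumed values: ldap-master.example.com, ldap-replica.example.com,
# dc=example,dc=com and the paths below are placeholders for illustration.

database        bdb
suffix          "dc=example,dc=com"
directory       /usr/local/var/openldap-data

# syncrepl locates the local copy of every incoming entry by entryUUID, so
# each LDAP_SYNC_MODIFY without this index becomes an unindexed search.
# entryCSN is used by the consumer's refresh/present phases; index it too.
index   objectClass     eq
index   entryUUID       eq
index   entryCSN        eq

# refreshAndPersist keeps one long-lived connection to the provider.  The
# GSSAPI bind, and with it the ldap/ldap-master.example.com service ticket,
# is needed only when that connection is (re)established.  "retry" controls
# how often the consumer reconnects after the connection drops, and every
# reconnect needs a valid TGT in KRB5CCNAME to obtain a fresh service ticket.
syncrepl rid=001
        provider=ldap://ldap-master.example.com:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        bindmethod=sasl
        saslmech=GSSAPI
        schemachecking=off

# --- starting the consumer ----------------------------------------------
# k5start (from kstart) obtains a ticket for the replica's own principal
# from a keytab and re-obtains it every -K minutes, so the TGT never ages
# out.  slapd must be started with KRB5CCNAME pointing at that cache:
#
#   k5start -b -K 10 -l 10h -f /usr/local/etc/openldap/ldap.keytab \
#           -k /var/run/slapd.krb5cc -u ldap/ldap-replica.example.com
#
#   KRB5CCNAME=/var/run/slapd.krb5cc \
#       /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf
```

Two checks worth making with this setup. First, `klist /var/run/slapd.krb5cc` (under the account slapd runs as) should always show a current TGT for the replica principal; the ldap/* ticket for the master may legitimately be absent after k5start has refreshed the cache, as Quanah describes, since the persistent connection does not need it. Second, the GSSAPI security context negotiated at bind time has its own lifetime derived from the service ticket used to create it, so if SASL encode/decode errors on the persistent connection appear after roughly one ticket lifetime, the context expiry on one side of the connection, not the cache contents, is the place to look; the `retry` setting then determines how quickly the consumer reconnects and binds again.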
