Oops -- forgot to enter subject-line!
On Thu, Dec 27, 2012 at 2:11 AM, fal patel <[email protected]> wrote:
> Hello,
>
> I'm trying to accomplish Multi-Master OpenLDAP Replication for 3 nodes,
> but it's not working.
>
> Specifically, per The OpenLDAP 2.4 Administrator's Guide, Section 18.3.3
> "N-Way Multi-Master", I have created the following LDIF file and slapd.conf
> file, but when I run slapadd to create my config database it fails.
>
> Could you please advise?
>
> Thank you very much.
>
> Fal
>
> (1) The slapadd command I execute, and the error message I get:
> ================================================
> sudo slapadd -l /home/ubuntu11/openldap-2.4.33/mmr_servers.ldif -f
> /usr/local/etc/openldap/slapd.conf -F /usr/local/etc/openldap/slapd.d
> [sudo] password for ubuntu11:
> 50dc0b31 bdb_monitor_db_open: monitoring disabled; configure monitor
> database to enable
> slapadd: line 1: database #1 (dc=ldapservice,dc=hq,dc=mycompany,dc=com)
> not configured to hold "cn=config"; did you mean to use database #0
> (cn=config)?
> _ 2.58% eta none elapsed none spd 1.1
> M/s
> Closing DB...
>
>
>
> (2) My LDIF File, mmr-servers.ldif
> =========================
> # This sets up the config database:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
>
> # second and third servers will have a different olcServerID obviously:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 2
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 3
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
>
> # This sets up syncrepl as a provider (since these are all masters):
> dn: cn=module,cn=config
> objectClass: olcModuleList
> cn: module
> olcModulePath: /usr/local/libexec/openldap
> olcModuleLoad: syncprov.la
>
> # Now we setup the first Master Node
> # (replace $URI1, $URI2 and $URI3 etc.
> with your actual ldap urls):
> dn: cn=config
> changetype: modify
> replace: olcServerID
> ## olcServerID: 1 $URI1
>
> olcServerID: 1 ldap://ldap.awshost.ldapservice.hq.mycompany.com
> ## olcServerID: 2 $URI2
> olcServerID: 2 ldap://ldap.schost.ldapservice.hq.mycompany.com
> ## olcServerID: 3 $URI3
> olcServerID: 3 ldap://ldap.sachost.ldapservice.hq.mycompany.com
>
> dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
> credentials=secret searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
> credentials=secret searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple
> credentials=secret searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=1
>
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
> # Now start up the Master and a consumer/s;
> # also add the above LDIF to the first consumer, second consumer etc.
> # It will then replicate cn=config.
> # You now have N-Way Multimaster on the config database.
>
> # We still have to replicate the actual data, not just the config;
> # so add to the master
> # (all active and configured consumers/masters will pull down this config,
> # as they are all syncing).
> # Also, replace all ${} variables with whatever is applicable to your
> setup:
> dn: olcDatabase={1}$BACKEND,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olc${BACKEND}Config
> olcDatabase: {1}$BACKEND
> olcSuffix: $BASEDN
> olcDbDirectory: ./db
> olcRootDN: $MANAGERDN
> olcRootPW: $PASSWD
> olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited
> size.soft=unlimited
> olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN"
> bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=00:00:00:10 retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=00:00:00:10 retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=006 provider=$URI3 binddn="$MANAGERDN" bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=00:00:00:10 retry="5 5 300 5" timeout=1
> olcMirrorMode: TRUE
>
> dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> # Note: All of your servers' clocks must be tightly synchronized using
> e.g. NTP.
> # Note: URLs specified in olcSyncRepl directives are the servers URLs to
> replicate from.
> # These must exactly match the URLs slapd listens on (-h in Command-Line
> Options).
> # Otherwise slapd may attempt to replicate from itself, causing a loop.
>
>
>
> (3) My slapd.conf file:
> ================
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /usr/local/etc/openldap/schema/core.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile /usr/local/var/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/local/libexec/openldap
> # moduleload back_bdb.la
> # moduleload back_hdb.la
> # moduleload back_ldap.la
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
> ## database bdb
> ## suffix "dc=my-domain,dc=com"
> ## rootdn "cn=Manager,dc=my-domain,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> ## rootpw secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> ## directory /usr/local/var/openldap-data
> # Indices to maintain
> ## index objectClass eq
>
> ## added for multimaster replication (prior to running slapadd to create
> db):
> database bdb
> # suffix <DN of root of subtree you are trying to create>
> suffix "dc=ldapservice,dc=hq,dc=mycompany,dc=com"
> rootdn "cn=admin,dc=ldapservice,dc=hq,dc=mycompany,dc=com"
> rootpw secret
> # directory for index files
> directory /usr/local/var/openldap-data
> # specify which indices you want to build
> index objectClass eq
> # loglevel 64
>
>
>
> I have these additional questions also, please:
> * It's "refreshAndPersist" Provider Push replication I want to implement,
> not "refreshOnly" Consumer Poll Pull.
> So in my mmr-servers.ldif file, can/should I change all the "refreshOnly"
> clauses in the Data Replication part to "refreshAndPersist"?
>
> * In the above LDIF file, in both the Config Replication section and the
> Data Replication section, why does it add MirrorMode and set it to True?
> It's N-Way Multi-Master replication I want to implement, not Mirror-Mode
> replication, so can/should I get rid of all those "Mirror Mode" clause
> statements?
>
> Thank you once again.
>
>
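The quoted file feeds slapadd a single LDIF that mixes three servers' cn=config stanzas, changetype records and cleartext secrets, and the slapadd error itself points at the config database (#0) rather than the data database it was run against. As an added example (editor's code, not from the thread or the OpenLDAP project), the Python linter below parses such a file and reports what slapadd or syncrepl will trip over, including the self-replication loop the LDIF's own note warns about, plus the two secret-hygiene points the stock slapd.conf comments raise. The sample LDIF, the example.test hostnames and the listen_url argument (a stand-in for the server's own -h listener URL) are constructed for the example.

```python
"""Lint a cn=config replication LDIF before handing it to slapadd. Added example
for this thread, not OpenLDAP project code: it flags duplicate entries, changetype
records, self-pointing syncrepl providers, reused rids and cleartext secrets."""
import re

# Constructed sample, not the thread's file: one server's config entry pasted
# twice (the second time as a modify record), with example.test hostnames.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1.example.test binddn="cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=001 provider=ldap://ldap2.example.test binddn="cn=config"
  bindmethod=simple credentials=secret searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
"""

# key=value or key="quoted value" tokens of an olcSyncRepl attribute value
SYNCREPL_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ldif(text):
    """Split LDIF into records {"dn": str, "attrs": {lowercase name: [values]}}.
    Handles '#' comments, blank-line separators, the '-' change separator and folded
    lines (a leading space continues the previous line; LDIF strips that one space)."""
    records, lines = [], []

    def flush():
        if not lines:
            return
        rec = {"dn": None, "attrs": {}}
        for line in lines:
            name, _, value = line.partition(":")  # first ':' only; URLs keep theirs
            value = value.lstrip(" ")
            if name.lower() == "dn":
                rec["dn"] = value
            else:
                rec["attrs"].setdefault(name.lower(), []).append(value)
        if rec["dn"] is not None:  # a block without a dn line is not an entry
            records.append(rec)
        lines.clear()

    for raw in text.splitlines():
        if raw.startswith("#") or raw == "-":
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    flush()
    return records


def parse_syncrepl(value):
    """Turn 'rid=001 provider=ldap://... binddn="cn=config" ...' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SYNCREPL_TOKEN.finditer(value)}


def lint(records, listen_url=None):
    """Return (severity, message) findings; listen_url is this server's own -h URL."""
    findings, seen_dns, seen_rids = [], set(), set()
    for rec in records:
        dn, attrs = rec["dn"], rec["attrs"]
        key = dn.lower()
        if key in seen_dns:
            findings.append(("error", f"duplicate dn '{dn}': slapadd adds each entry once; keep one cn=config file per server"))
        seen_dns.add(key)
        if "changetype" in attrs:
            findings.append(("error", f"'{dn}' has changetype: {attrs['changetype'][0]}; slapadd only adds entries, use ldapmodify for modify records"))
        if key != "cn=config" and not key.endswith(",cn=config"):
            findings.append(("warn", f"'{dn}' is not under cn=config; cn=config entries need slapadd -n 0, directory data goes in a separate run"))
        rootpw = attrs.get("olcrootpw", [])
        if rootpw and not rootpw[0].startswith("{"):
            findings.append(("warn", f"'{dn}' olcRootPW is cleartext; store a slappasswd hash"))
        for value in attrs.get("olcsyncrepl", []):
            sr = parse_syncrepl(value)
            rid = sr.get("rid")
            if rid in seen_rids:
                findings.append(("error", f"'{dn}' reuses rid={rid}; each olcSyncRepl needs a unique rid"))
            seen_rids.add(rid)
            if listen_url and sr.get("provider") == listen_url:
                findings.append(("error", f"'{dn}' rid={rid} provider is this server's own listener URL, so slapd would replicate from itself"))
            if sr.get("bindmethod", "simple") == "simple" and "credentials" in sr:
                findings.append(("info", f"'{dn}' rid={rid} keeps a simple-bind credential in cleartext; restrict read access to olcDatabase={{0}}config"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(parse_ldif(SAMPLE_LDIF), "ldap://ldap1.example.test"):
        print(f"{severity:5} {message}")
```

Run it once per server against that server's copy of the file, passing the URL slapd will listen on; anything reported as "error" will not load cleanly through slapadd or will misbehave once syncrepl starts, and the "warn" and "info" lines are the cleartext-secret exposures that a world-readable slapd.d or an over-permissive ACL on olcDatabase={0}config would leak.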
