I am trying to set up delta-syncrepl configured via slapd.d, building the configuration with Ansible. I got the following error messages on my two consumers:
----------------
Sep 08 19:45:49 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:45:49 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying (4 retries left)
Sep 08 19:45:54 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:45:54 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying (3 retries left)
Sep 08 19:45:59 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:45:59 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying (2 retries left)
Sep 08 19:46:04 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:46:04 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying (1 retries left)
Sep 08 19:46:09 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:46:09 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying
Sep 08 19:46:14 ldapslave-01 slapd[3198]: do_syncrep2: rid=001 got search entry without Sync State control (reqStart=20200908174203.000008Z,cn=accesslog)
Sep 08 19:46:14 ldapslave-01 slapd[3198]: do_syncrepl: rid=001 rc -1 retrying
----------------
Here is my configuration of the provider:
-------------
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapmaster-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapmaster-key.pem
olcToolThreads: 1
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}accesslog.la
.
.
.
# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1} to attrs=userPassword by anonymous auth by self write by * none
olcAccess: {2} to attrs=shadowLastChange by self write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824
# {0}syncprov, {1}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcAccess: {0} to dn.sub=cn=accesslog by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net read
olcDbIndex: reqStart,reqEnd,reqMod,reqResult eq
# {0}accesslog, {2}mdb, config
dn: olcOverlay={0}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 01+00:00 00+04:00
olcAccessLogSuccess: TRUE
-------------
As you can see, the syncrepl and accesslog overlays are configured. The database files are present and the file permissions are ok.
Here is the configuration of the consumer:
-------------
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapslave-01-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapslave-01-key.pem
olcToolThreads: 1
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_md
.
.
.
# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1} to attrs=userPassword by anonymous auth by self write by * none
olcAccess: {2} to attrs=shadowLastChange by self write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcSyncrepl: {0}rid=1 provider=ldaps://ldapmaster.example.net type=refreshAndPersist retry="5 5 300 +" filter="(ObjectClass=*)" scope=sub bindmethod=simple searchbase="dc=example,dc=net" binddn="cn=repl-user,ou=users,dc=example,dc=net" credentials=geheim syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
olcUpdateRef: ldaps://ldapmaster.example.net
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824
-------------
I can access the accesslog-DB with ldapsearch as repl-user:
-----------------
root@ldapslave-01:~# ldapsearch -x -D cn=repl-user,ou=users,dc=example,dc=net -w geheim -b cn=accesslog -H ldaps://ldapmaster.example.net -LLL
dn: cn=accesslog
objectClass: auditContainer
cn: accesslog
dn: reqStart=20200908174203.000008Z,cn=accesslog
objectClass: auditAdd
reqStart: 20200908174203.000008Z
reqEnd: 20200908174203.000011Z
reqType: add
reqSession: 18446744073709551615
reqAuthzID: cn=accesslog
reqDN: cn=accesslog
reqResult: 0
reqMod: objectClass:+ auditContainer
reqMod: cn:+ accesslog
reqMod: structuralObjectClass:+ auditContainer
-----------------
On the provider I see the following messages when accessing the accesslog:
-----------------
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 fd=14 ACCEPT from IP=192.168.56.16:52338 (IP=0.0.0.0:636)
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 fd=14 TLS established tls_ssf=256 ssf=256
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" method=128
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE ssf=0
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=0 RESULT tag=97 err=0 text=
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 op=2 UNBIND
Sep 08 19:45:54 ldapmaster slapd[2211]: conn=1058 fd=14 closed
-----------------
I see these messages even when I restart the consumer. So I think there
is no problem with the access-permissions.
Any help is welcome :-)
Stefan
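A provider-side wiring check, added here as an illustration and not part of the original post: the OpenLDAP Administrator's Guide sets up delta-syncrepl with the syncprov overlay on both the primary database and the accesslog database, and with the accesslog overlay attached to the primary database (logdb pointing at cn=accesslog). The script below parses a cn=config LDIF and reports databases that break either rule; the embedded sample is constructed from the provider configuration above, and all function names are my own.

```python
import re
# Constructed, abbreviated cn=config LDIF modelled on the provider configuration in the post.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=net

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
olcOverlay: syncprov

dn: olcDatabase={2}mdb,cn=config
olcSuffix: cn=accesslog

dn: olcOverlay={0}accesslog,olcDatabase={2}mdb,cn=config
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
"""

def parse_ldif(text):
    """Return (dn, {attr: [values]}) per entry; folded lines (leading space) are unfolded first."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            if key == "dn":
                dn = val.strip()
            elif key and not key.startswith("#"):
                attrs.setdefault(key, []).append(val.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_delta_syncrepl(ldif_text):
    """Report delta-syncrepl wiring problems: every database a consumer reads (the accesslog
    one included) needs syncprov, and accesslog must not log into its own database."""
    dbs, overlays = {}, {}
    for dn, a in parse_ldif(ldif_text):
        if "olcSuffix" in a:
            dbs[dn] = a["olcSuffix"][0].lower()
        elif "olcOverlay" in a:
            name = re.sub(r"^\{\d+\}", "", a["olcOverlay"][0])  # drop the {n} ordering prefix
            overlays.setdefault(dn.split(",", 1)[1], {})[name] = a  # key on parent database DN
    findings = []
    for db_dn, suffix in dbs.items():
        ov = overlays.get(db_dn, {})
        if "syncprov" not in ov:
            findings.append(f"{suffix}: no syncprov overlay, entries are served without sync state control")
        if ov.get("accesslog", {}).get("olcAccessLogDB", [""])[0].lower() == suffix:
            findings.append(f"{suffix}: accesslog overlay logs into its own database")
    return findings
```

Feed it the output of slapcat -n 0 from the provider; on the constructed sample it reports both findings for cn=accesslog and nothing for dc=example,dc=net.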