Hi Howard,
Thanks for your reply.
If we set pcacheOffline to FALSE (default), then when the cache is expired, 
the query would fail with "Proxy operation retry failed" because the DSA is 
offline/unreachable.

       pcacheOffline { TRUE | FALSE }
              Set the cache to offline mode. While offline, the consistency
              checker will be stopped and no expirations will occur. This
              allows the cache contents to be used indefinitely while the
              proxy is cut off from network access to the remote DSA. The
              default is FALSE, i.e. consistency checks and expirations will
              be performed.

If we manually update the configuration to pcacheOffline TRUE and restart slapd, 
the existing cached data still exists in the database (hdb/dbd), but it can't 
query the proxy cache (QUERY NOT ANSWERABLE), tries to update the cache (QUERY 
CACHEABLE), and fails with "Proxy can't contact remote server", as below.

Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 do_bind
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: >>> dnPrettyNormal: <uid=userX,ou=employees,o=mycompany.com>
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: <<< dnPrettyNormal: <uid=userX,ou=employees,o=mycompany.com>, <uid=userX,ou=employees,o=mycompany.com>
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 BIND dn="uid=userX,ou=employees,o=mycompany.com" method=128
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: do_bind: version=3 dn="uid=userX,ou=employees,o=mycompany.com" method=128
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: => bdb_entry_get: ndn: "uid=userX,ou=employees,o=mycompany.com"
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: => bdb_entry_get: oc: "(null)", at: "(null)"
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: bdb_dn2entry("uid=userX,ou=employees,o=mycompany.com")
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: => bdb_entry_get: found entry: "uid=userX,ou=employees,o=mycompany.com"
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: bdb_entry_get: rc=0
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: str2filter "(uid=userX)"
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: begin get_filter
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: EQUALITY
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: end get_filter 0
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: Lock QC index = 0x56286a9179d0
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: Not answerable: Unlock QC index=0x56286a9179d0
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: QUERY NOT ANSWERABLE
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: QUERY CACHEABLE
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: =>ldap_back_getconn: conn=1001 op=0: lc=0x7f22f010c620 inserted refcnt=1 rc=0
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: activity on 1 descriptor
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: activity on:
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: 
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: daemon: epoll: listen=11 active_threads=0 tvp=NULL
Jun 14 18:47:59 prd-ldap1-euc1 slapd[4304]: send_ldap_result: conn=1001 op=0 p=3
Jun 14 18:47:59 prd-ldap1-euc1 slapd[4304]: send_ldap_result: err=52 matched="" text="Proxy can't contact remote server"
Jun 14 18:47:59 prd-ldap1-euc1 slapd[4304]: =>ldap_back_getconn: conn=1001 op=0: lc=0x7f22f018f610 inserted refcnt=1 rc=0
Jun 14 18:48:09 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 ldap_back_retry: retrying URI="ldaps://dsa.mycompany.com" DN=""
Jun 14 18:48:19 prd-ldap1-euc1 slapd[4304]: send_ldap_result: conn=1001 op=0 p=3
Jun 14 18:48:19 prd-ldap1-euc1 slapd[4304]: send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
Jun 14 18:48:19 prd-ldap1-euc1 slapd[4304]: send_ldap_response: msgid=1 tag=97 err=52
Jun 14 18:48:19 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed

How do we continue to use the LDAP proxy when the remote DSA is cut off from 
the network / the server is unavailable?

Thanks,
 On Tuesday, June 14, 2022, 08:07:25 AM PDT, Howard Chu <[email protected]> wrote: 

Read the slapo-pcache manpage more carefully. Setting pcacheOffline TRUE 
disables cache expiration.
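
Added example, not part of the original thread: a Python sketch that scans slapd debug output in the format shown in the message above and reports binds that missed the proxy cache and then ended with err=52. The sample lines are constructed from that log (the conn=1002 bind is invented for contrast), and attributing a "QUERY NOT ANSWERABLE" line to the latest bind on the same slapd PID is an assumption, because that line carries no conn/op.

```python
import re

# Constructed sample, condensed from the log format in the message above.
SAMPLE = """\
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 BIND dn="uid=userX,ou=employees,o=mycompany.com" method=128
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: QUERY NOT ANSWERABLE
Jun 14 18:47:49 prd-ldap1-euc1 slapd[4304]: QUERY CACHEABLE
Jun 14 18:48:19 prd-ldap1-euc1 slapd[4304]: conn=1001 op=0 RESULT tag=97 err=52 text=Proxy operation retry failed
Jun 14 18:50:02 prd-ldap1-euc1 slapd[4304]: conn=1002 op=0 BIND dn="uid=userY,ou=employees,o=mycompany.com" method=128
Jun 14 18:50:02 prd-ldap1-euc1 slapd[4304]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) slapd\[(\d+)\]: (.*)$")
START = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"^conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+) text=(.*)$")
LDAP_UNAVAILABLE = 52  # the err=52 seen in the log above


def cache_miss_failures(log_text):
    """Return binds that missed the cache and then failed with err=52."""
    ops = {}      # (pid, conn, op) -> state of an in-flight bind
    latest = {}   # pid -> key of the most recently started bind
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or non-slapd line
        ts, _host, pid, msg = m.groups()
        if s := START.match(msg):
            key = (pid, s.group(1), s.group(2))
            ops[key] = {"conn": int(s.group(1)), "op": int(s.group(2)),
                        "dn": s.group(3), "start": ts, "miss": False}
            latest[pid] = key
        elif msg == "QUERY NOT ANSWERABLE":
            # Assumption: the miss belongs to the latest bind on this PID.
            # On a busy multi-threaded server this can misattribute.
            if latest.get(pid) in ops:
                ops[latest[pid]]["miss"] = True
        elif r := RESULT.match(msg):
            state = ops.pop((pid, r.group(1), r.group(2)), None)
            if state and state["miss"] and int(r.group(3)) == LDAP_UNAVAILABLE:
                findings.append({**state, "end": ts, "text": r.group(4)})
    return findings


if __name__ == "__main__":
    for f in cache_miss_failures(SAMPLE):
        print(f"{f['start']} -> {f['end']} conn={f['conn']} op={f['op']} "
              f"dn={f['dn']} : {f['text']}")
```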

  
