Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-02-08 Thread Quanah Gibson-Mount




--On Thursday, January 25, 2024 9:48 AM +0200 Viktor Keremedchiev 
 wrote:



> If I use olcServerID: 1 ldaps://prod-ldap1.domain.com - server doesn't
> start post ldapmodify.


Sounds like this doesn't match the options passed to slapd at startup.  I 
do note you're missing a port at the end of the URI, which may be why.


--Quanah




Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-01-24 Thread Viktor Keremedchiev


> On 24 Jan 2024, at 18:39, Quanah Gibson-Mount  wrote:
> 
> 
> 
> --On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev 
>  wrote:
> 
>> Hello,
>> I'm somewhat inexperienced with LDAP on the server side of things
>> I'm importing openldap 2.4 into 2.6.3 (rockylinux 9). My goal is to
>> have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb,
>> created accesslog folder, fixed permissions, SSL etc
>> The import doesn't throw any errors. My understanding is that I need to
>> have cn=config replication, as well as replication of my small
>> dc=domain,dc=com
> 
> It is not required to have cn=config replication. And I would note that 
> OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to the 
> 2.6 series since its release.  I'd advise using a current release of OpenLDAP 
> 2.6.
> 
Got it


>> The cn=config replication I call via this on both nodes followed by
>> restarts
>> 
>> 
>> dn: cn=config
>> changetype: modify
>> replace: olcServerID
>> olcServerID: 1
> 
> Each server must have its own, unique, serverID.  If you are going to use 
> cn=config replication, then you *must* use the
> 
> olcServerID: # URI
> 

If I use olcServerID: 1 ldaps://prod-ldap1.domain.com - server doesn’t start 
post ldapmodify.
> 
> format.
> 
>> 
>> Now once I do that I've experimented with changing the olcLogLevel and
>> it seems to work. The rid's on each node are different server2 has
>> rid=002, server 1 has rid=001 as well as different olcServerID
> 
> RIDs must be unique INSIDE a particular server, but different servers can use 
> the same RID values.
> 

Got it

>> What am I doing wrong? Perhaps more than one thing
> 
> I'd suggest starting with just getting back-mdb replication working between 
> the nodes.
> 
> Side note, your configuration for the accesslog DB is missing an index on 
> 'reqDN'.
> 

Added
> --Quanah
> 
> 

I think I've been trying to add syncprov and accesslog overlays that I already 
have:

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config

but then again unnecessarily adding

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config



I've also spotted in the logs that if I have olcMirrorMode twice, for cn=config 
and for the domain, the log says it is already enabled. But if I remove the 
second one it tells me that I'm missing a referral when I ldapsearch/update any 
of the nodes.

Viktor



RE: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-01-24 Thread Quanah Gibson-Mount




--On Wednesday, January 24, 2024 4:42 PM + Bradley T Gill 
 wrote:





> We stay in the 2.5 LTS branch.  2.6 is more of a Dev Branch if I
> understand it correctly.


2.5 is the current LTS release.  2.6 was the new 'feature' branch.  It may 
become the next LTS.  I've personally run it in production at a high volume 
100% uptime environment for over 2 years.


--Quanah




RE: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-01-24 Thread Bradley T Gill
We stay in the 2.5 LTS branch.  2.6 is more of a Dev Branch if I understand it 
correctly.

From: Quanah Gibson-Mount 
Sent: Wednesday, January 24, 2024 11:39 AM
To: Viktor Keremedchiev ; 
openldap-technical@openldap.org
Subject: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles


Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-01-24 Thread Quanah Gibson-Mount




--On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev 
 wrote:



> Hello,
> I'm somewhat inexperienced with LDAP on the server side of things
> I'm importing openldap 2.4 into 2.6.3 (rockylinux 9). My goal is to
> have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb,
> created accesslog folder, fixed permissions, SSL etc
> The import doesn't throw any errors. My understanding is that I need to
> have cn=config replication, as well as replication of my small
> dc=domain,dc=com


It is not required to have cn=config replication. And I would note that 
OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to 
the 2.6 series since its release.  I'd advise using a current release of 
OpenLDAP 2.6.



> The cn=config replication I call via this on both nodes followed by
> restarts
>
>
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1


Each server must have its own, unique, serverID.  If you are going to use 
cn=config replication, then you *must* use the


olcServerID: # URI

format.



> Now once I do that I've experimented with changing the olcLogLevel and
> it seems to work. The rid's on each node are different server2 has
> rid=002, server 1 has rid=001 as well as different olcServerID


RIDs must be unique INSIDE a particular server, but different servers can 
use the same RID values.



> What am I doing wrong? Perhaps more than one thing


I'd suggest starting with just getting back-mdb replication working between 
the nodes.


Side note, your configuration for the accesslog DB is missing an index on 
'reqDN'.


--Quanah
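The three rules Quanah states in this reply (olcServerID in "# URI" form, RIDs unique within one server, an index on reqDN for the accesslog database) turned into a small checker for one server's cn=config LDIF. This is an added example, not code from the thread or from OpenLDAP; the sample LDIF is constructed from the fragments Viktor posted with credentials and most options dropped, and the explicit-port check follows Quanah's later remark at the top of the thread about the URI missing a port.

```python
# Added example, not from the thread; the sample LDIF is constructed from Viktor's fragments.
import re
from collections import defaultdict
NODE1_CONFIG = """\
dn: cn=config
olcServerID: 1 ldaps://prod-ldap1.domain.com

dn: olcDatabase={1}mdb,cn=config
olcSyncRepl: rid=021 provider=ldaps://prod-ldap1.domain.com:636
  searchbase="dc=domain,dc=com" type=refreshAndPersist
olcSyncRepl: rid=022 provider=ldaps://prod-ldap2.domain.com:636
  searchbase="dc=domain,dc=com" type=refreshAndPersist

dn: olcDatabase={2}mdb,cn=config
olcSuffix: cn=accesslog
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        entries.append(dict(attrs))
    return entries

def check_replication_config(ldif_text):
    """Return findings for one server's config; an empty list means all three rules pass."""
    findings, rids = [], defaultdict(list)
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", ["?"])[0]
        for sid in e.get("olcServerID", []):          # rule 1: 'olcServerID: # URI', with port
            uri = (sid.split() + [""])[1]
            if not re.search(r"://.+:\d+/?$", uri):
                findings.append(f"{dn}: olcServerID '{sid}' needs a URI with an explicit port")
        for rid in re.findall(r"\brid=(\d+)", " ".join(e.get("olcSyncRepl", []))):
            rids[rid].append(dn)                      # rule 2: RIDs unique within this server
        if "cn=accesslog" in e.get("olcSuffix", []):  # rule 3: accesslog DB indexes reqDN
            indexed = {a for v in e.get("olcDbIndex", []) for a in v.split()[0].split(",")}
            if "reqDN" not in indexed:
                findings.append(f"{dn}: accesslog database has no olcDbIndex on reqDN")
    for rid, dns in rids.items():
        if len(dns) > 1:
            findings.append(f"rid={rid} is reused within this server: {', '.join(dns)}")
    return findings
```

On the sample, `check_replication_config(NODE1_CONFIG)` reports the serverID URI without a port and the missing reqDN index; feed it `slapcat -n 0` output from each node to check a real deployment.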




Openldap 2.4 -> Openldap 2.6.3 replication hurdles

2024-01-24 Thread Viktor Keremedchiev
Hello,
I'm somewhat inexperienced with LDAP on the server side of things.
I'm importing openldap 2.4 into 2.6.3 (rockylinux 9). My goal is to have 2 
N-way (or multi-master*) ldap nodes. I've changed hdb to mdb, created accesslog 
folder, fixed permissions, SSL etc.
The import doesn't throw any errors. My understanding is that I need to have 
cn=config replication, as well as replication of my small dc=domain,dc=com.
The cn=config replication I call via this on both nodes, followed by restarts:


dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE


dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=002 provider=ldaps://prod-ldap2.domain.com:636
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N…
  searchbase="cn=config" schemachecking=on type=refreshAndPersist
  retry="10 10 60 +" tls_reqcert=allow keepalive=240:10:30
olcSyncRepl: rid=001 provider=ldaps://prod-ldap1.domain.com:636
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N……
  searchbase="cn=config" schemachecking=on type=refreshAndPersist
  retry="10 10 60 +" tls_reqcert=allow keepalive=240:10:30
-
add: olcMirrorMode
olcMirrorMode: TRUE

Now once I do that I’ve experimented with changing the olcLogLevel and it seems 
to work. The rid’s on each node are different server2 has rid=002, server 1 has 
rid=001 as well as different olcServerID


The part I run into issues is when I enable replication to the dc=domain,dc=com 
via

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {2}syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 1000


dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=021 provider=ldaps://prod-ldap1.domain.com:636
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N….
  searchbase="dc=domain,dc=com"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="5 10 60 +" tls_reqcert=allow keepalive=240:10:30
olcSyncRepl: rid=022 provider=ldaps://prod-ldap2.domain.com:636
  bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N….
  searchbase="dc=domain,dc=com"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
  type=refreshAndPersist retry="5 10 60 +" tls_reqcert=allow keepalive=240:10:30
-
add: olcMirrorMode
olcMirrorMode: TRUE


I have 2 sets rids 001/002 and 021/022 and I have olcMirrorMode set to true on 
both cn=config and domain replication

I’m pasting the relevant code around accesslog and syncprov that I think I’m 
getting wrong



dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig

dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {4}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=adaptavist,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
structuralObjectClass: olcMdbConfig

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig


Replication works from node1 to node2, and in reverse. But it stops after 20 
minutes or so.
After replication stops I see the accesslog on one node has 4 records, on the 
other it has 3, and it never catches up even if I restart, although at first it 
all works regardless of which node I update (change a random password).

What am I doing wrong? Perhaps more than one thing

Thank you