Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles
--On Thursday, January 25, 2024 9:48 AM +0200 Viktor Keremedchiev wrote:

> If I use olcServerID: 1 ldaps://prod-ldap1.domain.com - server doesn't start post ldapmodify.

Sounds like this doesn't match the options passed to slapd at startup. I do note you're missing a port at the end of the URI which may be why.

--Quanah
Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles
> On 24 Jan 2024, at 18:39, Quanah Gibson-Mount wrote:
>
> --On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev wrote:
>
>> Hello,
>> I'm somewhat not experienced with LDAP on the server side of things
>> I'm importing openldap 2.4. into 2.6.3. (rockylinux 9). My goal is to
>> have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb,
>> created accesslog folder, fixed permissions, SSL etc
>> The import doesn't throw any errors. My understanding is that I need to
>> have cn=config replication, as well as my small dc=domain,dc=com,
>> replication as well
>
> It is not required to have cn=config replication. And I would note that
> OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to the
> 2.6 series since its release. I'd advise using a current release of OpenLDAP
> 2.6.

Got it

>> The cn=config replication I call via this on both nodes followed by
>> restarts
>>
>> dn: cn=config
>> changetype: modify
>> replace: olcServerID
>> olcServerID: 1
>
> Each server must have its own, unique, serverID. If you are going to use
> cn=config replication, then you *must* use the
>
> olcServerID: # URI
>
> format.

If I use olcServerID: 1 ldaps://prod-ldap1.domain.com - server doesn't start post ldapmodify.

>> Now once I do that I've experimented with changing the olcLogLevel and
>> it seems to work. The rid's on each node are different server2 has
>> rid=002, server 1 has rid=001 as well as different olcServerID
>
> RIDs must be unique INSIDE a particular server, but different servers can use
> the same RID values.

Got it

>> What am I doing wrong? Perhaps more than one thing
>
> I'd suggest starting with just getting back-mdb replication working between
> the nodes.
>
> Side note, your configuration for the accesslog DB is missing an index on
> 'reqDN'.

Added

> --Quanah

I think I've been trying to add syncprov and accesslog overlays that I already have:

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config

but then again adding unnecessarily:

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config

I've also spotted in the logs that if I have olcMirrorMode twice for cn=config and the domain - the log says it is already enabled. But if I remove the second one it is telling me that I'm missing referral when I ldapsearch/update any of the nodes.

Viktor
RE: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles
--On Wednesday, January 24, 2024 4:42 PM + Bradley T Gill wrote:

> We stay in the 2.5 LTS branch. 2.6 is more of a Dev Branch if I understand it correctly.

2.5 is the current LTS release. 2.6 was the new 'feature' branch. It may become the next LTS. I've personally run it in production at a high volume 100% uptime environment for over 2 years.

--Quanah
RE: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles
We stay in the 2.5 LTS branch. 2.6 is more of a Dev Branch if I understand it correctly.

From: Quanah Gibson-Mount
Sent: Wednesday, January 24, 2024 11:39 AM
To: Viktor Keremedchiev ; openldap-technical@openldap.org
Subject: [EXTERNAL] Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles

--On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev wrote:

> Hello,
> I'm somewhat not experienced with LDAP on the server side of things
> I'm importing openldap 2.4. into 2.6.3. (rockylinux 9). My goal is to
> have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb,
> created accesslog folder, fixed permissions, SSL etc
> The import doesn't throw any errors. My understanding is that I need to
> have cn=config replication, as well as my small dc=domain,dc=com,
> replication as well

It is not required to have cn=config replication. And I would note that OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to the 2.6 series since its release. I'd advise using a current release of OpenLDAP 2.6.

> The cn=config replication I call via this on both nodes followed by
> restarts
>
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1

Each server must have its own, unique, serverID. If you are going to use cn=config replication, then you *must* use the

olcServerID: # URI

format.

> Now once I do that I've experimented with changing the olcLogLevel and
> it seems to work. The rid's on each node are different server2 has
> rid=002, server 1 has rid=001 as well as different olcServerID

RIDs must be unique INSIDE a particular server, but different servers can use the same RID values.

> What am I doing wrong? Perhaps more than one thing

I'd suggest starting with just getting back-mdb replication working between the nodes.

Side note, your configuration for the accesslog DB is missing an index on 'reqDN'.

--Quanah
Re: Openldap 2.4 -> Openldap 2.6.3 replication hurdles
--On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev wrote:

> Hello,
> I'm somewhat not experienced with LDAP on the server side of things
> I'm importing openldap 2.4. into 2.6.3. (rockylinux 9). My goal is to
> have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb,
> created accesslog folder, fixed permissions, SSL etc
> The import doesn't throw any errors. My understanding is that I need to
> have cn=config replication, as well as my small dc=domain,dc=com,
> replication as well

It is not required to have cn=config replication. And I would note that OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to the 2.6 series since its release. I'd advise using a current release of OpenLDAP 2.6.

> The cn=config replication I call via this on both nodes followed by
> restarts
>
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1

Each server must have its own, unique, serverID. If you are going to use cn=config replication, then you *must* use the

olcServerID: # URI

format.

> Now once I do that I've experimented with changing the olcLogLevel and
> it seems to work. The rid's on each node are different server2 has
> rid=002, server 1 has rid=001 as well as different olcServerID

RIDs must be unique INSIDE a particular server, but different servers can use the same RID values.

> What am I doing wrong? Perhaps more than one thing

I'd suggest starting with just getting back-mdb replication working between the nodes.

Side note, your configuration for the accesslog DB is missing an index on 'reqDN'.

--Quanah
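As an added example (not code from the thread or from the OpenLDAP project): a small Python check that reads a cn=config LDIF dump and flags the three points Quanah raises above: an olcServerID that lacks a URI while cn=config is replicated, or whose URI does not match a listener URL passed to slapd -h; a RID reused inside one server; and an accesslog database with no reqDN index. The LDIF sample and the listener list are constructed for this example, and the listener check is a plain string comparison, an approximation of slapd's own matching.

```python
import re
from collections import defaultdict
# Constructed cn=config excerpt modelled on the thread (not the poster's real dump): serverID URI
# without the port, one RID reused in two databases, accesslog DB indexed without reqDN.
SAMPLE_LDIF = """\
dn: cn=config
olcServerID: 1 ldaps://prod-ldap1.domain.com

dn: olcDatabase={0}config,cn=config
olcSyncRepl: rid=001 provider=ldaps://prod-ldap1.domain.com:636 searchbase="cn=config"
olcSyncRepl: rid=002 provider=ldaps://prod-ldap2.domain.com:636 searchbase="cn=config"

dn: olcDatabase={1}mdb,cn=config
olcSyncRepl: rid=002 provider=ldaps://prod-ldap2.domain.com:636 searchbase="dc=domain,dc=com"

dn: olcDatabase={2}mdb,cn=config
olcSuffix: cn=accesslog
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
"""
LISTENERS = ["ldaps://prod-ldap1.domain.com:636"]  # URLs given to slapd -h on this node (assumed)

def parse_ldif(text):  # minimal LDIF reader: blank-line separated entries, no folding or base64
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ": " in line:
                key, val = line.split(": ", 1)
                attrs[key].append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def check_config(text, listeners):
    """Return findings for the three points raised in the thread."""
    entries, findings = parse_ldif(text), []
    config_replicated = "olcSyncRepl" in entries.get("olcDatabase={0}config,cn=config", {})
    for sid in entries["cn=config"].get("olcServerID", []):
        parts = sid.split(None, 1)  # "N" or "N URI"
        if config_replicated and len(parts) < 2:
            findings.append("olcServerID lacks a URI; cn=config replication needs 'N URI'")
        elif len(parts) == 2 and parts[1] not in listeners:
            findings.append(f"olcServerID URI {parts[1]} matches no listener URL")
    rids = defaultdict(list)  # rid -> DNs using it; RIDs must be unique within one server
    for dn, attrs in entries.items():
        for sr in attrs.get("olcSyncRepl", []):
            rids[re.search(r"\brid=(\d+)", sr).group(1)].append(dn)
        if attrs.get("olcSuffix") == ["cn=accesslog"]:
            indexed = {a for v in attrs.get("olcDbIndex", []) for a in v.split()[0].split(",")}
            if "reqDN" not in indexed:
                findings.append(f"{dn}: accesslog DB has no index on reqDN")
    findings += [f"rid={r} reused within this server: {d}" for r, d in rids.items() if len(d) > 1]
    return findings
```

Run it against `slapcat -n 0` output from each node in turn, with that node's own listener list, since the serverID and RID rules apply per server.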
Openldap 2.4 -> Openldap 2.6.3 replication hurdles
Hello,

I'm somewhat not experienced with LDAP on the server side of things. I'm importing openldap 2.4. into 2.6.3. (rockylinux 9). My goal is to have 2 N-way (or multi-master*) ldap nodes. I've changed hdb to mdb, created accesslog folder, fixed permissions, SSL etc. The import doesn't throw any errors. My understanding is that I need to have cn=config replication, as well as my small dc=domain,dc=com replication as well.

The cn=config replication I call via this on both nodes followed by restarts:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=002 provider=ldaps://prod-ldap2.domain.com:636 bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N… searchbase="cn=config" schemachecking=on type=refreshAndPersist retry="10 10 60 +" tls_reqcert=allow keepalive=240:10:30
olcSyncRepl: rid=001 provider=ldaps://prod-ldap1.domain.com:636 bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N…… searchbase="cn=config" schemachecking=on type=refreshAndPersist retry="10 10 60 +" tls_reqcert=allow keepalive=240:10:30
-
add: olcMirrorMode
olcMirrorMode: TRUE

Now once I do that I've experimented with changing the olcLogLevel and it seems to work. The rid's on each node are different: server2 has rid=002, server 1 has rid=001 as well as different olcServerID.

The part I run into issues is when I enable replication to the dc=domain,dc=com via:

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {2}syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 1000

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=021 provider=ldaps://prod-ldap1.domain.com:636 bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N…. searchbase="dc=domain,dc=com" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 10 60 +" tls_reqcert=allow keepalive=240:10:30
olcSyncRepl: rid=022 provider=ldaps://prod-ldap2.domain.com:636 bindmethod=simple binddn="cn=admin,dc=domain,dc=com" credentials=N…. searchbase="dc=domain,dc=com" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 10 60 +" tls_reqcert=allow keepalive=240:10:30
-
add: olcMirrorMode
olcMirrorMode: TRUE

I have 2 sets of rids, 001/002 and 021/022, and I have olcMirrorMode set to true on both cn=config and domain replication.

I'm pasting the relevant code around accesslog and syncprov that I think I'm getting wrong:

dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {3}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig

dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {4}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=adaptavist,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
structuralObjectClass: olcMdbConfig

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig

Replication works from node1 to node2, and in reverse. But it stops after 20 minutes or so. After replication stops I see the accesslog on one node has 4 records, on the other it has 3, and it never catches up even if I restart, although at first it all works regardless of which node I update (change a random password).

What am I doing wrong? Perhaps more than one thing

Thank you