Hi,

We're using a proxied sync-repl installation to populate various consumers from our single master.

For some time now, we've been seeing all kinds of strange phenomena, mostly with missing objects on some (not all) consumers. Previously, our consumers and our master hadn't been identical with regards to the OpenLDAP version and the operating system used. While, according to the specs, this should have worked, we decided to rule out one source of trouble and upgrade our infrastructure, so right now we're using OpenLDAP 2.4.47 on Debian buster on all involved boxes:

% dpkg -l slapd
[...]
ii slapd 2.4.47+dfsg-3+deb10u4 amd64 OpenLDAP server (slapd)

One of the issues we're currently seeing is that memberOf queries don't work as expected. Different consumers yield different results, which again are different from what the master has.

See for example:

# on the master
root@minerva:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com
memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com
memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com
memberOf: cn=qube,ou=Group,dc=example,dc=com

# consumer #1
root@demeter:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com

# consumer #2
root@peta:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com
memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com
memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com

However, when I investigate the group, I see the user listed in every one of them:

# on the master
root@minerva:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]

# on consumer #1
root@demeter:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]

# on consumer #2
root@peta:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]

The master only shares the relevant part of the DIT with the consumers, so unfortunately I cannot compare them 1:1 using slapcat. But if I again apply a group filter, slapcat delivers correct results on all instances as well (i.e. slapcat -a 'cn=qube').

My first idea was an index issue, but running slapindex didn't change anything.

Any ideas what might be wrong and/or how to debug this issue?

Additionally - bear with me - we're not using cn=config, but the old style slapd.conf configuration.

Thanks

Udo

--
Udo Rader, CTO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
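A consistency check for the symptom described in the mail, added here as an example and not part of the original message: it parses the `ldapsearch -LLL` output captured from each server, recomputes which groups the user should appear in from the groups' `member` attributes (the replicated, authoritative data), and reports where a server's `memberOf` values disagree. The sample entries are constructed from the output quoted above; the server labels and the `drift_report` helper are this example's own assumptions.

```python
from collections import defaultdict

USER = "uid=ssebastian,ou=People,dc=example,dc=com"
GRP = "ou=Group,dc=example,dc=com"
# Constructed sample modelled on the mail: the three groups (identical on every
# server) and the user entry exactly as each server answered the memberof query.
GROUPS_LDIF = "\n\n".join(
    f"dn: cn={g},{GRP}\nobjectClass: groupOfNames\ncn: {g}\nmember: {USER}"
    for g in ("ocp-cluster-users", "ocp-cluster-admins", "qube"))
USER_LDIF = {
    "master": f"dn: {USER}\nmemberOf: cn=ocp-cluster-users,{GRP}\n"
              f"memberOf: cn=ocp-cluster-admins,{GRP}\nmemberOf: cn=qube,{GRP}",
    "consumer1": f"dn: {USER}",
    "consumer2": f"dn: {USER}\nmemberOf: cn=ocp-cluster-users,{GRP}\n"
                 f"memberOf: cn=ocp-cluster-admins,{GRP}",
}

def parse_ldif(text):
    """ldapsearch -LLL output -> {dn: {attr_lowercase: [values]}} (plain, unfolded values)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():                  # blank line terminates an entry
            cur = None
            continue
        attr, _, val = line.partition(": ")
        attr = attr.lower()                   # attribute types are case-insensitive
        if attr == "dn":
            cur = entries.setdefault(val, defaultdict(list))
        elif cur is not None:
            cur[attr].append(val)
    return entries

def memberof_drift(users, groups):
    """{user_dn: (missing, stale)} where memberOf disagrees with the groups' member values."""
    want = defaultdict(set)                   # user dn -> groups it is a member of
    for gdn, attrs in groups.items():
        for m in attrs.get("member", []):
            want[m].add(gdn)
    drift = {}
    for udn, attrs in users.items():
        have, exp = set(attrs.get("memberof", [])), want.get(udn, set())
        if have != exp:                       # exact DN string match; normalise case if needed
            drift[udn] = (sorted(exp - have), sorted(have - exp))
    return drift

def drift_report(server_user_ldif=USER_LDIF, groups_ldif=GROUPS_LDIF):
    """Per server: drift dict; an empty dict means memberOf is consistent on that server."""
    groups = parse_ldif(groups_ldif)
    return {s: memberof_drift(parse_ldif(t), groups) for s, t in server_user_ldif.items()}
```

Run `drift_report()` on real captures by replacing the sample strings with the output of the same `ldapsearch` commands against each server; any non-empty entry names the groups a server's memberOf is missing or still carrying.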
