Hi to all,

I am still experimenting with OpenLDAP 2.6 and delta-syncrepl with four
hosts. I use Debian 11 and the Symas packages.

I set up all four hosts with the following ldif-files.

Starting with the basic settings:
---------------------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/symas/run/slapd.pid
olcArgsFile: /var/symas/run/slapd.args
olcToolThreads: 1

# create cn=config
#dn: olcBackend={0}mdb,cn=config
#objectClass: olcBackendConfig
#olcBackend: {0}mdb

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: back_mdb
olcModuleLoad: back_monitor
olcModuleLoad: autoca.la
olcModuleLoad: otp.la
olcModuleLoad: argon2.la
olcModuleLoad: syncprov
olcModuleLoad: back_monitor
olcModuleLoad: accesslog.la

include: file:///opt/symas/etc/openldap/schema/core.ldif
include: file:///opt/symas/etc/openldap/schema/cosine.ldif
include: file:///opt/symas/etc/openldap/schema/nis.ldif
include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif
include: file:///opt/symas/etc/openldap/schema/dyngroup.ldif
include: file:///opt/symas/etc/openldap/schema/kerberos.openldap.ldif

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcSizeLimit: 500
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
  by * break
olcAccess: {1}to dn=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcPasswordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
  by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write
  by * break

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor"
  by dn.exact=cn=admin,cn=config read
  by dn.exact=cn=admin,dc=example,dc=net read

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcSuffix: dc=example,dc=net
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbDirectory: /var/symas/openldap-data
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
olcAccess: {0} to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
  by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write
  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
  by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword
  by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
  time=unlimited
  size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
  time=unlimited
  size=unlimited
---------------------------------------

After all four hosts have the same basic settings I change the serverID
with the following LDIF file. My problem is the same even when I put
the serverIDs into the basic setup. The reason I split the serverID
from the basic settings is that I use Ansible to configure all hosts.

-------------------------
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap01.example.net
olcServerID: 2 ldap://ldap02.example.net
olcServerID: 3 ldap://ldap03.example.net
olcServerID: 4 ldap://ldap04.example.net
-------------------------
The next step is setting up the delta-sync replication with the following
LDIF file:
-------------------------
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1

dn: olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /var/symas/accesslog
olcSuffix: cn=accesslog
olcAccess: {0}to dn.subtree="cn=accesslog"
  by dn.exact="uid=repl-user,ou=users,dc={first_dc}},dc=net" read
  by dn.exact="cn=admin,dc=example,dc=net" read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcLimits: dn.exact="cn=uid=repl-user,dc=example,dc=net" time=unlimited
  size=unlimited
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCheckpoint: 0 0
olcDbIndex: entryCSN eq
olcDbIndex: objectClass eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbIndex: reqStart eq
olcDbIndex: reqDN eq
olcDbMode: 0600
olcDbSearchStack: 16
olcDbMaxsize: 85899345920

dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 200

dn: olcOverlay={1}accesslog,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 01+00:00  00+04:00

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=102
  provider=ldap://ldap02.example.net
  bindmethod=simple
  timeout=0
  network-timeout=0
  binddn=uid=repl-user,ou=users,dc=example,dc=net
  credentials=secret
  filter="(objectclass=*)"
  searchbase="dc=example,dc=net"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  logbase=cn=accesslog
  scope=sub
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog
  keepalive=240:10:30
  starttls=yes
olcSyncrepl: rid=103
  provider=ldap://ldap03.example.net
  bindmethod=simple
  timeout=0
  network-timeout=0
  binddn=uid=repl-user,ou=users,dc=example,dc=net
  credentials=secret
  filter="(objectclass=*)"
  searchbase="dc=example,dc=net"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  logbase=cn=accesslog
  scope=sub
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog
  keepalive=240:10:30
  starttls=yes
olcSyncrepl: rid=104
  provider=ldap://ldap04.example.net
  bindmethod=simple
  timeout=0
  network-timeout=0
  binddn=uid=repl-user,ou=users,dc=example,dc=net
  credentials=secret
  filter="(objectclass=*)"
  searchbase="dc=example,dc=net"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  logbase=cn=accesslog
  scope=sub
  schemachecking=off
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog
  keepalive=240:10:30
  starttls=yes
-
replace: olcMirrorMode
olcMirrorMode: TRUE
-------------------------

The olcSyncrepl is different on each host; this one is from
ldap01.example.net, so that host is not in the list.

On every other host everything is set up the same.

When I start slapd I always get these error messages (on server ldap01):
---------------------
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 ACCEPT from
IP=192.168.56.48:56760 (IP=0.0.0.0:389)
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 STARTTLS
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=0 RESULT oid= err=0
qtime=0.000024 etime=0.000299 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 TLS established
tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 BIND
dn="uid=repl-user,ou=users,dc=example,dc=net" method=128
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 BIND
dn="uid=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=1 RESULT tag=97 err=0
qtime=0.000033 etime=0.026849 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SRCH
base="cn=accesslog" scope=2 deref=0
filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SRCH attr=reqDN
reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior reqControls entryCSN
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 syncprov_op_search:
got a persistent search with a
cookie=rid=101,sid=004,csn=20211208190517.239632Z#000000#001#000000
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 syncprov_findbase:
searching
Dez 09 15:20:56 ldap01 slapd[2406]: findbase failed! 32
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=2 SEARCH RESULT tag=101
err=32 qtime=0.000019 etime=0.000166 nentries=0 text=
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 op=3 UNBIND
Dez 09 15:20:56 ldap01 slapd[2406]: conn=1035 fd=18 closed
---------------------
The rid 101 is NOT configured on this host, because it's ldap01.

The same configuration is working on a Debian 10 with the
OpenLDAP packages from Debian.

One more thing: on Debian 10 I see:
----------------------
root@hm-01:~# ss -a | grep ldap | awk '{print$1 " "  $2 " " $5 "   " $6}'
u_str LISTEN /var/run/slapd/ldapi   13381
tcp LISTEN 0.0.0.0:ldaps   0.0.0.0:*
tcp LISTEN 0.0.0.0:ldap   0.0.0.0:*
tcp ESTAB 192.168.56.41:ldap   192.168.56.44:35400
tcp ESTAB 192.168.56.41:ldap   192.168.56.42:57096
tcp ESTAB 192.168.56.41:ldap   192.168.56.43:54992
tcp ESTAB 192.168.56.41:33408   192.168.56.42:ldap
tcp ESTAB 192.168.56.41:50268   192.168.56.43:ldap
tcp LISTEN [::]:ldaps   [::]:*
tcp LISTEN [::]:ldap   [::]:*
----------------------
That is what I expected because of "refreshAndPersist". On the Debian 11 host
with the Symas packages I see:
---------------------
root@ldap01:~# ss -a | grep ldap | awk '{print$1 " "  $2 " " $5 " " $6}'
u_str LISTEN /var/symas/run/ldapi 14159
tcp LISTEN 0.0.0.0:ldaps 0.0.0.0:*
tcp LISTEN 0.0.0.0:ldap 0.0.0.0:*
tcp LISTEN [::]:ldaps [::]:*
tcp LISTEN [::]:ldap [::]:*
---------------------
So there is no permanent connection; the log shows that as well.
Error 32 means "no such object", but which object is missing? The
accesslog DB files are there.

slapd is NOT running as root; I changed all the permissions and
settings to run slapd as an unprivileged user.

I'm lost :-)

Stefan
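As an added example that is not part of the original post, here is a small Python consistency check over a constructed excerpt of a cn=config LDIF modelled on the configuration above: it unfolds LDIF continuation lines, then flags unrendered Jinja-style placeholders, a syncrepl binddn with no dn.exact clause in the olcAccess of the database whose olcSuffix is the syncrepl logbase, and an olcLimits DN on that database that matches no binddn. The PLACEHOLDER and DN_EXACT regexes, the function names and the excerpt itself are my own assumptions, not the poster's file or anything from OpenLDAP.

```python
# Added example (not from the original post): consistency checks over a
# constructed excerpt of a delta-syncrepl cn=config LDIF like the one above.
import re
SAMPLE_LDIF = """\
dn: olcDatabase={3}mdb,cn=config
olcSuffix: cn=accesslog
olcAccess: {0}to dn.subtree="cn=accesslog"
  by dn.exact="uid=repl-user,ou=users,dc={first_dc}},dc=net" read
  by dn.exact="cn=admin,dc=example,dc=net" read
olcLimits: dn.exact="cn=uid=repl-user,dc=example,dc=net" time=unlimited
  size=unlimited

dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: rid=102
  provider=ldap://ldap02.example.net
  binddn=uid=repl-user,ou=users,dc=example,dc=net
  logbase=cn=accesslog
"""
PLACEHOLDER = re.compile(r"\{[a-z_]+\}")           # unrendered Jinja-style leftover
DN_EXACT = re.compile(r'dn\.exact="?([^"\s]+)"?')  # DN in a dn.exact=... clause

def parse_ldif(text):
    """Unfold LDIF continuation lines and group (attr, value) pairs per DN."""
    unfolded = re.sub(r"\n ", "", text)  # newline + one space joins with no separator
    entries, current = {}, None
    for line in unfolded.splitlines():
        if not line or line == "-" or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = entries.setdefault(value.strip(), [])
        elif current is not None:
            current.append((attr.strip(), value.strip()))
    return entries

def check_delta_syncrepl(text):
    """Return human-readable findings; an empty list means every check passed."""
    entries, findings = parse_ldif(text), []
    values = [(dn, a, v) for dn, attrs in entries.items() for a, v in attrs]
    findings += [f"unresolved placeholder in {a} of {dn}: {v}" for dn, a, v in values if PLACEHOLDER.search(v)]
    syncrepl = " ".join(v for _, a, v in values if a == "olcSyncrepl")
    binddns = {b.lower() for b in re.findall(r'binddn="?([^"\s]+)', syncrepl)}
    logbases = {lb.lower() for lb in re.findall(r'logbase="?([^"\s]+)', syncrepl)}
    for dn, attrs in entries.items():  # ACL/limit checks apply to the DB whose suffix is the logbase
        if dict(attrs).get("olcSuffix", "").lower() not in logbases:
            continue
        acl_dns = {d.lower() for a, v in attrs if a == "olcAccess" for d in DN_EXACT.findall(v)}
        limit_dns = [d for a, v in attrs if a == "olcLimits" for d in DN_EXACT.findall(v)]
        findings += [f"binddn {b} has no dn.exact ACL clause on {dn}" for b in sorted(binddns - acl_dns)]
        findings += [f"olcLimits DN {d} on {dn} matches no syncrepl binddn" for d in limit_dns if d.lower() not in binddns]
    return findings
```

On the excerpt as written the function returns three findings; with the placeholder rendered and the olcLimits DN spelled like the binddn it returns an empty list. The ACL and limit checks only run on a database whose olcSuffix equals a syncrepl logbase, so a suffix/logbase mismatch itself is not reported.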
