The problem is solved,
in my configuration I wrote:
----------------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcmdbConfig
----------------
but with 2.6 ldapmodify is looking for:
objectClass: olcMdbConfig

so it must be a capital "M". With a small "m" you will get "err=53"
"server unwilling to perform"

@Quanah: In your blog about mmr it's also with a small "m", maybe you
can change it.




On 07.12.21 at 16:52, Stefan Kania wrote:
> Hi to all,
> 
> is it now safe to use mmr of cn=config with OpenLDAP 2.6? I got it
> running with 4 servers.
> I'm installing all 4 servers with Ansible so I created a basic configuration:
> ------------------
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcLogLevel: sync
> olcLogLevel: stats
> olcPidFile: /var/symas/run/slapd.pid
> olcArgsFile: /var/symas/run/slapd.args
> olcToolThreads: 1
> olcServerID: 4
> 
> dn: cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: schema
> 
> # Read all needed schema from variable in default/main.yml
> include: file:///opt/symas/etc/openldap/schema/core.ldif
> include: file:///opt/symas/etc/openldap/schema/cosine.ldif
> include: file:///opt/symas/etc/openldap/schema/nis.ldif
> include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif
> include: file:///opt/symas/etc/openldap/schema/dyngroup.ldif
> include: file:///opt/symas/etc/openldap/schema/kerberos.openldap.ldif
> 
> # Read all modules from variable in default/main.yml
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /opt/symas/lib/openldap
> olcModuleLoad: back_mdb
> olcModuleLoad: back_monitor
> olcModuleLoad: autoca.la
> olcModuleLoad: otp.la
> olcModuleLoad: argon2.la
> olcModuleLoad: syncprov
> olcModuleLoad: back_monitor
> olcModuleLoad: accesslog.la
> 
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcSizeLimit: 500
> olcAccess: {0}to *
>   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
>   by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
>   by * break
> olcAccess: {1}to dn=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcPasswordHash: {ARGON2}
> 
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
> 
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootDN: cn=admin,cn=config
> olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
> olcAccess: {0}to *
>   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
>   by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
>   by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write
>   by * break
> 
> dn: olcDatabase={1}monitor,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {1}monitor
> olcAccess: {0}to dn.subtree="cn=monitor"
>   by dn.exact=cn=admin,cn=config read
>   by dn.exact=cn=admin,dc=example,dc=net read
> 
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcmdbConfig
> olcDatabase: {2}mdb
> olcSuffix: dc=example,dc=net
> olcRootDN: cn=admin,dc=example,dc=net
> olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
> olcSizeLimit: unlimited
> olcTimeLimit: unlimited
> olcDbCheckpoint: 512 30
> olcDbDirectory: /var/symas/openldap-data
> olcDbIndex: default eq
> olcDbIndex: objectClass
> olcDbIndex: entryUUID
> olcDbIndex: entryCSN
> olcDbIndex: cn pres,eq,sub
> olcDbIndex: uid pres,eq,sub
> olcDbIndex: mail pres,eq,sub
> olcDbIndex: sn pres,eq,sub
> olcDbIndex: description pres,eq,sub
> olcDbIndex: title pres,eq,sub
> olcDbIndex: givenName pres,eq,sub
> olcDbMaxSize: 85899345920
> olcAccess: {0} to *
>   by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
>   by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage
>   by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write
>   by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
>   by * break
> olcAccess: {1}to dn.exact=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcAccess: {3} to attrs=userPassword
>   by anonymous auth by self write by * none
> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
>   time=unlimited
>   size=unlimited
> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
>   time=unlimited
>   size=unlimited
> 
> ------------------
> The "ServerID" is different for every server, everything else is
> identical.
> 
> Then I created a file to change the serverID:
> ------------------
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1 ldap://ldap01.example.net
> olcServerID: 2 ldap://ldap02.example.net
> olcServerID: 3 ldap://ldap03.example.net
> olcServerID: 4 ldap://ldap04.example.net
> ------------------
> 
> and a file to configure the replication:
> ------------------
> dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
> 
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcSyncRepl
> olcSyncRepl: rid=1
>   provider=ldap://ldap01.example.net
>   binddn="cn=admin,cn=config"
>   bindmethod=simple
>   credentials=secret
>   searchbase="cn=config"
>   type=refreshAndPersist
>   retry="5 5 300 20"
>   timeout=1
>   starttls=yes
> olcSyncRepl: rid=2
>   provider=ldap://ldap02.example.net
>   binddn="cn=admin,cn=config"
>   bindmethod=simple
>   credentials=secret
>   searchbase="cn=config"
>   type=refreshAndPersist
>   retry="5 5 300 20"
>   timeout=1
>   starttls=yes
> olcSyncRepl: rid=3
>   provider=ldap://ldap03.example.net
>   binddn="cn=admin,cn=config"
>   bindmethod=simple
>   credentials=secret
>   searchbase="cn=config"
>   type=refreshAndPersist
>   retry="5 5 300 20"
>   timeout=1
>   starttls=yes
> olcSyncRepl: rid=4
>   provider=ldap://ldap04.example.net
>   binddn="cn=admin,cn=config"
>   bindmethod=simple
>   credentials=secret
>   searchbase="cn=config"
>   type=refreshAndPersist
>   retry="5 5 300 20"
>   timeout=1
>   starttls=yes
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
> ------------------
> 
> When I configure the server via Ansible (everything in one playbook) the
> replication of cn=config is not working. When I only do the basic
> configuration via Ansible and then add the change of serverID and then
> the replication of cn=config step by step on every single server:
> -------------
> ldapmodify -Y EXTERNAL -H ldapi:/// -f serverid.ldif
> ldapmodify -Y EXTERNAL -H ldapi:/// -f repl_config.ldif
> -------------
> everything is fine. The two files "serverid.ldif" and "repl_config.ldif"
> are the files Ansible created, so the content of the file is the same.
> 
> Can it be that the problem is because Ansible first sets all the
> ServerIDs on all servers and then configures the replication of cn=config
> on all servers?
> 
> 
> For setting up the configuration I took:
> https://www.openldap.org/devel/admin/replication.html
> Starting at 18.3.3
> 
> What I don't understand: Do I really have to put all servers in the
> replication, even the server itself? So do I really have to add on
> Server-01 the servers "server-01, server-02, server-03, server-04" to
> the replication? Doesn't it mean that server-01 is replicating to
> itself? If it's correct, can someone explain why? Or did I understand
> something wrong on the webpage?
> 
> Stefan
> 
> 
> 
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
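The two pitfalls in this thread (the lower-case objectClass that makes slapd answer err=53, and a per-server syncrepl list that has to match the olcServerID URLs) can be caught before ldapmodify is ever run. The Python pre-flight linter below is an added example, not code from the OpenLDAP project or from the posters; its canonical class list is a constructed subset of the config schema covering only the classes that appear in the thread, and the sample LDIF is constructed here to model the fragments above.

```python
"""Pre-flight lint for cn=config LDIF before it is fed to ldapmodify.
Added example for this thread, not OpenLDAP project code."""
import re
import sys

# Canonical spellings of the config objectClasses seen in the thread.
# Constructed subset of the OpenLDAP config schema, not the full list.
CANONICAL_CLASSES = {
    "olcGlobal", "olcSchemaConfig", "olcModuleList", "olcDatabaseConfig",
    "olcFrontendConfig", "olcBackendConfig", "olcMdbConfig",
    "olcOverlayConfig", "olcSyncProvConfig"}
_BY_LOWER = {c.lower(): c for c in CANONICAL_CLASSES}


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(ldif_text):
    """Split unfolded LDIF into (dn, [(attribute, value), ...]) tuples."""
    entries, current = [], None
    for line in unfold(ldif_text):
        if line.startswith("#"):
            continue                      # comments never end an entry
        if not line.strip():              # blank line ends the entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    if current is not None:
        entries.append(current)
    return entries


def lint(ldif_text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_entries(ldif_text)
    findings = []
    # Every URL declared via olcServerID (multi-provider setups list one per server).
    server_urls = set()
    for _dn, attrs in entries:
        for attr, value in attrs:
            if attr.lower() == "olcserverid" and len(value.split()) > 1:
                server_urls.add(value.split()[1].rstrip("/").lower())
    for dn, attrs in entries:
        seen_rids = set()
        for attr, value in attrs:
            name = attr.lower()
            if name == "objectclass":
                canonical = _BY_LOWER.get(value.lower())
                if canonical and value != canonical:
                    findings.append(f"{dn}: objectClass '{value}' should be spelled '{canonical}'")
            elif name == "olcsyncrepl":
                rid = re.search(r"\brid=(\d+)", value)
                if rid is None:
                    findings.append(f"{dn}: olcSyncRepl without rid=")
                elif rid.group(1) in seen_rids:
                    findings.append(f"{dn}: duplicate syncrepl rid={rid.group(1)}")
                else:
                    seen_rids.add(rid.group(1))
                provider = re.search(r"\bprovider=(\S+)", value)
                if provider and server_urls and \
                        provider.group(1).rstrip("/").lower() not in server_urls:
                    findings.append(f"{dn}: provider {provider.group(1)} has no matching olcServerID URL")
    return findings


# Constructed sample modelled on the thread: one lower-case objectClass,
# a duplicated rid and a provider that is missing from olcServerID.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://ldap01.example.net
olcServerID: 2 ldap://ldap02.example.net

dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcAccess: {0}to *
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=1
  provider=ldap://ldap01.example.net
  binddn="cn=admin,cn=config"
  type=refreshAndPersist
olcSyncRepl: rid=1
  provider=ldap://ldap03.example.net
  binddn="cn=admin,cn=config"
  type=refreshAndPersist
-
add: olcMirrorMode
olcMirrorMode: TRUE
"""

if __name__ == "__main__":
    # Usage: python lint_config_ldif.py repl_config.ldif (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    problems = lint(text)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it against the Ansible-generated serverid.ldif and repl_config.ldif on each host before the ldapmodify step; a non-zero exit stops the playbook at the host that has the mismatch rather than leaving that host out of the cn=config replication silently.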


