Hello, list.
I'm experiencing synchronization problem with my ldap provider-consumer
setup.
Both nodes are running OpenLDAP 2.4.38 (using mdb backend) at x86_64
under Linux 3.7.10.
Both servers synchronize their time with one NTP server, so clocks are in
sync.
I have cn=dhcp,dc=my,dc=org containter which I would like to replicate to
openldap
consumer.
Consumer uses old-fasioned slapd.conf file:
# [... include, acl and logging settings skipped ...]
rootdn "cn=root,dc=my,dc=org"
rootpw [ skipped ]
index objectClass eq
index entryCSN eq
index entryUUID eq
index dlzHostname eq
index dlzZoneName eq
index dlzIPAddr eq
index dlzType eq
index dhcpHWAddress eq
index cn eq,approx,sub
syncrepl rid=1
...
syncrepl rid=2
provider=ldap://172.20.20.207
type=refreshAndPersist
interval=00:00:01:00
retry="60 +"
searchbase="cn=dhcp,dc=my,dc=org"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=dhcpd,ou=services,dc=my,dc=org"
credentials="[ skipped ]"
Problem is that not all changes (adding new objects and changing attributes
of existing
objects) are replicated from master to consumer. I make change on master
by hand, but
I do not see log entries on consumer that changed attribute was replicated.
LDAP provider setup (uses online configuartion):
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my,dc=org
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLimits: {0}group/groupOfNames/member="cn=ldap
admins,ou=groups,dc=my,dc=org" size=unlimited
olcLimits: {1}group/groupOfNames/member="cn=ldap
admins,ou=groups,dc=my,dc=org" time=unlimited
olcLimits:
{2}group/groupOfNames/member="cn=admins,ou=mail,ou=groups,dc=my,dc=org"
size=unlimited
olcLimits:
{3}group/groupOfNames/member="cn=replicators,ou=groups,dc=my,dc=org"
size=unlimited time=unlimited
User uid=dhcpd,ou=services,dc=my,dc=org is member of group
cn=replicators,ou=groups,dc=my,dc=org.
dn: cn=Replicators,ou=Groups,dc=my,dc=org
cn: Replicators
member: uid=dhcpd,ou=services,dc=my,dc=org
Indices on master server:
olcDbIndex: dhcpHWAddress,dhcpClassData eq
ACL for cn=dhcp,dc=my,dc=org container (I have only one ACL entry, that
mentions cn=dhcp,dc=my,dc=org):
...
olcAccess: {15}to dn.subtree="cn=dhcp,dc=my,dc=org"
by group/groupOfNames/member.exact="cn=dhcp
readers,ou=dhcp,ou=groups,dc=my,dc=org" read
by group/groupOfNames/member.exact="cn=dhcp
writers,ou=dhcp,ou=groups,dc=my,dc=org" write
...
dn: cn=dhcp readers,ou=dhcp,ou=Groups,dc=my,dc=org
cn: dhcp readers
objectClass: groupOfNames
objectClass: top
member: uid=dhcpd,ou=Services,dc=my,dc=org
So for now I checked following:
1. Clocks on both server (both are in sync)
2. ACL for replication DN (replication user is able to read all needed
data).
3. Size and time limits for replication DN (replication user has no limits
on operations).
4. Schema (objectClasses and attrubutes) on both servers (both nodes use
same schemas).
5. Disable indices on consumer server for replicated attributes from
cn=dhcp,dc=my,dc=org container (not helped)
What else I can check?
BTW, I would be pleased if someone give somekind of systematic approach for
troubleshooting OpenLDAP replication issues.
