Followup: I had added a ppolicy module to Master but not to Consumer. Thus the message about pwdChangedTime. Adding the module to consumer fixed replication.

-danny

On Fri, Jan 12, 2018 at 4:33 PM, Daniel Howard <[email protected]> wrote:

> Hello,
>
> We have OpenLDAP replication set up based on the docs at
> https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-server-replication
>
> I noticed recently a symptom, whereby a new user exists only on the
> primary.
>
> So, I started to debug:
>
> Master: (ldap0)
>
> 0-16:23 djh@ldap0 ~$ ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN
> dn: dc=qxxxxxxxxd,dc=com
> contextCSN: 20180113002606.399160Z#000000#000#000000
>
> Consumer: (ldap1)
>
> 0-16:23 djh@ldap1 ~$ ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base -b dc=qxxxxxxxxd,dc=com contextCSN
> dn: dc=qxxxxxxxxd,dc=com
> contextCSN: 20171121212631.416502Z#000000#000#000000
>
> Ooohhh, my!
>
> I have a lot of messages like this on the consumer:
>
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=djh,ou=People,dc=qxxxxxxxxd,dc=com, UUID: 29f7fc06-7c2a-1035-83e5-9d6082b37970
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 inserted UUID 29f7fc06-7c2a-1035-83e5-9d6082b37970
> Jan 12 16:28:55 ldap1 slapd[5383]: dn_callback : entries have identical CSN uid=djh,ou=People,dc=qxxxxxxxxd,dc=com 20180113002133.183992Z#000000#000#000000
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 be_search (0)
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 uid=djh,ou=People,dc=qxxxxxxxxd,dc=com
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 entry unchanged, ignored (uid=djh,ou=People,dc=qxxxxxxxxd,dc=com)
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=john,ou=People,dc=qxxxxxxxxd,dc=com, UUID: ddaae880-7c2f-1035-83ed-9d6082b37970
> Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 mods check (pwdChangedTime: attribute type undefined)
> Jan 12 16:28:55 ldap1 slapd[5383]: do_syncrepl: rid=317 rc 17 retrying
>
> What is funny is I can, for example, change the loginshell on my account,
> and that replicates.
>
> Is the latter message about pwdChangedTime a clue that maybe I had a
> schema change on Master that hasn't been applied to Consumer?
>
> Please advise on where to look next? Thanks!
>
> -danny
>
> --
> http://dannyman.toldme.com

--
http://dannyman.toldme.com
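
The two checks in the thread above (comparing contextCSN on both servers, then reading the consumer's syncrepl log for the rejected attribute), as an added Python example that is not part of the original messages. The CSN values and log lines are copied from the quoted message; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# contextCSN values and consumer log lines copied from the quoted message
PROVIDER_CSN = "20180113002606.399160Z#000000#000#000000"
CONSUMER_CSN = "20171121212631.416502Z#000000#000#000000"
CONSUMER_LOG = """\
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_entry: rid=317 entry unchanged, ignored (uid=djh,ou=People,dc=qxxxxxxxxd,dc=com)
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 DN: uid=john,ou=People,dc=qxxxxxxxxd,dc=com, UUID: ddaae880-7c2f-1035-83ed-9d6082b37970
Jan 12 16:28:55 ldap1 slapd[5383]: syncrepl_message_to_entry: rid=317 mods check (pwdChangedTime: attribute type undefined)
Jan 12 16:28:55 ldap1 slapd[5383]: do_syncrepl: rid=317 rc 17 retrying
"""

DN_RE = re.compile(r"syncrepl_message_to_entry: rid=(\d+) DN: (.+?), UUID:")
UNDEF_RE = re.compile(
    r"syncrepl_message_to_entry: rid=(\d+) mods check \(([\w;-]+): attribute type undefined\)")
RETRY_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (\d+) retrying")


def csn_time(csn):
    """Return the UTC timestamp carried in the first '#'-separated CSN field."""
    stamp = csn.split("#", 1)[0]
    return datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def replication_lag(provider_csn, consumer_csn):
    """How far the consumer's contextCSN trails the provider's."""
    return csn_time(provider_csn) - csn_time(consumer_csn)


def schema_failures(log_text):
    """Map each rejected entry DN to the attribute types the consumer lacks."""
    last_dn, failures, retries = {}, {}, []
    for line in log_text.splitlines():
        if m := DN_RE.search(line):
            last_dn[m.group(1)] = m.group(2)       # entry being processed, per rid
        elif m := UNDEF_RE.search(line):
            dn = last_dn.get(m.group(1), "<unknown entry>")
            failures.setdefault(dn, set()).add(m.group(2))
        elif m := RETRY_RE.search(line):           # rc 17 = undefinedAttributeType
            retries.append((m.group(1), int(m.group(2))))
    return failures, retries


if __name__ == "__main__":
    print("consumer is behind by", replication_lag(PROVIDER_CSN, CONSUMER_CSN))
    failures, retries = schema_failures(CONSUMER_LOG)
    for dn, attrs in failures.items():
        print(f"{dn}: consumer schema lacks {sorted(attrs)}")
```

An entry that carries an attribute the consumer's schema does not define stops the refresh at that entry, so the consumer's contextCSN stays at its old value even though changes to entries processed earlier in the refresh still appear.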
