Okay, I changed the olcSyncrepl type to refreshAndPersist and removed the interval settings.
It seems to work now, although I don't really understand why.

Thanks for your help on ACLs.

Regards,
Vincent

On 15/01/2020 at 17:27, Vincent Ducot wrote:
>
> Hi,
>
> You can find below my full config.
>
> To be more precise, my problem is:
>
> - I add a user on node1, it's replicated on node2
> - I add a second user (or group) on node2, it's not replicated on node2.
> In the logs, I get
>
> Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
> Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
> Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
> Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90952132-c578-1039-8aef-6f411f63000a, dn cn=admin,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909a0760-c578-1039-8af0-6f411f63000a, dn ou=people,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 909b4666-c578-1039-8af1-6f411f63000a, dn ou=groups,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a1f5e84-c578-1039-918d-7129ec86f31a, dn uid=appadmin,ou=people,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 9a48db24-c578-1039-918e-7129ec86f31a, dn cn=admins-for-app,ou=groups,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
> Jan 15 16:11:22 node2 slapd[2465]: slap_queue_csn: queueing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
> Jan 15 16:11:22 node2 slapd[2465]: slap_graduate_commit_csn: removing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
>
> What does "nonpresent_callback" mean?
>
> I also tested with the replication user in a different database, as suggested on this mailing list, but the result is the same.
>
>
> Regards,
>
> Vincent
>
>
> # config
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcDisallows: bind_anon
> olcLogLevel: any
> olcPidFile: /var/run/slapd/slapd.pid
> olcRequires: authc
> olcToolThreads: 1
> olcServerID: 0 ldap:///
> olcServerID: 1 ldap://node1-vpn
> olcServerID: 2 ldap://node2-vpn
>
> # module{0}, config
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_mdb
>
> # module{1}, config
> dn: cn=module{1},cn=config
> objectClass: olcModuleList
> cn: module{1}
> olcModuleLoad: {0}syncprov.la
>
> # {0}mdb, config
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
>
> # {-1}frontend, config
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=Subschema" by * read
> olcSizeLimit: 500
>
> # {0}config, config
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=nodomain
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1}to attrs=shadowLastChange by self write by * read
> olcAccess: {2}to * by * read
> olcLastMod: TRUE
> olcRequires: authc
> olcRootDN: cn=admin,dc=nodomain
> olcRootPW: {SSHA}HdZbPd66TxCjeYEIAASbAQTnvFh3GOTw
> olcDbCheckpoint: 512 30
> olcDbIndex: objectClass eq
> olcDbIndex: cn,uid eq
> olcDbIndex: uidNumber,gidNumber eq
> olcDbIndex: member,memberUid eq
> olcDbMaxSize: 1073741824
>
> # {2}mdb, config
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {2}mdb
> olcDbDirectory: /var/foobar/ldap
> olcSuffix: dc=foo,dc=bar
> olcAccess: {0}to attrs=userPassword by anonymous auth by self write by dn.exact="cn=rpuser,dc=foo,dc=bar" read
> olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
> olcLastMod: TRUE
> olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
> olcRequires: authc
> olcRootDN: cn=admin,dc=foo,dc=bar
> olcRootPW: {SSHA}zL8CSrnkBacsebLUsJ+dzva6eQ7xcyZJ
> olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
> olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
> olcMirrorMode: TRUE
> olcDbCheckpoint: 512 30
> olcDbIndex: objectClass eq
> olcDbIndex: entryUUID eq
> olcDbIndex: entryCSN eq
> olcDbMaxSize: 1073741824
>
> # {0}syncprov, {2}mdb, config
> dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: {0}syncprov
>
>
> On 13/01/2020 at 20:31, Quanah Gibson-Mount wrote:
>>
>>
>> --On Monday, January 13, 2020 6:32 PM +0100 Vincent Ducot <[email protected]> wrote:
>>
>>>
>>> Ok, I thought the rule matched if "by" also matched. Thanks for shedding light on it.
>>>
>>> I applied the olcAccess you proposed.
>>>
>>> I still have the problem of deletion of the "dc=foo,dc=bar" tree on node2, for example when I add a user on node1. Any idea why?
>>
>> Not off the top of my head. Without full configs for both servers or an understanding of the state of the replicated databases on each server, it would all be random speculation.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>> <http://www.symas.com>
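The thread turns on two things that are easy to get wrong when reading a cn=config dump by hand: the olcSyncrepl directives arrive folded across several LDIF lines (which is why "type=r / efreshOnly" looks broken in the quoted mail), and the syncrepl log lines only make sense once they are grouped by rid. The script below is an added example, not code from the thread or from OpenLDAP: it unfolds LDIF per RFC 2849, parses each olcSyncrepl value into its options, reports consumers still running refreshOnly (the setting the poster changed to refreshAndPersist) or binding with a simple password over plain ldap://, and summarizes do_syncrep2 / nonpresent_callback log lines per rid. The LDIF and log samples are constructed to mirror the thread; the credential value is a placeholder.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: cn=config fragment as slapcat folds it (continuation
# lines start with one space). Password is a placeholder, not the thread's.
SAMPLE_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
olcSuffix: dc=foo,dc=bar
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=EXAMPLE_PASSWORD searchbase="dc=foo,dc=bar" type=r
 efreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,
 dc=bar" bindmethod=simple credentials=EXAMPLE_PASSWORD searchbase="dc=foo,dc=bar" type=r
 efreshAndPersist retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
"""

# Constructed sample log lines in the format quoted in the thread.
SAMPLE_LOG = """\
Jan 15 16:11:21 node2 slapd[2465]: do_syncrep2: rid=102 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT
Jan 15 16:11:22 node2 slapd[2465]: do_syncrep2: rid=101 cookie=rid=101,csn=20200115102817.516155Z#000000#000#000000
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 90915624-c578-1039-97ac-bb4be13c2c82, dn dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: nonpresent_callback: rid=101 present UUID 3032f6b0-cbcd-1039-952e-fb0cd8c5af02, dn uid=testuser,dc=foo,dc=bar
Jan 15 16:11:22 node2 slapd[2465]: slap_queue_csn: queueing 0x7f4628103420 20200115102817.516155Z#000000#000#000000
"""

ORDER_PREFIX = re.compile(r"^\{-?\d+\}")   # the {0}, {1} ordering tags in cn=config
LOG_RE = re.compile(r"slapd\[\d+\]: (?P<func>\w+): rid=(?P<rid>\d+) ?(?P<rest>.*)")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_syncrepl(ldif_text):
    """Return one {option: value} dict per olcSyncrepl directive."""
    consumers = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("olcSyncrepl:"):
            continue
        value = ORDER_PREFIX.sub("", line.split(":", 1)[1].strip())
        opts = {}
        for token in shlex.split(value):        # shlex keeps quoted binddn/retry values whole
            key, _, val = token.partition("=")  # first '=' only: binddn=uid=...,dc=bar stays intact
            opts[key] = val
        consumers.append(opts)
    return consumers


def audit_consumers(consumers):
    """Per rid, list the settings worth a second look: refreshOnly polling and unprotected simple binds."""
    findings = {}
    for c in consumers:
        notes = []
        if c.get("type", "refreshOnly") == "refreshOnly":   # refreshOnly is slapd's default type
            notes.append("refreshOnly: consumer only polls, interval=%s" % c.get("interval", "1 day (default)"))
        plain = c.get("provider", "").startswith("ldap://") and "starttls" not in c
        if c.get("bindmethod") == "simple" and plain:
            notes.append("simple bind without TLS: replication password travels in clear")
        findings[c["rid"]] = notes
    return findings


def summarize_log(log_text):
    """Group syncrepl log lines by rid: refresh phases, last cookie, and entries the provider reported present."""
    summary = defaultdict(lambda: {"phases": [], "present": [], "cookie": None})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # slap_queue_csn etc. carry no rid
        rid, func, rest = m["rid"], m["func"], m["rest"]
        if func == "do_syncrep2":
            if rest.startswith("cookie="):
                summary[rid]["cookie"] = rest[len("cookie="):]
            else:
                summary[rid]["phases"].append(rest)
        elif func == "nonpresent_callback" and rest.startswith("present UUID"):
            summary[rid]["present"].append(rest.split(", dn ", 1)[1])
    return dict(summary)


if __name__ == "__main__":
    for rid, notes in audit_consumers(parse_syncrepl(SAMPLE_LDIF)).items():
        print("rid=%s: %s" % (rid, "; ".join(notes) or "no findings"))
    for rid, info in summarize_log(SAMPLE_LOG).items():
        print("rid=%s phases=%s present=%d entries" % (rid, info["phases"], len(info["present"])))
```

Run it against `slapcat -n0` output and the slapd log of the consumer that stops receiving changes; a rid whose refresh phase ends with LDAP_RES_SEARCH_RESULT and whose "present" list covers every entry in the tree has simply told you that the provider had nothing new to send for that poll, which is what the 20-second refreshOnly interval in the thread produces between polls.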
