Now it works :-) Thanks for the help. Some problems were in front of
the monitor and some were Ansible-specific. Just to verify, here is
my configuration:

first the provider:
-------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapmaster-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapmaster-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}accesslog.la
olcModuleLoad: {3}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig

....

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300

dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 01+00:00 00+04:00
olcAccessLogSuccess: TRUE

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read

dn: olcDatabase={3}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {3}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcAccess: {0} to dn.sub=cn=accesslog by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net read
olcLastMod: TRUE
olcReadOnly: FALSE
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCheckpoint: 0 0
olcDbIndex: reqStart,reqEnd,reqDN,reqResult,entryCSN,objectClass eq
olcDbMode: 0600
olcDbSearchStack: 16

dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
-------------------------

Now one of the consumers:
-----------------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapslave-01-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapslave-01-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcSyncrepl: {0}rid=1 provider=ldaps://ldapmaster.example.net type=refreshAndPersist retry="5 5 300 +" filter="(ObjectClass=*)" scope=sub bindmethod=simple searchbase="dc=example,dc=net" binddn="cn=repl-user,ou=users,dc=example,dc=net" credentials=geheim syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
olcUpdateRef: ldaps://ldapmaster.example.net
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read

-----------------------------

For me the biggest problem was to put the setup into Ansible roles.
Ansible creates a single task for every change; to set up TLS there is
one task for the TLS key and one task for the TLS certificate. The first
task configures the key, then slapd re-reads the configuration and
runs into an error because the certificate is missing, and only then comes
the task for putting the certificate into the configuration. So Ansible must
be configured to ignore the error and then rerun the tasks.

Another problem was that the ldap_entry module from Ansible creates
a new accesslog DB every time the playbook runs. The module does not
check whether the database already exists.

After I finally got it running I got the slapd error 53 that the consumer
is newer than the provider. That was because Ansible runs tasks on all
LDAP servers in parallel, so it can happen that the consumers are created
before the provider, so I had to stop the consumers, delete the DB files
and restart the service before starting the replication.

Now I will put some more comments into my Ansible roles and write a
little documentation on it. As soon as I'm finished I will post a link.

Again, thanks for your help

Stefan

On 15.09.20 at 21:12, Quanah Gibson-Mount wrote:
>
>
> --On Tuesday, September 15, 2020 1:10 PM -0700 Quanah Gibson-Mount
> <[email protected]> wrote:
>
>> To summarize:
>>
>> For delta-syncrepl, the PRIMARY db must have a SYNCPROV and ACCESSLOG
>> overlay defined.  The ACCESSLOG db must have a SYNCPROV overlay defined
>> and it MUST set olcSpNoPresent to TRUE and olcSpReloadHint to TRUE.
>
> Also, overlay order matters.  For any replicated database, the
> SYNCPROV overlay should always be in the {0} index slot (primary or
> accesslog db). If it is delta-syncrepl, the ACCESSLOG overlay should
> be in the {1} index slot on the primary db.
>
> Regards,
> Quanah
>
>
> -- 
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy.
You can get a free certificate at
https://www.dgn.de/dgncert/index.html
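Added example, not code from the thread, from OpenLDAP or from Symas: a small Python script that checks a cn=config LDIF dump (as produced by `slapcat -n 0` or `ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config`) against the delta-syncrepl overlay rules quoted above, and compares the contextCSN values of provider and consumer (the "consumer newer than provider" state behind the result 53 mentioned in the post). The LDIF and ldapsearch output embedded in it are constructed to mirror the posted provider layout; the entry DNs, the server ID and the timestamps are assumptions, and the accesslog DB is located by a plain string comparison of olcSuffix with olcAccessLogDB rather than by DN normalisation.

```python
import re

OVERLAY_DN = re.compile(r"^olcOverlay=\{(\d+)\}(\w+),(olcDatabase=\{-?\d+\}\w+,cn=config)$")
CSN = re.compile(r"^(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

def parse_ldif(text):
    """[(dn, {attr: [values]})]; folded lines joined, comments dropped, '::' values left undecoded."""
    entries, logical = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]                       # LDIF continuation line
        elif raw.startswith("#"):
            continue
        elif raw == "":
            if logical:
                attrs = {}
                for line in logical:
                    key, _, value = line.partition(":")
                    attrs.setdefault(key, []).append(value.strip())
                entries.append((attrs.pop("dn")[0], attrs))
                logical = []
        else:
            logical.append(raw)
    return entries

def check_delta_syncrepl_layout(entries):
    """Rules quoted in the thread: syncprov at {0} on every replicated db, accesslog at {1} on the
    primary, and the accesslog db's own syncprov with olcSpNoPresent and olcSpReloadHint TRUE."""
    overlays = {}                                        # db dn -> {overlay name: (index, attrs)}
    for dn, attrs in entries:
        m = OVERLAY_DN.match(dn)
        if m:
            overlays.setdefault(m.group(3), {})[m.group(2)] = (int(m.group(1)), attrs)
    problems = []
    for db, ovs in overlays.items():
        if "syncprov" in ovs and ovs["syncprov"][0] != 0:
            problems.append(f"{db}: syncprov overlay must be {{0}}, is {{{ovs['syncprov'][0]}}}")
        if "accesslog" not in ovs:
            continue
        idx, attrs = ovs["accesslog"]
        if "syncprov" not in ovs:
            problems.append(f"{db}: delta-syncrepl primary has no syncprov overlay")
        if idx != 1:
            problems.append(f"{db}: accesslog overlay must be {{1}}, is {{{idx}}}")
        logdb = attrs["olcAccessLogDB"][0]
        log_dn = next((d for d, a in entries if a.get("olcSuffix") == [logdb]), None)  # plain string match
        if log_dn is None:
            problems.append(f"{db}: accesslog db {logdb} is not defined")
            continue
        sp_attrs = overlays.get(log_dn, {}).get("syncprov", (None, {}))[1]  # no overlay -> both flags flagged
        for flag in ("olcSpNoPresent", "olcSpReloadHint"):
            if sp_attrs.get(flag, ["FALSE"])[0].upper() != "TRUE":
                problems.append(f"{log_dn}: accesslog db syncprov needs {flag}: TRUE")
    return problems

def parse_csn(value):
    """Split a CSN into (sid, (timestamp, change count, modification number))."""
    m = CSN.match(value)
    if not m:
        raise ValueError(f"not a CSN: {value!r}")
    return m.group(3), (m.group(1), int(m.group(2), 16), int(m.group(4), 16))

def context_csns(entries, suffix):
    """serverID -> CSN tuple for the contextCSN values on the suffix entry."""
    return dict(parse_csn(v) for v in dict(entries).get(suffix, {}).get("contextCSN", []))

def consumer_ahead(provider, consumer):
    """SIDs where the consumer's contextCSN is newer than the provider's (the post's error 53 state)."""
    return sorted(sid for sid, csn in consumer.items() if csn > provider.get(sid, ("", -1, -1)))

# Constructed sample data modelled on the posted provider layout; not a dump of a live server.
PROVIDER_CONFIG = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=net

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config

dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config
olcAccessLogDB: cn=accesslog

dn: olcDatabase={3}mdb,cn=config
olcSuffix: cn=accesslog

dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
"""
# The same layout with the primary db's two overlays in the wrong order.
SWAPPED_CONFIG = (PROVIDER_CONFIG
                  .replace("olcOverlay={0}syncprov,olcDatabase={1}mdb", "olcOverlay={1}syncprov,olcDatabase={1}mdb")
                  .replace("olcOverlay={1}accesslog,", "olcOverlay={0}accesslog,"))
# Constructed output of `ldapsearch -LLL -s base -b dc=example,dc=net contextCSN` on each server.
PROVIDER_CSN = "dn: dc=example,dc=net\ncontextCSN: 20200915191200.123456Z#000000#000#000000\n"
CONSUMER_LAGGING = "dn: dc=example,dc=net\ncontextCSN: 20200915190000.000000Z#000000#000#000000\n"
CONSUMER_AHEAD = "dn: dc=example,dc=net\ncontextCSN: 20200916080000.000000Z#000000#000#000000\n"
if __name__ == "__main__":                               # stand-alone demo
    print(check_delta_syncrepl_layout(parse_ldif(SWAPPED_CONFIG)))
    prov = context_csns(parse_ldif(PROVIDER_CSN), "dc=example,dc=net")
    print(consumer_ahead(prov, context_csns(parse_ldif(CONSUMER_AHEAD), "dc=example,dc=net")))
```

Run against real dumps, `check_delta_syncrepl_layout` returns an empty list for the posted provider layout and one message per violated rule otherwise; `consumer_ahead` returns nothing for a consumer that merely lags and the offending server IDs when a consumer was seeded with data newer than the provider, which is the situation to resolve (by reloading the consumer) before starting replication.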
