Hi,

For security reasons we do a slapcat every night on our main ldapserver and… we have a small desynchronization between our servers during the slapcat…

There is no need for authentication to get the contextCSN, and if you use ldapi you don't need the network.

f.g.

> On 13 Oct 2023 at 15:20, cYuSeDfZfb cYuSeDfZfb <[email protected]> wrote:
>
> Hi,
>
> We are running replication checks, including one where we compare
> "slapcat | grep contextCSN" output across our 4 different openldap 2.5 MRR servers.
>
> Relevant config (on each server identically through ansible)
>
> database mdb
> maxsize 10737418240
> suffix "o=company,c=com"
> rootdn "cn=ldapadmin,o=company,c=com"
> rootpw {SSHA}h9xyz.....
> directory /var/symas/openldap-data
> overlay syncprov
> syncprov-checkpoint 100 1
>
> Now using this config, we would expect the contextCSN to be fairly up-to-date
> across all servers, however, this is not always the case.
>
> There are occasions where servers' contextCSN become 'outdated', while others
> are up-to-date.
> If we query contextCSN through ldapsearch, the correct contextCSN is returned
> on all servers.
>
> This situation can remain for long, and restarting openldap solves it
> immediately.
>
> We could of course change our logging to query contextCSN through an
> ldapsearch, but we see advantages (no network, no authentication, etc, etc)
> in using slapcat as well.
>
> Is there anything we can do to update on-disk contextCSN more often..?
> We would expect "syncprov-checkpoint 100 1" to take care of this..?
>
> Have a nice weekend, everybody!
>
> MJ

--
Frédéric Goudal
Systems Engineer, DSI
Bordeaux-INP
+33 556 84 23 11
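
The replication check discussed in this thread, as an added example that is not part of either message: it parses contextCSN values from slapcat or ldapsearch output and reports, per server ID, which source holds an older value and by how many seconds. The server names, the sample CSN values and the function names are constructed for illustration; the ldapsearch invocation in the comment is one typical anonymous ldapi query, not a command taken from the thread.

```python
import re
from datetime import datetime, timezone

# Value layout: <UTC time>.<microseconds>Z#<change count>#<server ID>#<mod number>
# Input is LDIF text, e.g. from `slapcat | grep contextCSN` or from
# ldapsearch -x -H ldapi:/// -LLL -s base -b "o=company,c=com" contextCSN
CSN_RE = re.compile(
    r"^contextCSN:\s*(\d{14}\.\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#[0-9a-fA-F]{6}\s*$",
    re.M,
)

def extract_csns(ldif_text):
    """Return {server_id: (utc_time, change_count)}, newest value per SID."""
    csns = {}
    for stamp, count, sid in CSN_RE.findall(ldif_text):
        when = datetime.strptime(stamp, "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)
        key, sid = (when, int(count, 16)), int(sid, 16)
        if sid not in csns or key > csns[sid]:
            csns[sid] = key
    return csns

def find_lag(outputs, min_lag_seconds=0.0):
    """Return [(source, sid, seconds_behind)] for every source holding an older
    CSN than the newest one seen for that SID; None means the SID is missing."""
    parsed = {name: extract_csns(text) for name, text in outputs.items()}
    findings = []
    for sid in sorted({s for csns in parsed.values() for s in csns}):
        newest = max(csns[sid] for csns in parsed.values() if sid in csns)
        for name in sorted(parsed):
            have = parsed[name].get(sid)
            if have is None:
                findings.append((name, sid, None))
            elif have < newest:
                lag = (newest[0] - have[0]).total_seconds()
                if lag >= min_lag_seconds:
                    findings.append((name, sid, lag))
    return findings

# Constructed sample: ldap3's on-disk copy is stale for SID 002.
FRESH = ("dn: o=company,c=com\n"
         "contextCSN: 20231013131955.000000Z#000000#001#000000\n"
         "contextCSN: 20231013132001.500000Z#000000#002#000000\n")
STALE = FRESH.replace("20231013132001.500000Z", "20231013130001.500000Z")
SAMPLE = {"ldap1": FRESH, "ldap2": FRESH, "ldap3": STALE}

if __name__ == "__main__":
    for name, sid, lag in find_lag(SAMPLE):
        print(f"{name}: SID {sid:03x} is {lag} s behind")
```

Passing the slapcat output and the ldapsearch output of the same server as two sources shows the on-disk versus in-memory gap described in the quoted question.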
