> On 24 Jan 2024, at 18:39, Quanah Gibson-Mount <[email protected]> wrote:
> 
> 
> 
> --On Wednesday, January 24, 2024 8:28 AM +0200 Viktor Keremedchiev 
> <[email protected]> wrote:
> 
>> Hello,
>> I'm somewhat inexperienced with LDAP on the server side of things.
>> I'm importing OpenLDAP 2.4 into 2.6.3 (Rocky Linux 9). My goal is to
>> have 2 N-way (or multi-master*) LDAP nodes. I've changed hdb to mdb,
>> created the accesslog folder, fixed permissions, SSL etc.
>> The import doesn't throw any errors. My understanding is that I need to
>> have cn=config replication, as well as my small dc=domain,dc=com,
>> replication as well
> 
> It is not required to have cn=config replication. And I would note that 
> OpenLDAP 2.6.3 is fairly old at this point with significant fixes done to the 
> 2.6 series since its release.  I'd advise using a current release of OpenLDAP 
> 2.6.
> 
Got it


>> The cn=config replication I call via this on both nodes followed by
>> restarts
>> 
>> 
>> dn: cn=config
>> changetype: modify
>> replace: olcServerID
>> olcServerID: 1
> 
> Each server must have its own, unique, serverID.  If you are going to use 
> cn=config replication, then you *must* use the
> 
> olcServerID: # URI
> 

If I use olcServerID: 1 ldaps://prod-ldap1.domain.com, the server doesn't start
after the ldapmodify.
> 
> format.
> 
>> 
>> Now once I do that I've experimented with changing the olcLogLevel and
>> it seems to work. The rid's on each node are different server2 has
>> rid=002, server 1 has rid=001 as well as different olcServerID
> 
> RIDs must be unique INSIDE a particular server, but different servers can use 
> the same RID values.
> 

Got it

>> What am I doing wrong? Perhaps more than one thing
> 
> I'd suggest starting with just getting back-mdb replication working between 
> the nodes.
> 
> Side note, your configuration for the accesslog DB is missing an index on 
> 'reqDN'.
> 

Added
> --Quanah
> 
> 

I think I've been trying to add syncprov and accesslog overlays that I already
have:
dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config

but then also unnecessarily adding
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config

I've also spotted in the logs that if I have olcMirrorMode twice, for cn=config
and for the domain, the log says it is already enabled. But if I remove the
second one it tells me that I'm missing a referral when I ldapsearch/update any
of the nodes.

Viktor

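Added example, not from either poster: the `olcServerID: # URI` form Quanah refers to, plus the reqDN index he mentions, written as LDIF that can be applied identically on both nodes. The hostnames, and the assumption that the accesslog database is olcDatabase={2}mdb, are placeholders taken from the thread, not verified values.

```ldif
# Added example (not from the thread). With the multi-valued form every node
# gets the same entry; slapd picks its own ID by matching the URI against the
# listener URLs it was started with, so each URI must match that node's
# actual listener (scheme and hostname) or the node ends up without an ID.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldaps://prod-ldap1.domain.com
olcServerID: 2 ldaps://prod-ldap2.domain.com

# The reqDN index Quanah says is missing; {2}mdb is assumed to be the
# accesslog database here. Equality is what the consumer's queries need.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: reqDN eq
```

After applying, confirm with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base olcServerID` on each node that both values are present; a node whose listener URL does not match either URI is the usual reason a restart fails or the node has no serverID.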