Hi!
Actually when trying to "fix" my configuration, I completely messed it up 8-(
Probably because I could not really understand the relationship and/or meaning
of some configuration attributes:
In an MMR configuration I thought I don't need olcUpdateRef (server sends
updates to another one) because the syncrepl configuration would propagate any
changes.
Likewise I'm unsure about olcMirrorMode (olcMultiProvider): Is it needed for
MMR?
The odd thing is that I have a database configured similar to cn=config (using
MDB), and I can apply a change to config that is accepted, but I cannot apply
the corresponding change to {1}mdb.
The configuration has no updateref, syncrepl, or multiprovider attributes set.
The change tries to add {5}mdb to be used as accesslog, and the server
complains:
adding new entry "olcDatabase={5}mdb,cn=config"
ldap_add: Server is unwilling to perform (53)
additional info: shadow context; no update referral
The failed change looks like this:
ldapmodify -Y EXTERNAL -H ldapi:/// <<LDIF || exit
dn: olcDatabase={5}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {5}mdb
olcAccess: {0}to *
  by dn.exact="uid=syncrepl,ou=system,$CONTEXT" read
  by * break
olcDbDirectory: /var/lib/ldap/changelog-1
olcDbIndex: objectclass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcLimits: dn.exact="uid=syncrepl,ou=system,$CONTEXT"
  size.soft=unlimited
olcDbMaxSize: 104857600
olcRootDN: cn=changelog-1
olcRootPW: log-1
olcSecurity: ssf=128 update_ssf=128 simple_bind=128
olcSuffix: cn=changelog-1
LDIF
I don't understand.
Kind regards
Ulrich Windl
> -----Original Message-----
> From: Ondřej Kuzník <[email protected]>
> Sent: Friday, April 4, 2025 1:01 PM
> To: Windl, Ulrich <[email protected]>
> Cc: [email protected]
> Subject: [EXT] Re: Message "slapd[2734]: config error processing
> olcDatabase={0}config,cn=config: <olcMultiProvider> database is not a
> shadow"
>
> On Fri, Apr 04, 2025 at 05:29:03AM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > While setting up an OpenLDAP-2.5-based MMR configuration I had set up
> > the master node, then dumped the config database, copied the LDIF to
> > the other node. However when starting slapd, it failed with the
> > message
> > slapd[2734]: config error processing olcDatabase={0}config,cn=config:
> > <olcMultiProvider> database is not a shadow
> >
> > See also https://stackoverflow.com/q/6792212/6607497
> >
> > The context of olcMultiProvider is:
> > dn: olcDatabase={0}config,cn=config
> > objectClass: olcDatabaseConfig
> > olcDatabase: {0}config
> > ...
> > olcMultiProvider: TRUE
> >
> > On the first node I had updated the config using this LDIF:
> > dn: olcDatabase=${db},cn=config
> > changetype: modify
> > delete: olcMirrorMode
> > olcMirrorMode: TRUE
> > -
> > add: olcMultiProvider
> > olcMultiProvider: TRUE
>
> Hi Ulrich,
> olcMirrorMode and olcMultiProvider are two names for the same attribute,
> you can get switched over just by slapcat+slapadd'ing the configuration.
>
> > So I don't understand why this won't work on the second node.
> > Specifically I can restart the first node without an issue. The only
> > difference is that the primary node has a patch against crashing on an
> > invalid olcAuthzRegexp (I had reported).
> >
> > Well can anybody explain what this message means?
>
> It's saying you probably don't have an effective olcSyncrepl attribute
> on the database in question so it's not a "shadow" (doesn't replicate
> from anyone). This requirement will be softened somewhat in 2.7 (see
> ITS#9729).
>
> Regards,
>
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
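
Added example, not part of the thread or of OpenLDAP: a small lint over a cn=config export that flags the two states discussed above, multi-provider set on a database with no olcSyncrepl ("database is not a shadow") and olcSyncrepl on a database with neither multi-provider nor olcUpdateRef ("shadow context; no update referral"). The function names, the sample entries, host names and suffix are constructed for illustration.

```python
# Added example: checks attribute presence only, ignores any global olcReferral.
MULTI_ATTRS = ("olcmultiprovider", "olcmirrormode")  # two names, one attribute
def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per LDIF entry."""
    unfolded = text.replace("\n ", "")  # unfold LDIF continuation lines
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
        entries.append(entry)
    return [e for e in entries if e]

def check_replication(text):
    """Return (dn, finding) pairs for olcDatabase entries with a role mismatch."""
    findings = []
    for e in parse_ldif(text):
        if "olcdatabase" not in e or "dn" not in e:
            continue
        shadow = "olcsyncrepl" in e
        multi = any(v.upper() == "TRUE" for a in MULTI_ATTRS for v in e.get(a, []))
        if multi and not shadow:
            findings.append((e["dn"][0], "multi-provider without olcSyncrepl: not a shadow"))
        elif shadow and not multi and "olcupdateref" not in e:
            findings.append((e["dn"][0], "shadow without olcUpdateRef: no update referral"))
    return findings

# Constructed sample shaped like `slapcat -n 0` output; hosts and suffix are placeholders.
SAMPLE = """\
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcMultiProvider: TRUE

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.example.com
  searchbase="dc=example,dc=com" type=refreshAndPersist

dn: olcDatabase={2}mdb,cn=config
olcDatabase: {2}mdb
olcSyncrepl: {0}rid=002 provider=ldap://ldap1.example.com
olcMirrorMode: TRUE
"""

if __name__ == "__main__":
    print(check_replication(SAMPLE))
```

Running the same check on the `slapcat -n 0` output of each node before copying the configuration across shows which database entries differ in replication role.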