Discussion:
Complex multi-master topology
Patrick
2015-10-01 15:26:16 UTC
Permalink
I've been trying to create a complex multi-master replication of
cn=config for a week now... I'm using the core debian package: slapd
2.4.40+dfsg-1+deb8u1


I've seen someone claiming it could work but cannot find configs related
to this kind of topology.
http://www.slideshare.net/ghenry/openldap-replication-strategies
(slide #24)


When building a simple multimaster (two or three nodes) everything works
as planned. But in the case some nodes cannot talk to others, i cannot
find a way to make it works.


Let's take this example

+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+

and say:
olcSyncRepl: rid=001
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap1
olcSyncRepl: rid=002
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap2
olcSyncRepl: rid=003
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap3

Where initialy:
ldap1 have rid=002
ldap2 have rid=001 and rid=003
ldap3 have rid=002


Soon everyone get rid=001 rid=002 rid=003 and ldap3 cannot talk to ldap1
and it does not work...

And even if i don't care about the connexion between ldap1 and ldap3
failing, the replication does not work either... if ldap1 change
something, it gets replicated to ldap2 but not ldap3.


Also, i've been trying to use exattrs=Syncrepl but if someone change his
Syncrepl, it get deleted on the other node... Someone seems to have
seen this with memberof overlay ?

http://www.openldap.org/lists/openldap-technical/201505/msg00124.html



Anyone have references to help me get to my goal?
--
Patrick Brideau
Administrateur SystÚme
Kronos Technologies - http://www.kronos-web.com
tel: 418 877-5400 p.216
Quanah Gibson-Mount
2015-10-01 20:48:00 UTC
Permalink
Content preview: --On Thursday, October 01, 2015 12:26 PM -0400 Patrick <***@kronostechnologies.com>
wrote: > > I've been trying to create a complex multi-master replication
of > cn=config for a week now... I'm using the core debian package: slapd
2.4.40+dfsg-1+deb8u1 > > > I've seen someone claiming it could work but
cannot find configs related > to this kind of topology. > http://www.slideshare.net/ghenry/openldap-replication-strategies
(slide #24) > > > When building a simple multimaster (two or three nodes)
everything works > as planned. But in the case some nodes cannot talk to
others, i cannot > find a way to make it works. > > > Let's take this example
+-------+ +-------+ +-------+ >| ldap1 | <---> | ldap2 | <---> | ldap3
| > +-------+ +-------+ +-------+ > > and say: > olcSyncRepl: rid=001 > searchbase="cn=config"
type=refreshAndPersist > provider=ldap://ldap1 > olcSyncRepl: rid=002 >
searchbase="cn=config" > type=refreshAndPersist > provider=ldap://ldap2 >
olcSyncRepl: rid=003 > searchbase="cn=config" > type=refreshAndPersist >
provider=ldap://ldap3 > > Where initialy: > ldap1 have rid=002 > ldap2 have
rid=001 and rid=003 > ldap3 have rid=002 > > > Soon everyone get rid=001
rid=002 rid=003 and ldap3 cannot talk to ldap1 > and it does not work... >
And even if i don't care about the connexion between ldap1 and ldap3 >
failing, the replication does not work either... if ldap1 change > something,
it gets replicated to ldap2 but not ldap3. > > > Also, i've been trying to
use exattrs=Syncrepl but if someone change his > Syncrepl, it get deleted
on the other node... Someone seems to have > seen this with memberof overlay
? > > http://www.openldap.org/lists/openldap-technical/201505/msg00124.html
Anyone have references to help me get to my goal? [...]
Content analysis details: (-4.3 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium
trust
[162.209.122.174 listed in list.dnswl.org]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: slideshare.net]
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

--On Thursday, October 01, 2015 12:26 PM -0400 Patrick
I've been trying to create a complex multi-master replication of
cn=config for a week now... I'm using the core debian package: slapd
2.4.40+dfsg-1+deb8u1
I've seen someone claiming it could work but cannot find configs related
to this kind of topology.
http://www.slideshare.net/ghenry/openldap-replication-strategies
(slide #24)
When building a simple multimaster (two or three nodes) everything works
as planned. But in the case some nodes cannot talk to others, i cannot
find a way to make it works.
Let's take this example
+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+
olcSyncRepl: rid=001
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap1
olcSyncRepl: rid=002
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap2
olcSyncRepl: rid=003
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap3
ldap1 have rid=002
ldap2 have rid=001 and rid=003
ldap3 have rid=002
Soon everyone get rid=001 rid=002 rid=003 and ldap3 cannot talk to ldap1
and it does not work...
And even if i don't care about the connexion between ldap1 and ldap3
failing, the replication does not work either... if ldap1 change
something, it gets replicated to ldap2 but not ldap3.
Also, i've been trying to use exattrs=Syncrepl but if someone change his
Syncrepl, it get deleted on the other node... Someone seems to have
seen this with memberof overlay ?
http://www.openldap.org/lists/openldap-technical/201505/msg00124.html
Anyone have references to help me get to my goal?
While I avoid replicating cn=config, we have several customers with 3+ MMR
setups for their back-mdb databases that work just fine. You fail to note
what your *serverID* is set to on each master, as that's required to be
different.

I would suggest you set your log level to "sync stats" and determine why
the various masters are unable to talk to one another.

--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Patrick
2015-10-02 14:42:04 UTC
Permalink
Post by Quanah Gibson-Mount
--On Thursday, October 01, 2015 12:26 PM -0400 Patrick
Post by Patrick
I've been trying to create a complex multi-master replication of
cn=config for a week now... I'm using the core debian package: slapd
2.4.40+dfsg-1+deb8u1
I've seen someone claiming it could work but cannot find configs related
to this kind of topology.
http://www.slideshare.net/ghenry/openldap-replication-strategies
(slide #24)
When building a simple multimaster (two or three nodes) everything works
as planned. But in the case some nodes cannot talk to others, i cannot
find a way to make it works.
Let's take this example
+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+
olcSyncRepl: rid=001
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap1
olcSyncRepl: rid=002
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap2
olcSyncRepl: rid=003
searchbase="cn=config"
type=refreshAndPersist
provider=ldap://ldap3
ldap1 have rid=002
ldap2 have rid=001 and rid=003
ldap3 have rid=002
Soon everyone get rid=001 rid=002 rid=003 and ldap3 cannot talk to ldap1
and it does not work...
And even if i don't care about the connexion between ldap1 and ldap3
failing, the replication does not work either... if ldap1 change
something, it gets replicated to ldap2 but not ldap3.
Also, i've been trying to use exattrs=Syncrepl but if someone change his
Syncrepl, it get deleted on the other node... Someone seems to have
seen this with memberof overlay ?
http://www.openldap.org/lists/openldap-technical/201505/msg00124.html
Anyone have references to help me get to my goal?
While I avoid replicating cn=config, we have several customers with 3+
MMR setups for their back-mdb databases that work just fine. You fail
to note what your *serverID* is set to on each master, as that's
required to be different.
I would suggest you set your log level to "sync stats" and determine why
the various masters are unable to talk to one another.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thanks for the reply.


the serverID config where all set as:

dn: cn=config
objectClass: olcGlobal
[...]
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2
olcServerID: 3 ldap://ldap3


Sorry it was not clear enough, it is by design that ldap1 and ldap3
cannot talk. They are in different networks and ldap2 is the one in
between every networks.


Without sync of cn=config, you replicate olcAccess,schemas,olcDbIndex,
etc manually between servers?



Patrick Brideau
Administrateur SystÚme
Kronos Technologies - http://www.kronos-web.com
tel: 418 877-5400 p.216
Michael Ströder
2015-10-02 18:35:12 UTC
Permalink
Post by Patrick
dn: cn=config
objectClass: olcGlobal
[...]
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2
olcServerID: 3 ldap://ldap3
Note that

1. you should probably use FQDNs instead of short names

2. you must explicitly start slapd to -h ldap://ldap1 etc. to really assign
the server-ID to a certain replica.

BTW: Personally I prefer to not replicate cn=config (I'm using static
configuration anyway) and just add one server ID per instance to avoid the
strong dependency on -h option.

Ciao, Michael.
Geert Hendrickx
2015-10-03 05:59:13 UTC
Permalink
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really >
assign the server-ID to a certain replica. Not in my experience, we have multiple
serverID's in the config and use just -h ldap:/// on each. The serverID matching
the system's hostname is used. This allows for identical configuration everywhere.
[...]

Content analysis details: (-2.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: hendrickx.be]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Cc: Patrick <***@kronostechnologies.com>, openldap-***@openldap.org
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.8 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really >
assign the server-ID to a certain replica. Not in my experience, we have multiple
serverID's in the config and use just -h ldap:/// on each. The serverID matching
the system's hostname is used. This allows for identical configuration everywhere.
[...]

Content analysis details: (-1.8 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: hendrickx.be]
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really
assign the server-ID to a certain replica.
Not in my experience, we have multiple serverID's in the config and
use just -h ldap:/// on each. The serverID matching the system's
hostname is used. This allows for identical configuration everywhere.


Geert
--
geert.hendrickx.be :: ***@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Michael Ströder
2015-10-03 07:20:32 UTC
Permalink
Post by Geert Hendrickx
Post by Michael Ströder
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really
assign the server-ID to a certain replica.
Not in my experience, we have multiple serverID's in the config and
use just -h ldap:/// on each. The serverID matching the system's
hostname is used. This allows for identical configuration everywhere.
Yes, this works.

But in many cases the system's canonical hostname is not the service's
hostname. This will be even more true with today's IPv6 setups.

Ciao, Michael.
Geert Hendrickx
2015-10-03 07:26:05 UTC
Permalink
Yes, this works. > > But in many cases the system's canonical hostname
is not the service's > hostname. This will be even more true with today's
IPv6 setups. [...]

Content analysis details: (-2.0 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: hendrickx.be]
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Cc: openldap-***@openldap.org
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.8 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Yes, this works. > > But in many cases the system's canonical hostname
is not the service's > hostname. This will be even more true with today's
IPv6 setups. [...]

Content analysis details: (-1.8 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: hendrickx.be]
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
Yes, this works.
But in many cases the system's canonical hostname is not the service's
hostname. This will be even more true with today's IPv6 setups.
We use the canonical hostnames for replication between the servers,
exactly because the serverID is tied to the system itself.
And we use service hostnames for queries from external LDAP clients,
because they can float between servers for failover.


Geert
--
geert.hendrickx.be :: ***@hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Patrick
2015-10-02 18:47:03 UTC
Permalink
Post by Michael Ströder
Post by Patrick
dn: cn=config
objectClass: olcGlobal
[...]
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2
olcServerID: 3 ldap://ldap3
Note that
1. you should probably use FQDNs instead of short names
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really assign
the server-ID to a certain replica.
BTW: Personally I prefer to not replicate cn=config (I'm using static
configuration anyway) and just add one server ID per instance to avoid the
strong dependency on -h option.
Ciao, Michael.
Yeah, for simplicity purpose, i removed the fqdn, ssl stuff and
everything from my post... i see i should have included it all.

but yeah, it is all present, starting with -h ldaps://ldap1.fdqn,
getting my /etc/hosts with the required stuff.

it works when every master talk to each other, but i'm one step further
where not every ldap will be available to talk to each other in our prod
environment


This works:

+-------------------------------+
v V
+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+



this doesn.t:

+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+



Patrick Brideau
Administrateur SystÚme
Kronos Technologies - http://www.kronos-web.com
tel: 418 877-5400 p.216
Howard Chu
2015-10-04 18:00:21 UTC
Permalink
Patrick wrote: >>> dn: cn=config >>> objectClass: olcGlobal >>> [...]
3 ldap://ldap3 >> >> Note that >> >> 1. you should probably use FQDNs instead
of short names >> >> 2. you must explicitly start slapd to -h ldap://ldap1
etc. to really assign >> the server-ID to a certain replica. >> >> BTW: Personally
I prefer to not replicate cn=config (I'm using static >> configuration anyway)
and just add one server ID per instance to avoid the >> strong dependency
on -h option. >> >> Ciao, Michael. >> > > Yeah, for simplicity purpose, i
removed the fqdn, ssl stuff and > everything from my post... i see i should
have included it all. > > but yeah, it is all present, starting with -h ldaps://ldap1.fdqn,
getting my /etc/hosts with the required stuff. > > it works when every
master talk to each other, but i'm one step further > where not every ldap
will be available to talk to each other in our prod > environment > > > This
works: > > ++ > v V > +-------+ +-------+ +-------+ > | ldap1 | <---> | ldap2
| <---> | ldap3 | > +-------+ +-------+ +-------+ > > > > this doesn.t: >
+-------+ +-------+ +-------+ > | ldap1 | <---> | ldap2 | <---> | ldap3
| > +-------+ +-------+ +-------+ [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Patrick wrote: >>> dn: cn=config >>> objectClass: olcGlobal >>> [...]
3 ldap://ldap3 >> >> Note that >> >> 1. you should probably use FQDNs instead
of short names >> >> 2. you must explicitly start slapd to -h ldap://ldap1
etc. to really assign >> the server-ID to a certain replica. >> >> BTW: Personally
I prefer to not replicate cn=config (I'm using static >> configuration anyway)
and just add one server ID per instance to avoid the >> strong dependency
on -h option. >> >> Ciao, Michael. >> > > Yeah, for simplicity purpose, i
removed the fqdn, ssl stuff and > everything from my post... i see i should
have included it all. > > but yeah, it is all present, starting with -h ldaps://ldap1.fdqn,
getting my /etc/hosts with the required stuff. > > it works when every
master talk to each other, but i'm one step further > where not every ldap
will be available to talk to each other in our prod > environment > > > This
works: > > ++ > v V > +-------+ +-------+ +-------+ > | ldap1 | <---> | ldap2
| <---> | ldap3 | > +-------+ +-------+ +-------+ > > > > this doesn.t: >
+-------+ +-------+ +-------+ > | ldap1 | <---> | ldap2 | <---> | ldap3
| > +-------+ +-------+ +-------+ [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Patrick
dn: cn=config
objectClass: olcGlobal
[...]
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2
olcServerID: 3 ldap://ldap3
Note that
1. you should probably use FQDNs instead of short names
2. you must explicitly start slapd to -h ldap://ldap1 etc. to really assign
the server-ID to a certain replica.
BTW: Personally I prefer to not replicate cn=config (I'm using static
configuration anyway) and just add one server ID per instance to avoid the
strong dependency on -h option.
Ciao, Michael.
Yeah, for simplicity purpose, i removed the fqdn, ssl stuff and
everything from my post... i see i should have included it all.
but yeah, it is all present, starting with -h ldaps://ldap1.fdqn,
getting my /etc/hosts with the required stuff.
it works when every master talk to each other, but i'm one step further
where not every ldap will be available to talk to each other in our prod
environment
+-------------------------------+
v V
+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+
+-------+ +-------+ +-------+
| ldap1 | <---> | ldap2 | <---> | ldap3 |
+-------+ +-------+ +-------+
Yeah, replicating cn=config is only viable if all servers work with identical
configuration. Making this configuration work would require adding a qualifier
to the syncrepl config to restrict which server nodes it activates on. I think
it would be worthwhile to add a feature for this, but it doesn't exist at the
moment. Feel free to submit an Enhancement request to the ITS.
Patrick Brideau
Administrateur Système
Kronos Technologies - http://www.kronos-web.com
tel: 418 877-5400 p.216
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Michael Ströder
2015-10-04 20:33:42 UTC
Permalink
Post by Howard Chu
Yeah, replicating cn=config is only viable if all servers work with identical
configuration. Making this configuration work would require adding a qualifier
to the syncrepl config to restrict which server nodes it activates on. I think
it would be worthwhile to add a feature for this, but it doesn't exist at the
moment. Feel free to submit an Enhancement request to the ITS.
Wouldn't it make more sense to introduce configuration vars with some filled
by querying system parameters?

Hmm..better not re-invent configuration mgmt systems though...

Ciao, Michael.
Howard Chu
2015-10-04 20:49:44 UTC
Permalink
Content preview: Michael Ströder wrote: > Howard Chu wrote: >> Yeah, replicating
cn=config is only viable if all servers work with identical >> configuration.
Making this configuration work would require adding a qualifier >> to the
syncrepl config to restrict which server nodes it activates on. I think >>
it would be worthwhile to add a feature for this, but it doesn't exist at
the >> moment. Feel free to submit an Enhancement request to the ITS. > >
Wouldn't it make more sense to introduce configuration vars with some filled
by querying system parameters? [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Michael Ströder wrote: > Howard Chu wrote: >> Yeah, replicating
cn=config is only viable if all servers work with identical >> configuration.
Making this configuration work would require adding a qualifier >> to the
syncrepl config to restrict which server nodes it activates on. I think >>
it would be worthwhile to add a feature for this, but it doesn't exist at
the >> moment. Feel free to submit an Enhancement request to the ITS. > >
Wouldn't it make more sense to introduce configuration vars with some filled
by querying system parameters? [...]
Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: highlandsun.com]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Post by Howard Chu
Yeah, replicating cn=config is only viable if all servers work with identical
configuration. Making this configuration work would require adding a qualifier
to the syncrepl config to restrict which server nodes it activates on. I think
it would be worthwhile to add a feature for this, but it doesn't exist at the
moment. Feel free to submit an Enhancement request to the ITS.
Wouldn't it make more sense to introduce configuration vars with some filled
by querying system parameters?
No. That would require a lot of platform-dependent system knowledge and it's
not even needed here.
Hmm..better not re-invent configuration mgmt systems though...
The particular config could be implemented just by adding a serverID keyword
to the syncrepl config clause. Then that particular consumer instance would
only activate if the current server matches the specified serverID(s).
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Loading...