
I configured my system in this way: Master OpenLDAP 10.100.1.6 and slave OpenLDAP 10.100.1.7

I used this guide: https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html and configured them as follows:

    vim rpuser.ldif (Master and Slave)
    dn: uid=rpuser,dc=mydomain,dc=com
    objectClass: simpleSecurityObject
    objectclass: account
    uid: rpuser
    description: Replication Admin User
    userPassword: secret

ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f rpuser.ldif

Enable logging (Slave)
echo "local4.* /var/log/ldap.log" >> /etc/rsyslog.conf 
systemctl restart rsyslog



vim /etc/default/slapd (Master)
    SLAPD_SERVICES="ldapi:// ldap://LDAP01.mydomain.com"

vim /etc/default/slapd (Slave)
    SLAPD_SERVICES="ldapi:// ldap://LDAP02.mydomain.com"

vim syncprov_mod.ldif  (Master and Slave)
    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib64/openldap
    olcModuleLoad: syncprov.la

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif

vim syncprov.ldif  (Master and Slave)
    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcSyncProvConfig
    olcOverlay: syncprov
    olcSpSessionLog: 100

ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif

vim olcserverid.ldif (Master)
    dn: cn=config
    changetype: modify
    add: olcServerID
    olcServerID: 101

ldapmodify -Y EXTERNAL -H ldapi:/// -f olcserverid.ldif

vim olcserverid.ldif (Slave)
    dn: cn=config
    changetype: modify
    add: olcServerID
    olcServerID: 102

ldapmodify -Y EXTERNAL -H ldapi:/// -f olcserverid.ldif


vim rp.ldif  (Slave)
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcSyncRepl
    olcSyncRepl: rid=101
    provider=ldap://ldap01.mydomain.com:389/
    bindmethod=simple
    binddn="uid=rpuser,dc=mydomain,dc=com"
    credentials=secret
    searchbase="dc=mydomain,dc=com"
    scope=sub
    schemachecking=on
    type=refreshAndPersist
    retry="30 5 300 3"
    interval=00:00:05:00

ldapmodify -Y EXTERNAL  -H ldapi:/// -f rp.ldif

The system worked for a few days but now no longer syncs.

This is the ldap.log

    Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: <= bdb_equality_candidates: (entryUUID) not indexed
    Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
    Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrep2: rid=101 (4) Size limit exceeded
    Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrepl: rid=101 rc -2 retrying (1 retries left)
    Sep 20 12:52:06 BCA-PRD-LDAP02 slapd[5348]: <= bdb_equality_candidates: (entryUUID) not indexed

  • If you're going to do replication you'll want a couple more indexes `olcDbIndex: entryUUID,entryCSN eq`. – 84104 Sep 21 '19 at 16:02
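The log excerpt in the question carries two separate signals: the provider answered the consumer's sync search with LDAP result code 4 (sizeLimitExceeded, so the limit is enforced on the master, which is where any fix has to land), and the consumer's own backend warned that entryUUID is unindexed, which is what the comment's olcDbIndex advice addresses. The script below is an added example, not part of the question, the answers or OpenLDAP itself: it parses consumer-side slapd lines in the format shown above (syslog prefix, then the slapd message) and reports per rid. The sample lines are the question's excerpt, constructed one message per line; the regexes assume the message texts exactly as slapd printed them here.

```python
"""Classify slapd syncrepl consumer log lines (added example, not from the page)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LDAP_SIZELIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded (RFC 4511)

# "Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded"
RESULT_RE = re.compile(
    r"do_syncrep2: rid=(?P<rid>\d+) LDAP_RES_SEARCH_RESULT \((?P<rc>-?\d+)\) (?P<text>.+)"
)
# "do_syncrepl: rid=101 rc -2 retrying (1 retries left)"
RETRY_RE = re.compile(
    r"do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying \((?P<left>\d+) retries left\)"
)
# "<= bdb_equality_candidates: (entryUUID) not indexed"  (mdb_* and *_presence_* look alike)
NOT_INDEXED_RE = re.compile(r"<= \w+_candidates: \((?P<attr>[\w;-]+)\) not indexed")


@dataclass
class RidStatus:
    rid: str
    last_result_code: Optional[int] = None
    last_result_text: str = ""
    retries_left: Optional[int] = None

    @property
    def size_limit_exceeded(self) -> bool:
        return self.last_result_code == LDAP_SIZELIMIT_EXCEEDED


@dataclass
class Diagnosis:
    rids: Dict[str, RidStatus] = field(default_factory=dict)
    unindexed: Set[str] = field(default_factory=set)
    unparsed: List[str] = field(default_factory=list)   # kept so nothing is dropped silently


def parse_slapd_log(lines) -> Diagnosis:
    diag = Diagnosis()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SYSLOG_RE.match(line)
        if m is None:
            diag.unparsed.append(line)
            continue
        msg = m.group("msg")
        r = RESULT_RE.search(msg)
        if r:
            st = diag.rids.setdefault(r["rid"], RidStatus(r["rid"]))
            st.last_result_code = int(r["rc"])
            st.last_result_text = r["text"].strip()
            continue
        r = RETRY_RE.search(msg)
        if r:
            st = diag.rids.setdefault(r["rid"], RidStatus(r["rid"]))
            st.retries_left = int(r["left"])
            continue
        r = NOT_INDEXED_RE.search(msg)
        if r:
            diag.unindexed.add(r["attr"])
        # other chatter (e.g. the "rid=101 (4) Size limit exceeded" summary line) is ignored
    return diag


def findings(diag: Diagnosis) -> List[str]:
    """Plain-language conclusions; the size limit is the provider's, not the consumer's."""
    out = []
    for rid, st in sorted(diag.rids.items()):
        if st.size_limit_exceeded:
            out.append(f"rid={rid}: provider answered sizeLimitExceeded (4) to the sync search; "
                       f"raise olcSizeLimit or add an olcLimits clause for the consumer bind DN on the provider")
        if st.retries_left is not None:
            out.append(f"rid={rid}: {st.retries_left} retries left in the current retry interval")
    for attr in sorted(diag.unindexed):
        out.append(f"{attr} is searched but not indexed; add it to olcDbIndex (e.g. 'olcDbIndex: {attr} eq')")
    return out


# Constructed sample: the question's excerpt, one syslog message per line.
SAMPLE_LOG = """\
Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: <= bdb_equality_candidates: (entryUUID) not indexed
Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrep2: rid=101 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrep2: rid=101 (4) Size limit exceeded
Sep 20 12:47:06 BCA-PRD-LDAP02 slapd[5348]: do_syncrepl: rid=101 rc -2 retrying (1 retries left)
Sep 20 12:52:06 BCA-PRD-LDAP02 slapd[5348]: <= bdb_equality_candidates: (entryUUID) not indexed
""".splitlines()

if __name__ == "__main__":
    for line in findings(parse_slapd_log(SAMPLE_LOG)):
        print(line)
```

Run it against the real file with `parse_slapd_log(open("/var/log/ldap.log"))`; anything that did not match the syslog prefix ends up in `unparsed` rather than being discarded, so a different log format shows up immediately instead of producing an empty diagnosis.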

2 Answers


I found a solution:

vim dbsyzelimit.ldif (Master)

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: 50000

ldapmodify -Y EXTERNAL -H ldapi:/// -f dbsyzelimit.ldif


Rather than modifying the entire server, I tend to use olcLimits.

Typically I'll use group as the selector, but dn.exact seems to be what you're going for, at least for now.

dn.exact example:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: {0}dn.exact=uid=rpuser,dc=example,dc=com size=unlimited time=unlimited

group example:

$ ldapsearch -b cn=config 'olcLimits=*' olcLimits

dn: olcDatabase={0}config,cn=config
olcLimits: {0}group=cn=ldap-admins,ou=groups,dc=example,dc=com size=unlimited
olcLimits: {1}group=cn=ldap-servers,ou=groups,dc=example,dc=com size=unlimited time=unlimited

dn: olcDatabase={2}mdb,cn=config
olcLimits: {0}group=cn=ldap-admins,ou=groups,dc=example,dc=com size=unlimited
olcLimits: {1}group=cn=ldap-servers,ou=groups,dc=example,dc=com size=unlimited time=unlimited
84104
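The two answers differ in scope: the first raises olcSizeLimit for every requester of the database, the second grants unlimited results only to the replication identity via olcLimits. The model below is an added example, not code from either answer or from OpenLDAP; it evaluates olcLimits clauses in {n} order, applies the first one whose selector matches the bound DN, and lets values a clause leaves unset fall back to the database-wide olcSizeLimit/olcTimeLimit (slapd's defaults of 500 entries and 3600 seconds are assumed). It also renders the ldapmodify LDIF for a clause list, which makes the point that `replace: olcLimits` discards every existing value. Only the plain `size=`/`time=` keywords and the `dn.exact`/`base`, `dn.subtree`, `dn.children`, `dn.onelevel`, `dn.regex`, `group`, `users`, `anonymous` and `*` selectors are modelled; group membership comes from a local dict standing in for a directory lookup, and every DN and group name is constructed for the example.

```python
"""Model slapd's choice of size/time limit for a bound DN (added example, not from the page)."""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

DEFAULT_SIZE_LIMIT = 500   # slapd default olcSizeLimit (assumed)
DEFAULT_TIME_LIMIT = 3600  # slapd default olcTimeLimit in seconds (assumed)
Limit = Optional[int]      # None means "unlimited"


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive comparison form; enough for this model."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""


def parse_limit_clause(clause: str) -> Tuple[str, Dict[str, Limit]]:
    """'{0}dn.exact=uid=rpuser,dc=example,dc=com size=unlimited time=unlimited'
    -> ('dn.exact=uid=rpuser,dc=example,dc=com', {'size': None, 'time': None})"""
    tokens = re.sub(r"^\{\d+\}", "", clause.strip()).split()
    selector, limits = tokens[0], {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        if key not in ("size", "time"):      # size.soft/size.hard/size.pr ... not modelled
            raise ValueError(f"limit keyword not modelled here: {tok}")
        limits[key] = None if value in ("unlimited", "none") else int(value)
    return selector, limits


def selector_matches(selector: str, bind_dn: str, groups: Dict[str, Set[str]]) -> bool:
    if selector == "*":
        return True
    if selector == "anonymous":
        return bind_dn == ""
    if selector == "users":
        return bind_dn != ""
    kind, _, pattern = selector.partition("=")
    ndn, npat = normalize_dn(bind_dn), normalize_dn(pattern)
    if kind.split("/")[0] == "group":        # group[/objectClass[/memberAttr]]=<group DN>
        members = next((v for k, v in groups.items() if normalize_dn(k) == npat), set())
        return bool(bind_dn) and ndn in {normalize_dn(m) for m in members}
    if kind == "dn" or kind.startswith("dn."):
        style = kind.partition(".")[2] or "exact"
        if style in ("exact", "base"):
            return ndn == npat
        if style == "regex":
            return re.match(pattern, ndn) is not None
        if style == "subtree":
            return ndn == npat or ndn.endswith("," + npat)
        if style == "children":
            return ndn.endswith("," + npat)
        if style == "onelevel":
            return ndn.endswith("," + npat) and "," not in ndn[: -len(npat) - 1]
    raise ValueError(f"selector not modelled here: {selector}")


def effective_limits(bind_dn: str, clauses: Iterable[str], groups: Dict[str, Set[str]],
                     size_limit: Limit = DEFAULT_SIZE_LIMIT,
                     time_limit: Limit = DEFAULT_TIME_LIMIT) -> Tuple[Limit, Limit]:
    """First matching olcLimits clause wins; otherwise the database-wide values apply."""
    def order(c: str):  # honour {n} prefixes; unprefixed clauses keep list order (stable sort)
        m = re.match(r"^\{(\d+)\}", c.strip())
        return int(m.group(1)) if m else float("inf")
    for clause in sorted(clauses, key=order):
        selector, limits = parse_limit_clause(clause)
        if selector_matches(selector, bind_dn, groups):
            return limits.get("size", size_limit), limits.get("time", time_limit)
    return size_limit, time_limit


def render_limits_ldif(database_dn: str, clauses: Iterable[str]) -> str:
    """LDIF for ldapmodify. 'replace' discards every existing olcLimits value,
    so pass the complete list you want to end up with, not just the new clause."""
    lines = [f"dn: {database_dn}", "changetype: modify", "replace: olcLimits"]
    for i, clause in enumerate(clauses):
        lines.append(f"olcLimits: {{{i}}}" + re.sub(r"^\{\d+\}", "", clause.strip()))
    return "\n".join(lines) + "\n"


# Constructed data: the question's replication user plus the answer's group selector.
RPUSER_DN = "uid=rpuser,dc=example,dc=com"
LDAP_SERVERS_GROUP = "cn=ldap-servers,ou=groups,dc=example,dc=com"
GROUPS = {LDAP_SERVERS_GROUP: {"uid=ldap02,ou=servers,dc=example,dc=com"}}  # stand-in directory
CLAUSES = [
    f"{{0}}dn.exact={RPUSER_DN} size=unlimited time=unlimited",
    f"{{1}}group={LDAP_SERVERS_GROUP} size=unlimited time=unlimited",
]

if __name__ == "__main__":
    for who in (RPUSER_DN, "uid=LDAP02,ou=servers,dc=example,dc=com",
                "uid=alice,ou=people,dc=example,dc=com", ""):
        print(f"{(who or '<anonymous>'):45s} -> size/time {effective_limits(who, CLAUSES, GROUPS)}")
    print(render_limits_ldif("olcDatabase={2}hdb,cn=config", CLAUSES))
```

With the answer's two clauses, rpuser and members of cn=ldap-servers get unlimited results while an ordinary user, or an anonymous bind, still hits the 500-entry default; that is the difference between this approach and raising olcSizeLimit to 50000 for everyone.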