Full_Name: JPh Ayanides Version: 2.4.47 OS: Linux Debian URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (195.46.216.78)
Hello, I cannot get the following configuration to work. Instead, OpenLDAP crashes.
I have 2 OpenLDAP servers in master-slave: the slave is installed on a machine named rada, and the master is installed on another machine named simby. ppolicy is activated on rada and simby, and I use chain and updateref in order to sync ppolicy failures coming from rada back to simby. When I test that feature by trying a bind with a wrong password, OpenLDAP on the slave crashes. I have not managed to understand why, even with gdb.
Here is the configuration of rada:
---------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
# Schema and objectClass definitions
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
conn_max_pending 250
idletimeout 600
timelimit time.soft=60
timelimit time.hard=60
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload ppolicy
moduleload back_ldap
moduleload pw-sha2
password-hash {SSHA512}
TLSVerifyClient never
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/auth.gdr.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/auth.gdr.crt
TLSCACertificatePath /appli/openldap-preprod/etc/ca/
overlay chain
chain-uri ldaps://simby.example:637
chain-idassert-bind bindmethod="simple" binddn="uid=mirrormode,dc=example" credentials="secret" mode="self" tls_reqcert=allow
chain-tls none
chain-return-error TRUE
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXX
dbconfig set_cachesize 0 128000000 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
directory "/appli/openldap-preprod/var/openldap-data"
index objectClass,entryCSN,entryUUID eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
lastmod on
syncrepl rid=002 provider=ldap://simby.example:390 binddn="uid=mirrormode,dc=example" credentials=secret bindmethod=simple searchbase="dc=example" schemachecking=off type=refreshAndPersist retry="60 +" tls_cacert="/appli/openldap-preprod/etc/ca/CADSI.pem" tls_reqcert=allow starttls=yes
updateref ldaps://simby.example:637
access to attrs=userPassword
    by dn="cn=admin,dc=example" write
    by dn="cn=acadmin,dc=example" write
    by dn="uid=mirrormode,dc=example" read
    by dn="uid=rsasecureid,dc=example" auth
    by anonymous auth
    by dn="uid=test,ou=People,dc=example" none
    by * none
access to attrs=shadowLastChange
    by dn="cn=admin,dc=example" write
    by dn="uid=mirrormode,dc=example" read
    by dn="uid=test,ou=People,dc=example" none
    by * read
access to dn="uid=test,ou=People,dc=example"
    by dn="cn=admin,dc=example" write
    by * read
database monitor
access to * by * read
-----------------------------
and here is the configuration file on the master:
----------------------------
allow bind_v2
sizelimit size.hard=10000
sizelimit size.soft=500
include /appli/openldap/etc/openldap/schema/core.schema
include /appli/openldap/etc/openldap/schema/cosine.schema
include /appli/openldap/etc/openldap/schema/nis.schema
include /appli/openldap/etc/openldap/schema/inetorgperson.schema
include /appli/openldap/etc/openldap/schema/ppolicy.schema
pidfile /appli/openldap-preprod/var/run/slapd.pid
argsfile /appli/openldap-preprod/var/run/slapd.args
loglevel -1
modulepath /appli/openldap/libexec/openldap
moduleload back_bdb
moduleload syncprov
moduleload ppolicy
moduleload pw-sha2
password-hash {SSHA512}
TLSCertificateKeyFile /appli/openldap-preprod/etc/private/simby.example.key
TLSCertificateFile /appli/openldap-preprod/etc/certs/simby.example.pem
TLSCACertificatePath /appli/openldap-preprod/etc/ca
TLSverifyClient never
database bdb
suffix "dc=example"
rootdn "cn=admin,dc=example"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXX
directory "/appli/openldap-preprod/var/openldap-data"
index objectclass,entryCSN,entryUUID eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
ppolicy_default "cn=pwdDefault,ou=policies,dc=example"
ppolicy_use_lockout
ppolicy_hash_cleartext
lastmod on
access to attrs=userPassword
    by dn="cn=admin,dc=example" write
    by dn="uid=mirrormode,dc=example" read
    by dn="cn=acadmin,dc=example" write
    by dn="cn=rsasecureid,dc=example" auth
    by anonymous auth
    by dn="uid=test,ou=People,dc=example" none
    by dn="cn=iam,dc=example" write
    by * none
access to attrs=shadowLastChange
    by dn="cn=admin,dc=example" write
    by dn="uid=mirrormode,dc=example" read
    by dn="cn=acadmin,dc=example" write
    by dn="uid=test,ou=People,dc=example" none
    by dn="cn=iam,dc=example" write
    by * read
access to dn="uid=test,ou=People,dc=example"
    by dn="cn=admin,dc=example" write
    by * read
access to *
    by dn="uid=test,ou=People,dc=example" none
    by dn="uid=mirrormode,dc=example" read
    by dn="cn=admin,dc=example" write
    by dn="cn=acadmin,dc=example" write
    by dn="cn=iam,dc=example" write
    by * read
access to dn="ou=People,dc=example"
    by dn="cn=acadmin,dc=example" write
    by * read
database monitor
access to * by * read
---------------------------
In the log of the slave, I get at the end:
May 17 16:37:12 rada slapd[546]: ==> bdb_bind: dn: uid=user1,ou=People,dc=example
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => access_allowed: result not in cache (userPassword)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access to "uid=user1,ou=People,dc=example" "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_get: [1] attr userPassword
May 17 16:37:12 rada slapd[546]: => acl_mask: access to entry "uid=user1,ou=People,dc=example", attr "userPassword" requested
May 17 16:37:12 rada slapd[546]: => acl_mask: to value by "", (=0)
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=admin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: cn=acadmin,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=mirrormode,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: uid=rsasecureid,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: ou=capge002,ou=application,dc=example
May 17 16:37:12 rada slapd[546]: <= check a_dn_pat: anonymous
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] applying auth(=xd) (stop)
May 17 16:37:12 rada slapd[546]: <= acl_mask: [6] mask: auth(=xd)
May 17 16:37:12 rada slapd[546]: => slap_access_allowed: auth access granted by auth(=xd)
May 17 16:37:12 rada slapd[546]: => access_allowed: auth access granted by auth(=xd)
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=49 matched="" text=""
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: ndn: "uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: oc: "(null)", at: "(null)"
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: => bdb_entry_get: found entry: "uid=user1,ou=people,dc=example"
May 17 16:37:12 rada slapd[546]: bdb_entry_get: rc=0
May 17 16:37:12 rada slapd[546]: bdb_dn2entry("uid=user1,ou=people,dc=example")
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=10 matched="" text=""
May 17 16:37:12 rada slapd[546]: send_ldap_result: referral="ldaps://simby.example:637/uid=user1,ou=People,dc=example"
May 17 16:37:12 rada slapd[546]: >>> dnPrettyNormal: <uid=user1,ou=People,dc=example>
May 17 16:37:12 rada slapd[546]: <<< dnPrettyNormal: <uid=user1,ou=People,dc=example>, <uid=user1,ou=people,dc=example>
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op: ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example" -> "ldaps://simby.example:637"
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op: ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example": URI="ldaps://simby.example:637" found in cache
May 17 16:37:12 rada slapd[546]: =>ldap_back_getconn: conn=1000 op=0: lc=0x838b4a8 inserted refcnt=1 rc=0
May 17 16:37:12 rada slapd[546]: daemon: activity on 1 descriptor
May 17 16:37:12 rada slapd[546]: daemon: activity on:
May 17 16:37:12 rada slapd[546]:
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=7 active_threads=1 tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=8 active_threads=1 tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=9 active_threads=1 tvp=zero
May 17 16:37:12 rada slapd[546]: daemon: epoll: listen=10 active_threads=1 tvp=zero
and then the slave crashes with code 0177.
In the log of the master, I get:
May 17 16:37:12 simby slapd[18544]: => slap_access_allowed: auth access granted by auth(=xd)
May 17 16:37:12 simby slapd[18544]: => access_allowed: auth access granted by auth(=xd)
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 BIND dn="uid=mirrormode,dc=example" mech=SIMPLE ssf=0
May 17 16:37:12 simby slapd[18544]: do_bind: v3 bind: "uid=mirrormode,dc=example" to "uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: send_ldap_result: conn=1001 op=0 p=3
May 17 16:37:12 simby slapd[18544]: send_ldap_result: err=0 matched="" text=""
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: ndn: "uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: oc: "(null)", at: "(null)"
May 17 16:37:12 simby slapd[18544]: bdb_dn2entry("uid=mirrormode,dc=example")
May 17 16:37:12 simby slapd[18544]: => bdb_entry_get: found entry: "uid=mirrormode,dc=example"
May 17 16:37:12 simby slapd[18544]: bdb_entry_get: rc=0
May 17 16:37:12 simby slapd[18544]: send_ldap_response: msgid=1 tag=97 err=0
May 17 16:37:12 simby slapd[18544]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 3 descriptors
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]: 12r
May 17 16:37:12 simby slapd[18544]: 15r
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: read active on 12
May 17 16:37:12 simby slapd[18544]: connection_get(12)
May 17 16:37:12 simby slapd[18544]: connection_get(12): got connid=1000
May 17 16:37:12 simby slapd[18544]: connection_read(12): checking for input on id=1000
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 12 failed errno=0 (Success)
May 17 16:37:12 simby slapd[18544]: connection_read(12): input error=-2 id=1000, closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1000 sd=12 for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1000 sd=12
May 17 16:37:12 simby slapd[18544]: daemon: removing 12
May 17 16:37:12 simby slapd[18544]: conn=1000 fd=12 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: read active on 15
May 17 16:37:12 simby slapd[18544]: connection_get(15)
May 17 16:37:12 simby slapd[18544]: connection_get(15): got connid=1001
May 17 16:37:12 simby slapd[18544]: connection_read(15): checking for input on id=1001
May 17 16:37:12 simby slapd[18544]: ber_get_next on fd 15 failed errno=0 (Success)
May 17 16:37:12 simby slapd[18544]: connection_read(15): input error=-2 id=1001, closing.
May 17 16:37:12 simby slapd[18544]: connection_closing: readying conn=1001 sd=15 for close
May 17 16:37:12 simby slapd[18544]: connection_close: conn=1001 sd=15
May 17 16:37:12 simby slapd[18544]: daemon: removing 15
May 17 16:37:12 simby slapd[18544]: conn=1001 fd=15 closed (connection lost)
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: activity on 1 descriptor
May 17 16:37:12 simby slapd[18544]: daemon: activity on:
May 17 16:37:12 simby slapd[18544]:
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
May 17 16:37:12 simby slapd[18544]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
-----------------------------
I am not sure I am using the right configuration, but in any case, OpenLDAP should not crash.
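As an added check (not part of the report above, nor OpenLDAP's own tooling), this Python script correlates the consumer's log per connection/operation so the sequence visible in rada's log, a bind failure (err=49) followed by the updateref referral (err=10) and the chain overlay's ldap_chain_op, can be verified mechanically rather than read by eye. The sample lines are constructed from rada's log; the regexes and the state names returned by classify() are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: consumer-side lines in the shape rada logged above, cut
# down to the entries needed to correlate a failed bind with its forwarded update.
SAMPLE_LOG = """\
May 17 16:37:12 rada slapd[546]: ==> bdb_bind: dn: uid=user1,ou=People,dc=example
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=49 matched="" text=""
May 17 16:37:12 rada slapd[546]: send_ldap_result: conn=1000 op=0 p=3
May 17 16:37:12 rada slapd[546]: send_ldap_result: err=10 matched="" text=""
May 17 16:37:12 rada slapd[546]: send_ldap_result: referral="ldaps://simby.example:637/uid=user1,ou=People,dc=example"
May 17 16:37:12 rada slapd[546]: conn=1000 op=0 ldap_chain_op: ref="ldaps://simby.example:637/uid=user1,ou=People,dc=example" -> "ldaps://simby.example:637"
"""

# err= and referral= lines carry no conn/op, so they are attributed to the most
# recent "send_ldap_result: conn=N op=M" line; the bind DN goes to the next op.
RE_BIND = re.compile(r"==> bdb_bind: dn: (?P<dn>.+)$")
RE_OP = re.compile(r"send_ldap_result: conn=(?P<conn>\d+) op=(?P<op>\d+)")
RE_ERR = re.compile(r"send_ldap_result: err=(?P<err>\d+)")
RE_REF = re.compile(r'send_ldap_result: referral="(?P<ref>[^"]+)"')
RE_CHAIN = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) ldap_chain_op: .* -> "(?P<uri>[^"]+)"')

def trace_ops(log_text):
    """Group bind DN, result codes, referral and chain target per (conn, op)."""
    ops = defaultdict(lambda: {"dn": None, "errs": [], "referral": None, "chained_to": None})
    current, pending_dn = None, None
    for line in log_text.splitlines():
        msg = line.split("]: ", 1)[-1]  # drop the syslog prefix
        if m := RE_BIND.search(msg):
            pending_dn = m["dn"]
        elif m := RE_OP.search(msg):
            current = (int(m["conn"]), int(m["op"]))
            rec = ops[current]
            rec["dn"], pending_dn = rec["dn"] or pending_dn, None
        elif (m := RE_ERR.search(msg)) and current:
            ops[current]["errs"].append(int(m["err"]))
        elif (m := RE_REF.search(msg)) and current:
            ops[current]["referral"] = m["ref"]
        elif m := RE_CHAIN.search(msg):
            ops[(int(m["conn"]), int(m["op"]))]["chained_to"] = m["uri"]
    return dict(ops)

def classify(rec):
    """State of the ppolicy failure forward for one (conn, op) record."""
    if 49 not in rec["errs"]:
        return "no-bind-failure"
    if rec["referral"] is None:
        return "failure-not-forwarded"  # no updateref referral was produced
    return "forwarded-via-chain" if rec["chained_to"] else "referral-not-chained"
```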