dynlist overlay and ldapsearch
by ben thielsen
hi-
i'm using the dynlist overlay and am not getting back the search results i expected. i'm using 2.4.11 courtesy of debian.
here is my overlay config:
>ldapsearch -xWLLLD 'cn=admin,cn=config' -b 'cn=config' "(objectclass=olcdynamiclist)"
dn: olcOverlay={5}dynlist,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {5}dynlist
olcDLattrSet: {0}groupOfNames memberURL member
olcDLattrSet: {1}mailGroup labeledURI
here is the entry in question:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' -s base -b 'cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail
,dc=groundnoise,dc=net
labeledURI: ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectC
lass=mailDomain)
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
searched for another way:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' host
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
however, the results from this search are missing that entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=dipswitch.net)' dn
dn: host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net
or another search:
ldapsearch -xvWD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(host=*))' host
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (&(objectclass=mailgroup)(host=*))
requesting: host
# extended LDIF
#
# LDAPv3
# base <dc=groundnoise, dc=net> (default) with scope subtree
# filter: (&(objectclass=mailgroup)(host=*))
# requesting: host
#
# search result
search: 2
result: 0 Success
# numResponses: 1
if i remove the labeledURI attribute and populate with static entries, things appear to work as expected:
here's the entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail
,dc=groundnoise,dc=net
host: foo
host: bar
host: com
host: net
host: org
and a search:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=foo)' dn
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
what am i doing wrong?
thanks
-ben
13 years, 4 months
Re: solaris compile options
by Brett @Google
i am using CFLAGS="-fast -xtarget=ultraT1 -xarch=sparcvis2 -xcode=pic32 -g -xs -O"
one set of solaris docs i read implied that -xarch=sparcvis2 was equivalent
to -xarch=v9 (which used to trigger 64 bit), but looking at the sun studio
12 compiler options, the more specific versions of -xarch (ie. other than
-xarch=v9 or v9a or v9b) may no longer imply that the 64 bit memory model
should be used. so maybe i need to add a -m64 to the above?
(compiling on a Sun T2000, with a homogeneous build / execute environment, so
favouring speed over cpu compatibility is ok)
On Thu, Mar 12, 2009 at 1:31 AM, Aaron Richton <richton(a)nbcs.rutgers.edu>wrote:
> On Wed, 11 Mar 2009, Brett @Google wrote:
>
>> /data/openldap/backups/ldap_090302.ldif: Value too large for defined data
>> type
>>
>
> man lfcompile, and/or switch to 64-bit binaries?
>
13 years, 4 months
Chain Overlay and SASL Proxy Auth with Multiple Referrals.
by Tim Stewart
Hello,
I have three servers, A, B, and C. C has the master copy of all data.
A is set to refer to B, and B will refer to C.
I have properly configured SASL on all three systems. All use
Kerberos and use their ldap service principal to authenticate. They
are properly mapped to in-directory DNs via the authz-regexp
directive. Also, I'm sure everything is working because the same SASL
config is used for replication.
I have configured the chain overlay on servers A and B to use SASL
authentication and have chain-uris defined for B and C, respectively.
- Scenario 1:
A write request is issued to server B. The chain overlay follows
the referral and binds using its SASL identity to server C. It then
rebinds (allowed via authzTo in the dn for server B's identity) as
the user making the request and successfully updates the database.
Things work as expected.
- Scenario 2:
A write request is issued to server A. The chain overlay follows
the referral and binds using its SASL identity to server B. It then
rebinds (allowed via authzTo in the dn for server A's identity) as
the user making the request. Server B's chain overlay then takes
over to handle the referral to C.
The chain overlay on server B binds to server C as its SASL
identity, which succeeds. The overlay then attempts to rebind as
*server A*, rather than the original user. This rebind fails as the
authzTo in the dn for server B's identity only allows rebinding as
normal users in my setup. The update fails.
Even if server B's identity were allowed to rebind as server A, the
update would fail because server A does not have the appropriate
permissions. Regardless, server B should be rebinding as the original
user.
After some research I have found that this issue feels very similar to
ITS#3526, ITS#4070, and ITS#5110. Is there anything I can do to force
the second referral to rebind as the correct user?
Here are the relevant sections of my configuration:
##################################
# Server A
overlay chain
chain-tls start
chain-max-depth 3
chain-uri "ldap://serverB.example.com"
chain-idassert-bind bindmethod=sasl
                    saslmech=gssapi
                    mode=self
##################################
# Server B
overlay chain
chain-tls start
chain-max-depth 3
chain-uri "ldap://serverC.example.com"
chain-idassert-bind bindmethod=sasl
                    saslmech=gssapi
                    mode=self
Thank you,
--
-TimS
Tim Stewart
Stoo Research
tim(a)stoo.org
13 years, 7 months
OpenLDAP ServerSetup with Postgres as backend
by Nikhil Padharia
I want to set up an LDAP server with a postgres backend.
I have followed the link http://www.darold.net/projects/ldap_pg/HOWTO/
I am able to successfully configure it till step 4 of this tutorial.
And when I run an ldapsearch it returns me an object as well.
But when I try to use ldapadd it returns me an error:
ldap_bind: Invalid credentials (49)
The command I use is:
ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f file.ldif
This is my slapd.conf file at location /usr/local/etc/openldap
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
database sql
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw EDLEa8yM/upyM9ixUgf8Aui2Cfl66cRV
dbname pg_ldap
dbuser postgres
dbpasswd admin
insentry_stmt "insert into ldap_entries (id,dn,oc_map_id,parent,keyval)
    values ((select max(id)+1 from ldap_entries),?,?,?,?)"
upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
file.ldif
# begin
dn: o=domain, c=com
objectClass: organization
o: domain
description: domain

dn: cn=admin, o=domain, c=com
objectClass: organizationalRole
cn: admin
description: manager
# end
Can anyone please help me?
Thanks in advance.
13 years, 7 months
SSL strangeness
by Victor Mataré
Hello,
I'm seeing some really weird behaviour when using ldaps:// on an
openldap-2.3.43 server. It's a Gentoo Linux box with
glibc-2.9_p20081201-r2 and openssl-0.9.8k. I have already recompiled the
entire system with gcc-4.3.4 (twice to be sure), with no errors. First
of all, ldapsearch -H ldaps://bussard.lih.rwth-aachen.de just hangs.
The strange part: when I strace -f slapd, from the second retry on, it
works.
So I went on by debugging with openssl s_client, which exhibits just the
same behaviour. However it reveals that slapd falls silent in the middle
of sending the certificates.
So if I do:
$ openssl s_client -connect bussard.lih.rwth-aachen.de:636 -state
-status -CAfile /etc/openldap/ssl/rwth-dfn-tcom.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
OCSP response: no response sent
SSL_connect:SSLv3 read server hello A
depth=3 /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust
Center/CN=Deutsche Telekom Root CA 2
verify return:1
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
verify return:1
depth=1 /C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de
verify return:1
depth=0 /C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und
Hydrogeologie/CN=ldap.lih.rwth-aachen.de
verify return:1
SSL_connect:SSLv3 read server certificate A
^C
Now after I've done "strace -f -p `pidof slapd`" on the server, I get
the same as above once. Then when I try a second time:
$ openssl s_client -connect bussard.lih.rwth-aachen.de:636 -state
-CAfile /etc/openldap/ssl/rwth-dfn-tcom.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust
Center/CN=Deutsche Telekom Root CA 2
verify return:1
depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
verify return:1
depth=1 /C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de
verify return:1
depth=0 /C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und
Hydrogeologie/CN=ldap.lih.rwth-aachen.de
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und
Hydrogeologie/CN=ldap.lih.rwth-aachen.de
i:/C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de
1 s:/C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de
i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche
Telekom Root CA 2
3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche
Telekom Root CA 2
i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche
Telekom Root CA 2
---
Server certificate
-----BEGIN CERTIFICATE-----
... (lotsa stuff) ...
/C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services
s.l./O=ips(a)mail.ips.es C.I.F. B-60929452/OU=IPS CA Timestamping
Certification Authority/CN=IPS CA Timestamping Certification
Authority/emailAddress=ips(a)mail.ips.es
---
SSL handshake has read 26305 bytes and written 480 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 99...CB400
Session-ID-ctx:
Master-Key: 152...A2D
Key-Arg : None
Start Time: 1256667603
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
This time the SSL handshake works, just because I'm strace'ing slapd?
This looks like some really weird race condition. It's driving me crazy.
Should I talk to the openssl people about this? But when I make an
openssl testbed with openssl s_server and s_client, everything works
fine, so it shouldn't be an openssl issue.
Oh and maybe you'd like to see the strace output. This is what it looks
like when the SSL client hangs:
# strace -f -p `pidof slapd`
Process 3339 attached with 3 threads - interrupt to quit
[pid 3339] futex(0x8977560, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...>
[pid 3338] time(NULL) = 1256668096
[pid 3338] epoll_wait(6, <unfinished ...>
[pid 3328] futex(0xad15ebd8, FUTEX_WAIT, 3338, NULL <unfinished ...>
[pid 3338] <... epoll_wait resumed> {{EPOLLIN, {u32=143663400,
u64=143663400}}}, 1024, 1798000) = 1
[pid 3338] accept(7, {sa_family=AF_INET, sin_port=htons(37192),
sin_addr=inet_addr("137.226.164.160")}, [16]) = 14
[pid 3338] setsockopt(14, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 3338] setsockopt(14, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[pid 3338] open("/etc/hosts.allow", O_RDONLY) = -1 ENOENT (No such file
or directory)
[pid 3338] open("/etc/hosts.deny", O_RDONLY) = -1 ENOENT (No such file
or directory)
[pid 3338] time(NULL) = 1256668099
[pid 3338] fcntl64(14, F_GETFL) = 0x2 (flags O_RDWR)
[pid 3338] fcntl64(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 3338] epoll_ctl(6, EPOLL_CTL_ADD, 14, {EPOLLIN, {u32=143700808,
u64=143700808}}) = 0
[pid 3338] time(NULL) = 1256668099
[pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700808, u64=143700808}}},
1024, 1795000) = 1
[pid 3338] time(NULL) = 1256668099
[pid 3338] time(NULL) = 1256668099
[pid 3338] read(14, "\200\214\1\3\1\0c\0\0\0 "..., 11) = 11
[pid 3338] read(14,
"\0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26\0\0\23\0\0\n\7\0\300\0\0003"...,
131) = 131
[pid 3338] time(NULL) = 1256668099
[pid 3338] time(NULL) = 1256668099
[pid 3338] time(NULL) = 1256668099
[pid 3338] write(14,
"\26\3\1\0J\2\0\0F\3\1J\347;\303\310\247w\24<\206!\334\3345\304\327\321\344\36FG\37"...,
4096) = 4096
[pid 3338] write(14,
"\"0\r\6\t*\206H\206\367\r\1\1\1\5\0\3\202\1\17\0000\202\1\n\2\202\1\1\0\253\v\243"...,
4096) = 4096
[pid 3338] write(14,
"ootCA1\0;091\v0\t\6\3U\4\6\23\2FI1\0170\r\6\3U\4\n\23"..., 12928) = 6288
[pid 3338] write(14, "go1,0*\6\3U\4\v\23#Wells Fargo Certific"...,
6640) = -1 EAGAIN (Resource temporarily unavailable)
[pid 3338] write(14, "go1,0*\6\3U\4\v\23#Wells Fargo Certific"...,
6640) = 6640
[pid 3338] write(14, "\26\3\1\24\1ck Halozatbiztonsagi Kft.1\0320"...,
5126) = 2048
[pid 3338] write(14, "\4\n\23\37Software in the Public Intere"...,
3078) = -1 EAGAIN (Resource temporarily unavailable)
[pid 3338] time(NULL) = 1256668099
[pid 3338] epoll_wait(6,
(Ctrl-C on the client...)
{{EPOLLIN, {u32=143700808, u64=143700808}}}, 1024, 1795000) = 1
[pid 3338] time(NULL) = 1256668102
[pid 3338] time(NULL) = 1256668102
[pid 3338] write(14, "\4\n\23\37Software in the Public Intere"...,
3078) = 3078
[pid 3338] read(14, ""..., 5) = 0
[pid 3338] epoll_ctl(6, EPOLL_CTL_MOD, 14, {0, {u32=143700808,
u64=143700808}}) = 0
[pid 3338] write(5, "0"..., 1) = 1
[pid 3338] epoll_ctl(6, EPOLL_CTL_DEL, 14, {0, {u32=143700808,
u64=143700808}}) = 0
[pid 3338] shutdown(14, 2 /* send and receive */) = -1 ENOTCONN
(Transport endpoint is not connected)
[pid 3338] close(14) = 0
[pid 3338] time(NULL) = 1256668102
[pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700768, u64=143700768}}},
1024, 1792000) = 1
[pid 3338] read(4, "0"..., 8192) = 1
[pid 3338] time(NULL) = 1256668102
[pid 3338] epoll_wait(6,
and that's it. Now when I try for the second time (now I get the server
cert alright), it looks like this:
# strace -f -p `pidof slapd`
Process 3354 attached with 4 threads - interrupt to quit
[pid 3339] futex(0x8977560, FUTEX_WAIT_PRIVATE, 42, NULL <unfinished ...>
[pid 3354] futex(0x8977560, FUTEX_WAIT_PRIVATE, 42, NULL <unfinished ...>
[pid 3338] time(NULL) = 1256668222
[pid 3338] epoll_wait(6, <unfinished ...>
[pid 3328] futex(0xad15ebd8, FUTEX_WAIT, 3338, NULL <unfinished ...>
[pid 3338] <... epoll_wait resumed> {{EPOLLIN, {u32=143663400,
u64=143663400}}}, 1024, 1672000) = 1
[pid 3338] accept(7, {sa_family=AF_INET, sin_port=htons(37195),
sin_addr=inet_addr("137.226.164.160")}, [16]) = 15
[pid 3338] setsockopt(15, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
[pid 3338] setsockopt(15, SOL_TCP, TCP_NODELAY, [1], 4) = 0
[pid 3338] open("/etc/hosts.allow", O_RDONLY) = -1 ENOENT (No such file
or directory)
[pid 3338] open("/etc/hosts.deny", O_RDONLY) = -1 ENOENT (No such file
or directory)
[pid 3338] time(NULL) = 1256668224
[pid 3338] fcntl64(15, F_GETFL) = 0x2 (flags O_RDWR)
[pid 3338] fcntl64(15, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 3338] epoll_ctl(6, EPOLL_CTL_ADD, 15, {EPOLLIN, {u32=143700812,
u64=143700812}}) = 0
[pid 3338] time(NULL) = 1256668224
[pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700812, u64=143700812}}},
1024, 1670000) = 1
[pid 3338] time(NULL) = 1256668224
[pid 3338] time(NULL) = 1256668224
[pid 3338] read(15, "\200\214\1\3\1\0c\0\0\0 "..., 11) = 11
[pid 3338] read(15,
"\0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26\0\0\23\0\0\n\7\0\300\0\0003"...,
131) = 131
[pid 3338] time(NULL) = 1256668224
[pid 3338] time(NULL) = 1256668224
[pid 3338] time(NULL) = 1256668224
[pid 3338] write(15,
"\26\3\1\0J\2\0\0F\3\1J\347<@5\352%\335\336\264Q\2263\346\303\335\t\2\34\241\372Q"...,
4096) = 4096
[pid 3338] write(15,
"\"0\r\6\t*\206H\206\367\r\1\1\1\5\0\3\202\1\17\0000\202\1\n\2\202\1\1\0\253\v\243"...,
4096) = 4096
[pid 3338] write(15,
"ootCA1\0;091\v0\t\6\3U\4\6\23\2FI1\0170\r\6\3U\4\n\23"..., 12928) = 11584
[pid 3338] write(15,
"\6\3U\4\6\23\2AU1\0230\21\6\3U\4\10\23\nQueensland1\0210"..., 4096) = 2896
[pid 3338] write(15, "ty1$0\"\6\3U\4\n\23\33Digital Signature Tr"...,
1200) = 1200
[pid 3338] write(15,
"\26\31personal-basic(a)thawte.com\0\3210\201\3161"..., 2374) = 2374
[pid 3338] read(15, 0x8a08398, 5) = -1 EAGAIN (Resource
temporarily unavailable)
[pid 3338] time(NULL) = 1256668224
[pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700812, u64=143700812}}},
1024, 1670000) = 1
[pid 3338] time(NULL) = 1256668224
[pid 3338] time(NULL) = 1256668224
[pid 3338] read(15, "\26\3\1\0\7"..., 5) = 5
[pid 3338] read(15, "\v\0\0\3\0\0\0"..., 7) = 7
[pid 3338] read(15, "\26\3\1\1\6"..., 5) = 5
[pid 3338] read(15,
"\20\0\1\2\1\0~\246\237\364\202\0\217\345#|\241\273k\34\251\277\224X\346\274\361\300\373\1\24\226\334"...,
262) = 262
[pid 3338] read(15, "\24\3\1\0\1"..., 5) = 5
[pid 3338] read(15, "\1"..., 1) = 1
[pid 3338] read(15, "\26\3\1\0000"..., 5) = 5
[pid 3338] read(15,
"\36\337\371\314\260\5\246\233\17\31^P\3027\227\333\257\374\221F\\\20?1\316\207\201BJQ\337\264\224"...,
48) = 48
[pid 3338] write(15,
"\24\3\1\0\1\1\26\3\1\0000\356\336\3673\3034w\344\3364e\264\10dP\302\205\3058\357\272c"...,
59) = 59
[pid 3338] time(NULL) = 1256668224
[pid 3338] epoll_wait(6,
Hope that someone can make sense of this. Just to be clear: ldapsearch
behaves the same way as described above for openssl s_client.
Thank you very much for even reading so far.
13 years, 7 months
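In the first strace above, write() on the non-blocking client socket returns EAGAIN and slapd then sits in epoll_wait on a descriptor it had registered for EPOLLIN only; the pending write completes only after the client disconnects. The following C program is an added example, not slapd code, of the general pattern for that situation: on EAGAIN, wait for POLLOUT before retrying. The function names, the socketpair setup and the deliberately slow forked reader are constructed for this demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of buf to a non-blocking descriptor. EAGAIN (or a short write)
 * means the kernel send buffer is full; the right thing to wait for is
 * writability (POLLOUT), not readability. Returns the number of EAGAIN
 * retries that were needed, or -1 on error or when the peer never drains. */
int write_all_nonblocking(int fd, const char *buf, size_t len, int timeout_ms)
{
    size_t done = 0;
    int retries = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n > 0) {
            done += (size_t)n;
        } else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
            if (poll(&p, 1, timeout_ms) <= 0)
                return -1;              /* timeout or poll error: give up */
            retries++;
        } else if (n < 0 && errno != EINTR) {
            return -1;
        }
    }
    return retries;
}

/* Constructed demo: push `total` bytes through a socketpair with a small
 * send buffer while a forked child drains the other end slowly (about
 * 1 KiB per millisecond). Returns the EAGAIN retry count on success,
 * -1 on a write failure, -2 if the child did not receive every byte. */
int demo_slow_reader(size_t total)
{
    int sv[2];
    int sndbuf = 4096;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof sndbuf);
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* reader child */
        char tmp[1024];
        size_t got = 0;
        close(sv[0]);
        for (;;) {
            ssize_t n = read(sv[1], tmp, sizeof tmp);
            if (n <= 0) break;           /* EOF once the parent closes */
            got += (size_t)n;
            poll(NULL, 0, 1);            /* ~1 ms pause: slow consumer */
        }
        _exit(got == total ? 0 : 1);
    }
    close(sv[1]);

    char *buf = malloc(total);
    memset(buf, 'A', total);
    int retries = write_all_nonblocking(sv[0], buf, total, 5000);
    free(buf);
    close(sv[0]);                        /* EOF lets the child finish */

    int status = 0;
    waitpid(pid, &status, 0);
    if (retries < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -2;
    return retries;
}
```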
Slow replication in mirrormode
by Peter Mogensen
I've moved to new (FAST*) hardware and I was testing how long it took
for an empty mirrormode server to catch up with the other one (like
after a complete failure of one of the nodes).
I'm using a database where id2entry.bdb is ~6.6Gb, and it's taking a
surprisingly long time.
After 18 hours it has gotten around 1/4 of the way.
I'm wondering if I could speed it up by loading an LDIF backup on the
empty server before I start it.
Is there anything special I should take into account, like regarding
entryCSN and options to slapadd when I load the backup?
/Peter
13 years, 7 months
Re: syncrepl 2.4 issue from 2.3 master
by FRLinux
On Thu, Oct 29, 2009 at 3:11 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, October 29, 2009 1:09 AM +0000 FRLinux <frlinux(a)gmail.com>
> wrote:
>
>
>> So, am I right in the following assumption that syncrepl now only
>> supports TLS instead of plain old SSL ?
>
> No, that assumption is not correct. There's something blocking your SSL
> usage, but I don't have the details in your email to know why.
Hello,
I am happy to provide anything to fix it. I included my bit of
configuration from slapd.conf and also the errors I was getting, what
can I also give you to make this work?
thanks for your response,
Steph
13 years, 7 months
Re: syncrepl 2.4 issue from 2.3 master
by FRLinux
On Fri, Sep 25, 2009 at 7:54 AM, FRLinux <frlinux(a)gmail.com> wrote:
> On Thu, Sep 24, 2009 at 10:51 AM, FRLinux <frlinux(a)gmail.com> wrote:
>> Hello, I am back again on that one as I cannot get it to work.
>>
>> I am getting:
>>
>> main: TLS init def ctx failed: 1
>> slapd destroy: freeing system resources.
>> slapd stopped.
>> connections_destroy: nothing to destroy.
>>
>> This is my replication config on the slave (2.4 on Debian):
>>
>> syncrepl rid=124 \
>> provider=ldaps://masterldap.example.com:636 \
>> type=refreshAndPersist \
>> searchbase="dc=example,dc=com" \
>> scope=sub \
>> filter="(objectClass=*)" \
>> attrs="*" \
>> schemachecking=off \
>> tls_cacert=/etc/ldap/cert/cacert.pem \
>> bindmethod=sasl \
>> saslmech=GSSAPI \
>> binddn="cn=LDAPReplicator,dc=example,dc=com" \
>> credentials=xxxxxx
>>
>> Anything I might be doing wrong?
>
> Anyone please?
>
I have tried many options on saslmech, etc... and still cannot use ssl
directly on port 636 using the new syncrepl options (where you specify
your certs straight in the syncrepl section).
So, am I right in the following assumption that syncrepl now only
supports TLS instead of plain old SSL?
Please respond to this, I need to get this working...
Cheers,
Steph
13 years, 7 months
Mirror Mode, replicas and delta-syncrepl
by Sam Tran
Hi All,
I am looking to upgrade our OL 2.3 platform to OL 2.4.
For all write operations, I'd like to have two masters in Mirror Mode
configuration and behind a load balancer with a virtual IP (VIP)
address. All read operations will be performed on a set of replicas.
The replication mode would be delta-syncrepl. I am trying to figure
out how to configure replication between the replicas and the masters.
I came across those two threads that seem to address this issue:
http://www.openldap.org/lists/openldap-devel/200903/msg00085.html
http://www.openldap.org/lists/openldap-software/200903/msg00127.html
If I understand correctly, there are two possible configurations:
1) On each replica, create a single syncrepl stanza that points to the
load balancer VIP.
2) On each replica, create two syncrepl stanzas, each one pointing to
a different master.
Could you please confirm that both configurations would work? Should
the second configuration be favored over the first for it does not
depend on the load balancer?
Thanks,
Sam
13 years, 7 months