openldap-software October 2009

openldap-software@openldap.org

44 participants
45 discussions

dynlist overlay and ldapsearch
by ben thielsen 03 Feb '10

03 Feb '10

hi- i'm using the dynlist overlay and am not getting back the search results i expected. i'm using 2.4.11 courtesy of debian. here is my overlay config: >ldapsearch -xWLLLD 'cn=admin,cn=config' -b 'cn=config' "(objectclass=olcdynamiclist)" dn: olcOverlay={5}dynlist,olcDatabase={2}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {5}dynlist olcDLattrSet: {0}groupOfNames memberURL member olcDLattrSet: {1}mailGroup labeledURI here is the entry in question: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' -s base -b 'cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net' dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net objectClass: mailGroup objectClass: top objectClass: extensibleObject cn: abuse member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail ,dc=groundnoise,dc=net labeledURI: ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectC lass=mailDomain) host: phone.dipswitch.net host: luna.mpls.mn.us host: groundnoise.net host: thielsen.org host: sjva1991.org host: dipswitch.net host: bitrate.net searched for another way: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' host dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net host: phone.dipswitch.net host: luna.mpls.mn.us host: groundnoise.net host: thielsen.org host: sjva1991.org host: dipswitch.net host: bitrate.net however, the results from this search are missing that entry: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=dipswitch.net)' dn dn: host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net or another search: ldapsearch -xvWD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(host=*))' host ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: (&(objectclass=mailgroup)(host=*)) requesting: host # extended LDIF # # LDAPv3 # base <dc=groundnoise, dc=net> (default) with scope subtree # filter: (&(objectclass=mailgroup)(host=*)) # requesting: host # # search result search: 2 result: 0 Success # numResponses: 1 if i remove the labeledURI attribute and populate with static entries, things appear to work as expected: here's the entry: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net objectClass: mailGroup objectClass: top objectClass: extensibleObject cn: abuse member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail ,dc=groundnoise,dc=net host: foo host: bar host: com host: net host: org and a search: >ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=foo)' dn dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun dnoise,dc=net what am i doing wrong? thanks -ben

3 3

Re: solaris compile options
by Brett ＠Google 24 Jan '10

24 Jan '10

i am using CFLAGS="-fast -xtarget=ultraT1 -xarch=sparcvis2 -xcode=pic32 -g -xs -O" one set of solaris docs i read implied that -xarch=sparcvis2 was equivalent to -xarch=v9 (which used to trigger 64 bit), but looking at the sun studio 12 compiler options, the more specific versions of -xarch (ie. other than -xarch=v9 or v9a or v9b) may no longer imply that the 64 bit memory model should be used. so maybe i need to add a -m64 to the above ? (compiling on a Sun T2000, with a homegenous build / execute environment, so favouring speed over cpu compatibility is ok) On Thu, Mar 12, 2009 at 1:31 AM, Aaron Richton <richton(a)nbcs.rutgers.edu>wrote: > On Wed, 11 Mar 2009, Brett @Google wrote: > > /data/openldap/backups/ldap_090302.ldif: Value too large for defined data >> type >> > > man lfcompile, and/or switch to 64-bit binaries? >

2 3

Chain Overlay and SASL Proxy Auth with Multiple Referrals.
by Tim Stewart 02 Nov '09

02 Nov '09

Hello, I have three servers, A, B, and C. C has the master copy of all data. A is set to refer to B, and B will refer to C. I have properly configured SASL on all three systems. All use Kerberos and use their ldap service principal to authenticate. They are properly mapped to in-directory DNs via the authz-regexp directive. Also, I'm sure everything is working because the same SASL config is used for replication. I have configured the chain overlay on servers A and B to use SASL authentication and have chain-uris defined for B and C, respectively. - Scenario 1: A write request is issued to server B. The chain overlay follows the referral and binds using its SASL identity to server C. It then rebinds (allowed via authzTo in the dn for server B's identity) as the user making the request and successfully updates the database. Things work as expected. - Scenario 2: A write request is issued to server A. The chain overlay follows the referral and binds using its SASL identity to server B. It then rebinds (allowed via authzTo in the dn for server A's identity) as the user making the request. Server B's chain overlay then takes over to handle the referral to C. The chain overlay on server B binds to server C as its SASL identity, which succeeds. The overlay then attempts to rebind as *server A*, rather than the original user. This rebind fails as the authzTo in the dn for server B's identity only allows rebinding as normal users in my setup. The update fails. Even if server B's identity were allowed to rebind as server A, the update would fail because server A does not have the appropriate permissions. Regardless, server B should be rebinding as the original user. After some research I have found that this issue feels very similar to ITS#3526, ITS#4070, and ITS#5110. Is there anything I can do to force the second referral to rebind as the correct user? Here are the relevant sections of my configuration: ################################## # Server A overlay chain chain-tls start chain-max-depth 3 chain-uri "ldap://serverB.example.com" chain-idassert-bind bindmethod=sasl saslmech=gssapi mode=self ################################## # Server B overlay chain chain-tls start chain-max-depth 3 chain-uri "ldap://serverC.example.com" chain-idassert-bind bindmethod=sasl saslmech=gssapi mode=self Thanks you, -- -TimS Tim Stewart Stoo Research tim(a)stoo.org

3 4

OpenLDAP ServerSetup with Postgres as backend
by Nikhil Padharia 30 Oct '09

30 Oct '09

I want to setup LDAP server with postgres Backend. I have followed the link http://www.darold.net/projects/ldap_pg/HOWTO/ I am able to successfully configure it till step 4 of this tutorial. And when i make LDAPSearch it returns me an object as well. But when I try to use ldapadd it returns me an error ldap_bind: Invalid credentials (49) The command i use is: ldapadd -x -W -D "cn=admin,dc=domain,dc=com" -f file.ldif This is my slap.conf file at location /usr/local/etc/openldap include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/var/slapd.pid argsfile /usr/local/var/slapd.args database sql suffix "dc=domain,dc=com" rootdn "cn=admin,dc=domain,dc=com" rootpw EDLEa8yM/upyM9ixUgf8Aui2Cfl66cRV dbname pg_ldap dbuser postgres dbpasswd admin insentry_stmt "insert into ldap_entries (id,dn,oc_map_id,parent,keyval) values ((select max(id)+1 from ldap_entries),?,?,?,?)" upper_func "upper" strcast_func "text" concat_pattern "?||?" has_ldapinfo_dn_ru no file.lidf # begin o=domain, c=com objectClass=organization o=domain description=domain cn=admin, o=domain, c=com objectClass=organizationalRole cn=admin description= manager # end Can anyone please help me. Thanks in advance.

2 1

SSL strangeness
by Victor Mataré 30 Oct '09

30 Oct '09

Hello, I'm seeing some really weird behaviour when using ldaps:// on an openldap-2.3.43 server. It's a Gentoo Linux box with glibc-2.9_p20081201-r2 and openssl-0.9.8k. I have already recompiled the entire system with gcc-4.3.4 (twice to be sure), with no errors. First of all, ldapsearch -H ldaps://bussard.lih.rwth-aachen.de just hangs. The strange part: when I strace -f slapd, from the second retry on, it works. So I went on by debugging with openssl s_client, which exhibits just the same behaviour. However it reveals that slapd falls silent in the middle of sending the certificates. So if I do: $ openssl s_client -connect bussard.lih.rwth-aachen.de:636 -state -status -CAfile /etc/openldap/ssl/rwth-dfn-tcom.crt CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A OCSP response: no response sent SSL_connect:SSLv3 read server hello A depth=3 /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 verify return:1 depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 verify return:1 depth=1 /C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de verify return:1 depth=0 /C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und Hydrogeologie/CN=ldap.lih.rwth-aachen.de verify return:1 SSL_connect:SSLv3 read server certificate A ^C Now after I've done "strace -f -p `pidof slapd`" on the server, I get the same as above once. Then when I try a second time: $ openssl s_client -connect bussard.lih.rwth-aachen.de:636 -state -CAfile /etc/openldap/ssl/rwth-dfn-tcom.crt CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=3 /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 verify return:1 depth=2 /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 verify return:1 depth=1 /C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de verify return:1 depth=0 /C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und Hydrogeologie/CN=ldap.lih.rwth-aachen.de verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=DE/O=RWTH Aachen/OU=Lehrstuhl fuer Ingenieur- und Hydrogeologie/CN=ldap.lih.rwth-aachen.de i:/C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de 1 s:/C=DE/O=RWTH Aachen/CN=RWTH Aachen CA/emailAddress=ca(a)rwth-aachen.de i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01 i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2 --- Server certificate -----BEGIN CERTIFICATE----- ... (lotsa stuff) ... /C=ES/ST=Barcelona/L=Barcelona/O=IPS Internet publishing Services s.l./O=ips(a)mail.ips.es C.I.F. B-60929452/OU=IPS CA Timestamping Certification Authority/CN=IPS CA Timestamping Certification Authority/emailAddress=ips(a)mail.ips.es --- SSL handshake has read 26305 bytes and written 480 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 99...CB400 Session-ID-ctx: Master-Key: 152...A2D Key-Arg : None Start Time: 1256667603 Timeout : 300 (sec) Verify return code: 0 (ok) --- This time the SSL handshake works, just because I'm strace'ing slapd? This looks like some really weird race condition. It's driving me crazy. Should I talk to the openssl people about this? But when I make an openssl testbed with openssl s_server and s_client, everything works fine, so it shouldn't be an openssl issue. Oh and maybe you'd like to see the strace output. This is what it looks like when the SSL client hangs: # strace -f -p `pidof slapd` Process 3339 attached with 3 threads - interrupt to quit [pid 3339] futex(0x8977560, FUTEX_WAIT_PRIVATE, 1, NULL <unfinished ...> [pid 3338] time(NULL) = 1256668096 [pid 3338] epoll_wait(6, <unfinished ...> [pid 3328] futex(0xad15ebd8, FUTEX_WAIT, 3338, NULL <unfinished ...> [pid 3338] <... epoll_wait resumed> {{EPOLLIN, {u32=143663400, u64=143663400}}}, 1024, 1798000) = 1 [pid 3338] accept(7, {sa_family=AF_INET, sin_port=htons(37192), sin_addr=inet_addr("137.226.164.160")}, [16]) = 14 [pid 3338] setsockopt(14, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 [pid 3338] setsockopt(14, SOL_TCP, TCP_NODELAY, [1], 4) = 0 [pid 3338] open("/etc/hosts.allow", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 3338] open("/etc/hosts.deny", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 3338] time(NULL) = 1256668099 [pid 3338] fcntl64(14, F_GETFL) = 0x2 (flags O_RDWR) [pid 3338] fcntl64(14, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 3338] epoll_ctl(6, EPOLL_CTL_ADD, 14, {EPOLLIN, {u32=143700808, u64=143700808}}) = 0 [pid 3338] time(NULL) = 1256668099 [pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700808, u64=143700808}}}, 1024, 1795000) = 1 [pid 3338] time(NULL) = 1256668099 [pid 3338] time(NULL) = 1256668099 [pid 3338] read(14, "\200\214\1\3\1\0c\0\0\0 "..., 11) = 11 [pid 3338] read(14, "\0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26\0\0\23\0\0\n\7\0\300\0\0003"..., 131) = 131 [pid 3338] time(NULL) = 1256668099 [pid 3338] time(NULL) = 1256668099 [pid 3338] time(NULL) = 1256668099 [pid 3338] write(14, "\26\3\1\0J\2\0\0F\3\1J\347;\303\310\247w\24<\206!\334\3345\304\327\321\344\36FG\37"..., 4096) = 4096 [pid 3338] write(14, "\"0\r\6\t*\206H\206\367\r\1\1\1\5\0\3\202\1\17\0000\202\1\n\2\202\1\1\0\253\v\243"..., 4096) = 4096 [pid 3338] write(14, "ootCA1\0;091\v0\t\6\3U\4\6\23\2FI1\0170\r\6\3U\4\n\23"..., 12928) = 6288 [pid 3338] write(14, "go1,0*\6\3U\4\v\23#Wells Fargo Certific"..., 6640) = -1 EAGAIN (Resource temporarily unavailable) [pid 3338] write(14, "go1,0*\6\3U\4\v\23#Wells Fargo Certific"..., 6640) = 6640 [pid 3338] write(14, "\26\3\1\24\1ck Halozatbiztonsagi Kft.1\0320"..., 5126) = 2048 [pid 3338] write(14, "\4\n\23\37Software in the Public Intere"..., 3078) = -1 EAGAIN (Resource temporarily unavailable) [pid 3338] time(NULL) = 1256668099 [pid 3338] epoll_wait(6, (Strg-C on the client...) {{EPOLLIN, {u32=143700808, u64=143700808}}}, 1024, 1795000) = 1 [pid 3338] time(NULL) = 1256668102 [pid 3338] time(NULL) = 1256668102 [pid 3338] write(14, "\4\n\23\37Software in the Public Intere"..., 3078) = 3078 [pid 3338] read(14, ""..., 5) = 0 [pid 3338] epoll_ctl(6, EPOLL_CTL_MOD, 14, {0, {u32=143700808, u64=143700808}}) = 0 [pid 3338] write(5, "0"..., 1) = 1 [pid 3338] epoll_ctl(6, EPOLL_CTL_DEL, 14, {0, {u32=143700808, u64=143700808}}) = 0 [pid 3338] shutdown(14, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected) [pid 3338] close(14) = 0 [pid 3338] time(NULL) = 1256668102 [pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700768, u64=143700768}}}, 1024, 1792000) = 1 [pid 3338] read(4, "0"..., 8192) = 1 [pid 3338] time(NULL) = 1256668102 [pid 3338] epoll_wait(6, and that's it. Now when I try for the second time (now I get the server cert alright), it looks like this: # strace -f -p `pidof slapd` Process 3354 attached with 4 threads - interrupt to quit [pid 3339] futex(0x8977560, FUTEX_WAIT_PRIVATE, 42, NULL <unfinished ...> [pid 3354] futex(0x8977560, FUTEX_WAIT_PRIVATE, 42, NULL <unfinished ...> [pid 3338] time(NULL) = 1256668222 [pid 3338] epoll_wait(6, <unfinished ...> [pid 3328] futex(0xad15ebd8, FUTEX_WAIT, 3338, NULL <unfinished ...> [pid 3338] <... epoll_wait resumed> {{EPOLLIN, {u32=143663400, u64=143663400}}}, 1024, 1672000) = 1 [pid 3338] accept(7, {sa_family=AF_INET, sin_port=htons(37195), sin_addr=inet_addr("137.226.164.160")}, [16]) = 15 [pid 3338] setsockopt(15, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 [pid 3338] setsockopt(15, SOL_TCP, TCP_NODELAY, [1], 4) = 0 [pid 3338] open("/etc/hosts.allow", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 3338] open("/etc/hosts.deny", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 3338] time(NULL) = 1256668224 [pid 3338] fcntl64(15, F_GETFL) = 0x2 (flags O_RDWR) [pid 3338] fcntl64(15, F_SETFL, O_RDWR|O_NONBLOCK) = 0 [pid 3338] epoll_ctl(6, EPOLL_CTL_ADD, 15, {EPOLLIN, {u32=143700812, u64=143700812}}) = 0 [pid 3338] time(NULL) = 1256668224 [pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700812, u64=143700812}}}, 1024, 1670000) = 1 [pid 3338] time(NULL) = 1256668224 [pid 3338] time(NULL) = 1256668224 [pid 3338] read(15, "\200\214\1\3\1\0c\0\0\0 "..., 11) = 11 [pid 3338] read(15, "\0\0009\0\0008\0\0005\0\0\210\0\0\207\0\0\204\0\0\26\0\0\23\0\0\n\7\0\300\0\0003"..., 131) = 131 [pid 3338] time(NULL) = 1256668224 [pid 3338] time(NULL) = 1256668224 [pid 3338] time(NULL) = 1256668224 [pid 3338] write(15, "\26\3\1\0J\2\0\0F\3\1J\347<@5\352%\335\336\264Q\2263\346\303\335\t\2\34\241\372Q"..., 4096) = 4096 [pid 3338] write(15, "\"0\r\6\t*\206H\206\367\r\1\1\1\5\0\3\202\1\17\0000\202\1\n\2\202\1\1\0\253\v\243"..., 4096) = 4096 [pid 3338] write(15, "ootCA1\0;091\v0\t\6\3U\4\6\23\2FI1\0170\r\6\3U\4\n\23"..., 12928) = 11584 [pid 3338] write(15, "\6\3U\4\6\23\2AU1\0230\21\6\3U\4\10\23\nQueensland1\0210"..., 4096) = 2896 [pid 3338] write(15, "ty1$0\"\6\3U\4\n\23\33Digital Signature Tr"..., 1200) = 1200 [pid 3338] write(15, "\26\31personal-basic(a)thawte.com\0\3210\201\3161"..., 2374) = 2374 [pid 3338] read(15, 0x8a08398, 5) = -1 EAGAIN (Resource temporarily unavailable) [pid 3338] time(NULL) = 1256668224 [pid 3338] epoll_wait(6, {{EPOLLIN, {u32=143700812, u64=143700812}}}, 1024, 1670000) = 1 [pid 3338] time(NULL) = 1256668224 [pid 3338] time(NULL) = 1256668224 [pid 3338] read(15, "\26\3\1\0\7"..., 5) = 5 [pid 3338] read(15, "\v\0\0\3\0\0\0"..., 7) = 7 [pid 3338] read(15, "\26\3\1\1\6"..., 5) = 5 [pid 3338] read(15, "\20\0\1\2\1\0~\246\237\364\202\0\217\345#|\241\273k\34\251\277\224X\346\274\361\300\373\1\24\226\334"..., 262) = 262 [pid 3338] read(15, "\24\3\1\0\1"..., 5) = 5 [pid 3338] read(15, "\1"..., 1) = 1 [pid 3338] read(15, "\26\3\1\0000"..., 5) = 5 [pid 3338] read(15, "\36\337\371\314\260\5\246\233\17\31^P\3027\227\333\257\374\221F\\\20?1\316\207\201BJQ\337\264\224"..., 48) = 48 [pid 3338] write(15, "\24\3\1\0\1\1\26\3\1\0000\356\336\3673\3034w\344\3364e\264\10dP\302\205\3058\357\272c"..., 59) = 59 [pid 3338] time(NULL) = 1256668224 [pid 3338] epoll_wait(6, Hope that someone can make sense of this. Just to be clear: ldapsearch behaves the same way as described above for openssl s_client. Thank you very much for even reading so far.

7 12

Slow replication in mirrormode
by Peter Mogensen 30 Oct '09

30 Oct '09

I've moved to new (FAST*) hardware and I was testing how long it took for a empty mirrormode server to catch up with the other one. (like after a complete failure of one of the nodes) I'm using a database where id2entry.bdb is ~6.6Gb. and it's taking surprisingly long time. After 18 hours it has gotten around 1/4 of the way. I'm wondering if I could speed it up by loading an LDIF backup on the empty server before I start it. Are there anything special I should take into account, like regarding entryCSN and options to slapdadd when I load the backup? /Peter

2 2

Availability of the ldap_initialize(3) interface
by Fredriksson Turbo 29 Oct '09

29 Oct '09

[regarding http://lists.freebsd.org/pipermail/freebsd-stable/2008-March/040976.html ] It states that one needs to use 'the new ldap_initialize API'... I now have a similar problem in 'my' Bind9 LDAP SDB: https://postlister.uninett.no/sympa/arc/dns-ldap/2009-10/ thrd1.html#00000 I'd just like to know _when_ this 'new' API can be used. That is, from which version. Official and Unofficial numbers would be nice, thanx. This so that I can decide if I should ignore the old API, and only go for the new or if I will need to support the old as well.

2 1

Re: syncrepl 2.4 issue from 2.3 master
by FRLinux 29 Oct '09

29 Oct '09

On Thu, Oct 29, 2009 at 3:11 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 29, 2009 1:09 AM +0000 FRLinux <frlinux(a)gmail.com> > wrote: > > >> So, am I right in the following assumption that syncrepl now only >> supports TLS instead of plain old SSL ? > > No, that assumption is not correct. There's something blocking your SSL > usage, but I don't have the details in your email to know why. Hello, I am happy to provide anything to fix it. I included my bit of configuration from slapd.conf and also the errors I was getting, what can I also give you to make this work? thanks for your response, Steph

1 0

Re: syncrepl 2.4 issue from 2.3 master
by FRLinux 29 Oct '09

29 Oct '09

On Fri, Sep 25, 2009 at 7:54 AM, FRLinux <frlinux(a)gmail.com> wrote: > On Thu, Sep 24, 2009 at 10:51 AM, FRLinux <frlinux(a)gmail.com> wrote: >> Hello, I am back again on that one as I cannot get it to work. >> >> I am getting: >> >> main: TLS init def ctx failed: 1 >> slapd destroy: freeing system resources. >> slapd stopped. >> connections_destroy: nothing to destroy. >> >> This is my replication config on the slave (2.4 on Debian): >> >> syncrepl rid=124 \ >> provider=ldaps://masterldap.example.com:636 \ >> type=refreshAndPersist \ >> searchbase="dc=example,dc=com" \ >> scope=sub \ >> filter="(objectClass=*)" \ >> attrs="*" \ >> schemachecking=off \ >> tls_cacert=/etc/ldap/cert/cacert.pem \ >> bindmethod=sasl \ >> saslmech=GSSAPI \ >> binddn="cn=LDAPReplicator,dc=example,dc=com" \ >> credentials=xxxxxx >> >> Anything I might be doing wrong? > > Anyone please? > I have tried many options on saslmech, etc... and still cannot use ssl directly on port 636 using the new syncrepl options (where you specify your certs straight in the syncrepl section). So, am I right in the following assumption that syncrepl now only supports TLS instead of plain old SSL ? Please respond to this, I need to get this working... Cheers, Steph

2 1

Mirror Mode, replicas and delta-syncrepl
by Sam Tran 28 Oct '09

28 Oct '09

Hi All, I am looking to upgrade our OL 2.3 platform to OL 2.4. For all write operations, I'd like to have two masters in Mirror Mode configuration and behind a load balancer with a virtual IP (VIP) address. All read operations will be performed on a set of replicas. The replication mode would be delta-syncrepl. I am trying to figure out how to configure replication between the replicas and the masters. I came across those two threads that seem to address this issue: http://www.openldap.org/lists/openldap-devel/200903/msg00085.html http://www.openldap.org/lists/openldap-software/200903/msg00127.html If I understand correctly, there are two possible configurations: 1) On each replica, create a single syncrepl stanza that points to the load balancer VIP. 2) On each replica, creates two syncrepl stanzas, each one pointing to a different master. Could you please confirm that both configurations would work? Should the second configuration be favored over the first for it does not depend on the load balancer? Thanks, Sam

4 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2009