syncprov ... changed by peer, ignored
by CHIROSSEL Olivier
Hi,
I have a replication problem.
I use Refresh and Persist mode.
openldap 2.4.17 (I tested 2.4.19, same thing).
When the slave re-initialises the communication with the master (because the master restarted, for example), and an entry was deleted and recreated on the master,
the new entry is deleted on the slave but not added when the slave resynchronises.
For example, I add:
dn: msisdn=6666666660,suffix=0,dc=sfr.com
msisdn: 6666666660
ApnOption: 5;1;1;1;1;0;0
ApnOption: 4;1;1;1;1;0;0
objectClass: msisdnobj
structuralObjectClass: msisdnobj
entryUUID: 6f8be02e-5d15-102e-9d25-8f1958adb04d
creatorsName: cn=admin,cn=config
createTimestamp: 20091103223905Z
entryCSN: 20091103223905.082394Z#000000#001#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20091103223905Z
entryDN: msisdn=6666666660,suffix=0,dc=sfr.com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
I restart the master, then delete msisdn=6666666660,suffix=0,dc=sfr.com and add:
dn: msisdn=6666666660,suffix=0,dc=sfr.com
msisdn: 6666666660
ApnOption: 5;2;2;2;2;0;0
ApnOption: 4;2;2;2;2;0;0
objectClass: msisdnobj
structuralObjectClass: msisdnobj
entryUUID: f150221e-5d15-102e-9d26-8f1958adb04d
creatorsName: cn=admin,cn=config
createTimestamp: 20091103224242Z
entryCSN: 20091103224242.794679Z#000000#001#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20091103224242Z
entryDN: msisdn=6666666660,suffix=0,dc=sfr.com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
When the slave reconnects to the master, I can't see any entry for msisdn=6666666660,suffix=0,dc=sfr.com on the slave, and I see in the master log:
Entry msisdn=6666666660,suffix=0,dc=sfr.com changed by peer, ignored
My conf on the master (I have 11 backends and two masters in mirror mode configuration; 10.143.73.9 is the VIP master):
config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcArgsFile: /var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/slapd.pid
olcReadOnly: FALSE
olcServerID: 1
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 32
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcToolThreads: 16
olcWriteTimeout: 0
olcLogLevel: 0x1 0x4000
structuralObjectClass: olcGlobal
entryUUID: 172e9a72-2c12-102e-9eca-fd5064191963
creatorsName: cn=config
createTimestamp: 20090902134141Z
entryCSN: 20090902134141.365317Z#000000#002#000000
modifiersName: cn=config
modifyTimestamp: 20090902134141Z
cn\=config/olcDatabase\=\{2\}hdb.ldif
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: suffix=0,dc=sfr.com
olcSubordinate: TRUE
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcSyncrepl: rid=001 provider=ldap://10.143.73.69 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,cn=config" credentials="secret" starttls=no searchbase="suffix=0,dc=sfr.com" scope=sub schemachecking=on type=refreshAndPersist retry="60 +"
olcMirrorMode: TRUE
olcMonitoring: TRUE
olcDbDirectory: /u10/openldap
#olcDbCacheSize: 200000
olcDbConfig: {0}set_cachesize 0 10000 1
#olcDbConfig: {1}set_shm_key 1
olcDbConfig: {2}set_lg_regionmax 1048576
olcDbConfig: {3}set_lg_max 52428800
olcDbConfig: {4}set_lg_bsize 2097152
olcDbConfig: {5}set_tx_max 100
olcDbConfig: {6}set_lg_dir /u9/db-logs
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: contextCSN eq
olcDbIndex: msisdn eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
#olcDbShmKey: 1
#olcDbCacheFree: 10000
olcDbDNcacheSize: 0
structuralObjectClass: olcHdbConfig
entryUUID: 172fc906-2c12-102e-9ed1-fd5064191963
creatorsName: cn=config
createTimestamp: 20090902134141Z
entryCSN: 20090902134141.365317Z#000000#002#000000
modifiersName: cn=config
modifyTimestamp: 20090902134141Z
My conf on the slave:
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /etc/openldap/slapd.conf
olcConfigDir: /etc/openldap/slapd.d
olcArgsFile: /var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPidFile: /var/run/slapd.pid
#olcReadOnly: FALSE
olcReadOnly: TRUE
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 32
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcToolThreads: 16
olcWriteTimeout: 0
olcAllows: bind_v2
olcLogLevel: 0x1 0x4000
structuralObjectClass: olcGlobal
entryUUID: 172e9a72-2c12-102e-9eca-fd5064191963
creatorsName: cn=config
createTimestamp: 20090902134141Z
entryCSN: 20090902134141.365317Z#000000#002#000000
modifiersName: cn=config
modifyTimestamp: 20090902134141Z
cn\=config/olcDatabase\=\{2\}hdb.ldif
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: suffix=0,dc=sfr.com
olcSubordinate: TRUE
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcSyncrepl: rid=001 provider=ldap://10.143.73.9 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,cn=config" credentials="secret" starttls=no searchbase="suffix=0,dc=sfr.com" scope=sub schemachecking=on type=refreshAndPersist retry="60 +"
olcUpdateRef: ldap://10.143.73.9
olcMonitoring: TRUE
olcDbDirectory: /u10/openldap
#olcDbCacheSize: 200000
olcDbConfig: {0}set_cachesize 0 10000 1
#olcDbConfig: {1}set_shm_key 1
olcDbConfig: {2}set_lg_regionmax 1048576
olcDbConfig: {3}set_lg_max 52428800
olcDbConfig: {4}set_lg_bsize 2097152
olcDbConfig: {5}set_tx_max 100
olcDbConfig: {6}set_lg_dir /u9/db-logs
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: contextCSN eq
olcDbIndex: msisdn eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
#olcDbShmKey: 1
#olcDbCacheFree: 10000
olcDbDNcacheSize: 0
structuralObjectClass: olcHdbConfig
entryUUID: 172fc906-2c12-102e-9ed1-fd5064191963
creatorsName: cn=config
createTimestamp: 20090902134141Z
entryCSN: 20090902134141.365317Z#000000#002#000000
modifiersName: cn=config
modifyTimestamp: 20090902134141Z
regards,
Olivier
Mirror of Master 2.4 and slave 2.3: slave silently exits(0)
by Покотиленко Костик
I've set up 2 slapd in mirror mode. All worked fine until some moment.
Now the slave server exits(0) just after start and sync. Master is 2.4,
slave is 2.3. During sync there are a lot of "bdb_search: ## does not
match filter" log entries. What may cause this?
Last lines on slave:
bdb_search: 92 does not match filter
send_ldap_result: conn=-1 op=0 p=0
--
Покотиленко Костик <casper(a)meteor.dp.ua>
refint overlay not working (revisited)
by lee_yiu_chung@yahoo.com
Last time I asked for suggestions on why refint is not working
(http://www.openldap.org/lists/openldap-software/200910/msg00112.html). Today I revisited this
issue, turned on logging, and found some strange error logs:
Nov 5 12:03:44 localhost slapd[26252]: refint_search_cb <NOTHING>
Nov 5 12:03:44 localhost slapd[26252]: bdb_dn2entry("cn=bbb,ou=emailaliases,dc=iwt,dc=local")
Nov 5 12:03:44 localhost slapd[26252]: bdb_modify_internal: 0x0000006c:
cn=bbb,ou=emailAliases,dc=example,dc=com
Nov 5 12:03:44 localhost slapd[26252]: hdb_modify: modify failed (50)
Nov 5 12:03:44 localhost slapd[26252]: send_ldap_result: conn=-1 op=0 p=0
Nov 5 12:03:44 localhost slapd[26252]: refint_repair: dependent modify failed: 50
After some research, I found a hint at
http://www.openldap.org/lists/openldap-technical/200909/msg00022.html (although it seems unrelated to
the refint overlay). The refint overlay works immediately after rootdn is configured.
I have read the documentation afterwards, and it seems that the documentation doesn't mention that the refint
overlay works only if rootdn is configured. I would like to ask if it is an (undocumented) requirement
or a software bug.
sync replication questions
by Edward Capriolo
All,
I had an event happen; I would like to understand how openldap handled
this and why.
We have two openldap nodes doing sync replication (configuration is
below). One node locked up this weekend: no response to ping, etc. This
in itself is a problem (since this server is not under very high load);
however, I do not have any diagnostics on this, so I will move on.
ldap1 crashed. It stayed off for a good part of the weekend. On
returning to work, ldap1 rebooted and openldap was started.
At this point changes made to ldap2 were propagating to ldap1. However,
changes to ldap1 were not replicating to ldap2.
I restarted ldap1 with only replication debug on. I saw this... (don't
mind the header up front; we are using daemontools)
[root@nyldap1 ~]# tail -f /service/openldap/log/main/current
@400000004af1d1582b3c9c74 bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/openldap/var/openldap-data: (2).
@400000004af1d1582b3caffc Expect poor performance for suffix "o=ec,c=US".
@400000004af1d1582b88090c bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
@400000004af1d1582b8bfcc4 slapd starting
@400000004af1d1592bf58c34 slap_client_connect: URI=ldap://nyldap1.ops.ec.com DN="cn=root,o=ec,c=us" ldap_sasl_bind_s failed (-5)
@400000004af1d15a00006f54 do_syncrepl: rid=003 rc -5 retrying (4 retries left)
@400000004af1d15a00022ca4 do_syncrep2: rid=004 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
@400000004af1d15a2aac52f4 TLS: can't accept: (null).
@400000004af1d15f2ab0f674 TLS: can't accept: (null).
@400000004af1d15f2ab8f16c do_syncrep2: rid=003 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
@400000004af1d1642aafae54 TLS: can't accept: (null).
@400000004af1d1692ab2fa14 TLS: can't accept: (null).
Changes from nyldap1 were still not propagating to nyldap2.
Then I restarted nyldap2, and replication was again working in both directions.
I based my setup on these notes:
http://www.linuxtopia.org/online_books//network_administration_guides/lda...
syncrepl rid=004
provider=ldap://nyldap2.ops.ec.com
binddn="cn=root,o=ec,c=US"
bindmethod=simple
credentials=XXXXXXXX
searchbase="o=ec,c=US"
type=refreshAndPersist
starttls=no
tls_reqcert=never
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
So our database is very, very low on write/update activity. I think I
understand that syncprov-checkpoint timed out. I am going to change
this to:
syncprov-checkpoint 10000 9000
syncprov-sessionlog 10000
As I said, our database is very low write; we add users periodically
and people's passwords expire, and that is all the writes/updates that
happen.
My openldap is 2.4.16 build from source.
So, important questions:
1) Why did two-way replication not restart? Is this the correct
behavior for my configuration, or a bug? Can I configure openldap to
always start refresh and persist?
2) Could some entries be out of sync now? If yes:
2a) Can I use a tool to confirm these systems are in sync? "slapcat &
diff" (better option)
2b) If one side is out of sync, can I force one side to replicate over the other?
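A consistency check for question 2a ("slapcat & diff") that also covers the delete/recreate case in Olivier's post earlier on this page: an added example, not code from either poster or from the OpenLDAP project. It parses two slapcat LDIF dumps and reports DNs present on one side only, the same DN with a different entryUUID (a delete and re-add that never reached the other side), and the same entryUUID with different entryCSN values, ordered the way OpenLDAP's fixed-width CSN format allows. The two LDIF texts are constructed; only the first entry reuses the UUIDs and CSNs quoted in Olivier's post.

```python
import base64
import re
from typing import Dict, List, Tuple

# CSN layout: YYYYmmddHHMMSS.uuuuuuZ#count#sid#mod, every field fixed width
CSN_RE = re.compile(r"^\d{14}\.\d{6}Z#[0-9a-f]{6}#[0-9a-f]{3}#[0-9a-f]{6}$")

def csn_is_newer(a: str, b: str) -> bool:
    """True if CSN a is strictly newer than b (fixed-width fields, so string order is time order)."""
    for c in (a, b):
        if not CSN_RE.match(c):
            raise ValueError(f"not an OpenLDAP CSN: {c!r}")
    return a > b

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse LDIF into {dn: {attr_lower: [values]}}; handles '::' base64 values and folded lines."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: List[str] = []

    def flush() -> None:
        if not current:
            return
        attrs: Dict[str, List[str]] = {}
        for raw in current:
            name, sep, val = raw.partition(":")
            if not sep:
                raise ValueError(f"bad LDIF line: {raw!r}")
            if val.startswith(":"):  # 'attr:: <base64>'
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            else:
                val = val.strip()
            attrs.setdefault(name.strip().lower(), []).append(val)
        entries[attrs["dn"][0]] = attrs  # KeyError: record without a dn line
        current.clear()

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            flush()
        elif line.startswith(" ") and current:  # folded continuation line
            current[-1] += line[1:]
        else:
            current.append(line)
    flush()
    return entries

def diff_dumps(master, slave) -> List[Tuple[str, str]]:
    """Return (finding, dn) pairs; entries that agree produce nothing."""
    findings: List[Tuple[str, str]] = []
    for dn in sorted(set(master) | set(slave)):
        if dn not in slave:
            findings.append(("missing-on-slave", dn))
        elif dn not in master:
            findings.append(("missing-on-master", dn))
        elif master[dn].get("entryuuid") != slave[dn].get("entryuuid"):
            # same DN, new UUID: a delete + re-add that never reached one side
            findings.append(("uuid-mismatch", dn))
        else:
            mc, sc = master[dn]["entrycsn"][0], slave[dn]["entrycsn"][0]
            if mc != sc:
                findings.append(("master-newer" if csn_is_newer(mc, sc) else "slave-newer", dn))
    return findings

# Constructed dumps (not real slapcat output); entry ...660 reuses the first post's values, CSN folded
MASTER_LDIF = """\
dn: msisdn=6666666660,suffix=0,dc=sfr.com
entryUUID: f150221e-5d15-102e-9d26-8f1958adb04d
entryCSN: 20091103224242.794679Z
 #000000#001#000000

dn: msisdn=6666666661,suffix=0,dc=sfr.com
description:: c2ZyIHRlc3Q=
entryUUID: 11111111-0000-102e-0000-000000000001
entryCSN: 20091103230000.000000Z#000000#001#000000

dn: msisdn=6666666662,suffix=0,dc=sfr.com
entryUUID: 22222222-0000-102e-0000-000000000002
entryCSN: 20091103223905.082394Z#000000#001#000000
"""
SLAVE_LDIF = """\
dn: msisdn=6666666660,suffix=0,dc=sfr.com
entryUUID: 6f8be02e-5d15-102e-9d25-8f1958adb04d
entryCSN: 20091103223905.082394Z#000000#001#000000

dn: msisdn=6666666661,suffix=0,dc=sfr.com
entryUUID: 11111111-0000-102e-0000-000000000001
entryCSN: 20091103224000.000000Z#000000#001#000000

dn: msisdn=6666666663,suffix=0,dc=sfr.com
entryUUID: 33333333-0000-102e-0000-000000000003
entryCSN: 20091103223905.082394Z#000000#001#000000
"""

def run_example() -> List[Tuple[str, str]]:
    return diff_dumps(parse_ldif(MASTER_LDIF), parse_ldif(SLAVE_LDIF))
```

On real servers, feed it `slapcat -b <suffix>` output from each side taken at the same moment; a "uuid-mismatch" on a DN is exactly the delete-then-re-add situation from the first post.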
Re: syncrepl 2.4 issue from 2.3 master
by FRLinux
On Wed, Nov 4, 2009 at 4:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> 2.4.11? Seriously? You can't even replicate 2.3 to 2.4 with that old of a
> release, and if it is Debian/Ubuntu based, there's been all sorts of fixes
> to the GnuTLS support since then.
Well, this is what Debian stable gives me. I usually have OpenLDAP on
FreeBSD but unfortunately, we use Debian also for slave servers. This
is a practical production choice.
Now, moving to testing, I got OpenLDAP 2.4.17 and it does indeed try
to negotiate now, but still fails. Thanks for your help:
ldaptest:~# slapd -d 1
@(#) $OpenLDAP: slapd 2.4.17 (Jul 28 2009 11:07:38) $
@borges:/home/devel/openldap/build-area/openldap-2.4.17/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=ldaptest, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>,
<cn=admin,dc=cp,dc=example,dc=com>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges.
>>> dnNormalize: <>
<<< dnNormalize: <>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges.
>>> dnNormalize: <dc=example,dc=com>
<<< dnNormalize: <dc=example,dc=com>
>>> dnNormalize: <cn=ldaprep,dc=example,dc=com>
<<< dnNormalize: <cn=ldaprep,dc=example,dc=com>
syncrepl rid=124 searchbase="dc=example,dc=com": no retry defined, using default
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=example,dc=com"
bdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap).
slapd starting
=>do_syncrepl rid=124
ldap_create
ldap_url_parse_ext(ldaps://ldapmaster.cp.example.com:636)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapmaster.cp.example.com:636
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 2001:770:60:1:214:5eff:fe0a:bec 636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
ldap_int_sasl_open: host=ldapmaster.cp.example.com
slap_client_connect: URI=ldaps://ldapmaster.example.com:636
ldap_sasl_interactive_bind_s failed (-6)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 14
ldap_free_connection: actually freed
do_syncrepl: rid=124 rc -6 retrying
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
syncinfo_free: rid=124
Re: syncrepl 2.4 issue from 2.3 master
by FRLinux
On Thu, Oct 29, 2009 at 3:11 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, October 29, 2009 1:09 AM +0000 FRLinux <frlinux(a)gmail.com>
> wrote:
>
>
>> So, am I right in the following assumption that syncrepl now only
>> supports TLS instead of plain old SSL ?
>
> No, that assumption is not correct. There's something blocking your SSL
> usage, but I don't have the details in your email to know why.
Hello Quanah, please find my configuration file and the error with a slapd -d 1:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}pass_in_md5_format
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
TLSCACertificateFile /etc/ldap/cert/cacert.pem
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=example,dc=com" write
by * read
syncrepl rid=124 \
provider=ldaps://masterldap.example.com:636 \
type=refreshAndPersist \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
tls_cacert=/etc/ldap/cert/cacert.pem \
saslmech=GSSAPI \
bindmethod=sasl \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=password
ldaptest:/etc/ldap# slapd -d 1
@(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
vorlon@borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=ldaptest, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>,
<cn=admin,dc=cp,dc=example,dc=com>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges.
>>> dnNormalize: <>
<<< dnNormalize: <>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges.
>>> dnNormalize: <dc=example,dc=com>
<<< dnNormalize: <dc=example,dc=com>
>>> dnNormalize: <cn=ldaprep,dc=example,dc=com>
<<< dnNormalize: <cn=ldaprep,dc=example,dc=com>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
main: TLS init def ctx failed: 1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Cheers,
Steph
changes no longer replicated between the masters
by Kent Tong
Hi,
I've set up two openldap servers (ldap1.cpttm and ldap2.cpttm)
for multi-master replication. It seems to work fine initially.
However, later on it seems the replication has stopped: I can
add new entries or change attribute values on ldap1.cpttm but
ldap2.cpttm won't see the changes.
I confirmed that they are talking to each other with both
tcpdump and syslog.
The configuration and the trace level log is attached below.
Any idea how to further troubleshoot this issue? Thanks in advance
for any hint!
Both are running slapd 2.4.9-0ubuntu0.
Configuration
=============
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cpttm,dc=org,dc=mo
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,dc=cpttm,dc=org,dc=mo
olcRootPW: {SSHA}<DELETED>
olcSyncrepl: {0}rid=003 provider=ldaps://ldap1.cpttm
binddn="cn=admin,dc=cpttm,dc=org,dc=mo" bindmethod=simple
credentials=<DELETED>
searchbase="dc=cpttm,dc=org,dc=mo" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldaps://ldap2.cpttm
binddn="cn=admin,dc=cpttm,dc=org,dc=mo" bindmethod=simple
credentials=<DELETED>
searchbase="dc=cpttm,dc=org,dc=mo" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
syslog
======
Nov 4 12:42:55 hoadms004 slapd[20835]: =>do_syncrep2 rid=003
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_get(24): got connid=13594
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_read(24): checking for input on id=13594
Nov 4 12:42:55 hoadms004 slapd[20835]: conn=13594 op=1 do_search
Nov 4 12:42:55 hoadms004 slapd[20835]: >>> dnPrettyNormal: <dc=cpttm,dc=org,dc=mo>
Nov 4 12:42:55 hoadms004 slapd[20835]: <<< dnPrettyNormal: <dc=cpttm,dc=org,dc=mo>, <dc=cpttm,dc=org,dc=mo>
Nov 4 12:42:55 hoadms004 slapd[20835]: => get_ctrls
Nov 4 12:42:55 hoadms004 slapd[20835]: => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical)
Nov 4 12:42:55 hoadms004 slapd[20835]: <= get_ctrls: n=1 rc=0 err=""
Nov 4 12:42:55 hoadms004 slapd[20835]: send_ldap_result: conn=13594 op=1 p=3
Nov 4 12:42:55 hoadms004 slapd[20835]: send_ldap_response: msgid=2 tag=101 err=0
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_get(24): got connid=13594
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_read(24): checking for input on id=13594
Nov 4 12:42:55 hoadms004 slapd[20835]: ber_get_next on fd 24 failed errno=0 (Success)
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_closing: readying conn=13594 sd=24 for close
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_close: deferring conn=13594 sd=24
Nov 4 12:42:55 hoadms004 slapd[20835]: conn=13594 op=2 do_unbind
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_resched: attempting closing conn=13594 sd=24
Nov 4 12:42:55 hoadms004 slapd[20835]: connection_close: conn=13594 sd=24
--
Kent Tong
Useful news for software developers at
http://www2.cpttm.org.mo/cyberlab/softdev/newsletter
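Added here as a check for the situation Kent describes (it is not part of his post; the server names and CSN values in it are constructed): a Python helper that parses slapd CSN values in the form seen in the syncrepl log lines on this page, keeps the newest CSN per serverID from each master's contextCSN values, and reports a master that is missing, or behind, another master's latest change. Comparing contextCSN on both masters is the usual first step when changes stop flowing.

```python
import re
from dataclasses import dataclass

# slapd CSN syntax: YYYYmmddHHMMSS.ffffffZ#count#sid#mod (hex fields; sid = olcServerID of the writer)
CSN_RE = re.compile(r"(?P<ts>\d{14})\.(?P<frac>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
                    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})")

@dataclass(frozen=True, order=True)
class CSN:
    ts: str     # zero-padded UTC timestamp, so string order is time order
    frac: str   # microseconds
    count: int  # change counter within the same microsecond
    sid: int    # serverID of the master that made the change
    mod: int    # modification number

def parse_csn(text):
    """Parse one CSN value; raise ValueError on anything else."""
    m = CSN_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m["ts"], m["frac"], int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16))

def csn_from_cookie_line(line):
    """Extract the CSN from a 'do_syncrep2: cookie=rid=...,csn=...' syslog line."""
    m = re.search(r"csn=(\S+)", line)
    return parse_csn(m.group(1)) if m else None

def latest_by_sid(csns):
    """contextCSN is multi-valued: keep the newest value for each serverID."""
    best = {}
    for c in csns:
        if c.sid not in best or c > best[c.sid]:
            best[c.sid] = c
    return best

def compare_context_csn(servers):
    """servers: {name: [contextCSN strings]} -> [(name, sid, own, newest)] for every
    server that is missing, or behind, the newest CSN known for some serverID."""
    parsed = {n: latest_by_sid(parse_csn(v) for v in vals) for n, vals in servers.items()}
    sids = set().union(*(p.keys() for p in parsed.values()))
    lagging = []
    for sid in sorted(sids):
        newest = max(p[sid] for p in parsed.values() if sid in p)
        for name, p in parsed.items():
            own = p.get(sid)
            if own is None or own < newest:
                lagging.append((name, sid, own, newest))
    return lagging

# Constructed sample: ldap2 has not yet seen ldap1's (serverID 1) latest write.
SAMPLE = {
    "ldap1.cpttm": ["20091104044255.123456Z#000000#001#000000",
                    "20091104043000.000000Z#000000#002#000000"],
    "ldap2.cpttm": ["20091104043900.000000Z#000000#001#000000",
                    "20091104043000.000000Z#000000#002#000000"],
}

if __name__ == "__main__":
    for name, sid, own, newest in compare_context_csn(SAMPLE):
        print(f"{name} lags on serverID {sid:03x}: has {own}, newest is {newest}")
```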
cannot allocate 0 byte
by Edgar Fuß
Today, one of our OpenLDAP syncrepl consumers died (again) with "ch_malloc of 0 bytes failed".
Are there any known issues in 2.4.15 leading to that? It's somewhat annoying since it's the replication our mail servers are using.
The last lines before the server dies are:
Nov 2 16:38:09 kinzig slapd[17902]: conn=570825 fd=215 closed (connection lost)
Nov 2 16:38:12 kinzig slapd[17902]: do_syncrep2: cookie=rid=001,csn=20091102153812.781434Z#000000#000#000000
Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 be_search (0)
Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 cn=<CENSORED>
Nov 2 16:38:12 kinzig slapd[17902]: slap_queue_csn: queing 0xa296a00 20091102153812.781434Z#000000#000#000000
Nov 2 16:38:12 kinzig slapd[17902]: slap_graduate_commit_csn: removing 0x11ac34c0 20091102153812.781434Z#000000#000#000000
Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 be_modrdn (0)
Nov 2 16:38:12 kinzig slapd[17902]: slap_queue_csn: queing 0xa296a00 20091102153812.781434Z#000000#000#000000
Nov 2 16:38:12 kinzig slapd[17902]: ch_malloc of 0 bytes failed
Data access issue
by Vincent DEBOUT
Hi,
I have an issue getting data from my LDAP server. With the root account
everything is fine:
[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "cn=Directory Manager,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#
# vincent, personnes, morinie.fr
dn: uid=vincent,ou=personnes,dc=morinie,dc=fr
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But when I try with my own account, I get no result:
[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "uid=vincent,ou=personnes,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
Here is my access configuration file:
# The root DIT should be accessible to all clients
access to dn.exact=""
    by * read
# So should the schema
access to dn.subtree="cn=Subschema"
    by * read
access to attr=userpassword
    by self write
    by anonymous auth
    by * none
access to attr=x500uniqueIdentifier
    by self write
    by * none
access to dn.one="ou=personnes, dc=morinie, dc=fr"
    by anonymous auth
    by self write
    by users write
I don't understand why I can't get the data!
Can you help me on this?
Best regards,
Vincent
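Added here as a way to see which `access to` clause slapd selects for a given entry under the ACL in the post above (example code, not from the post): a toy evaluator with the dn styles of slapd.access(5), where `exact`/`base` select that entry only, `one` its direct children, `children` everything below it and `subtree` the entry plus everything below. DN normalization is simplified (no escaped commas), only the `*`, `anonymous`, `users` and `self` selectors are modelled, and the rootdn's ACL bypass is left out; the DNs are the ones from the post.

```python
def dn_components(dn):
    """Split a DN into normalized RDN strings (simplified: no escaped commas)."""
    return [c.strip().lower() for c in dn.split(",")] if dn.strip() else []

def dn_matches(style, pattern, target):
    """slapd.access(5) dn styles: does target fall under pattern?"""
    pat, tgt = dn_components(pattern), dn_components(target)
    extra = len(tgt) - len(pat)          # levels of target below the pattern
    if extra < 0 or tgt[extra:] != pat:  # target must end with the pattern
        return False
    return {"exact": extra == 0, "base": extra == 0, "one": extra == 1,
            "children": extra >= 1, "subtree": extra >= 0}[style]

# The access directives from the post, in file order.
ACL = [
    {"dn": ("exact", ""), "by": [("*", "read")]},
    {"dn": ("subtree", "cn=Subschema"), "by": [("*", "read")]},
    {"attrs": {"userpassword"}, "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"attrs": {"x500uniqueidentifier"}, "by": [("self", "write"), ("*", "none")]},
    {"dn": ("one", "ou=personnes, dc=morinie, dc=fr"),
     "by": [("anonymous", "auth"), ("self", "write"), ("users", "write")]},
]

def first_matching_clause(acl, target_dn, attr=None):
    """slapd uses the first 'access to' clause whose <what> selects the target."""
    for rule in acl:
        if "dn" in rule and not dn_matches(*rule["dn"], target_dn):
            continue
        if "attrs" in rule and (attr is None or attr.lower() not in rule["attrs"]):
            continue
        return rule
    return None  # nothing selected it: slapd's built-in default is "by * none"

def who_matches(who, bound_dn, target_dn):
    """Subset of <who> selectors: *, anonymous, users, self."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "users":
        return bound_dn != ""
    if who == "self":
        return bound_dn != "" and dn_components(bound_dn) == dn_components(target_dn)
    raise ValueError(f"unsupported <who>: {who}")

def effective_access(acl, bound_dn, target_dn, attr=None):
    """Access level the bound identity gets on target_dn (or on one of its attributes)."""
    rule = first_matching_clause(acl, target_dn, attr)
    if rule is None:
        return "none"
    for who, level in rule["by"]:
        if who_matches(who, bound_dn, target_dn):
            return level  # the first matching <by> clause wins
    return "none"

VINCENT = "uid=vincent,ou=personnes,dc=morinie,dc=fr"
BASE = "ou=personnes,dc=morinie,dc=fr"

if __name__ == "__main__":
    print("own entry:  ", effective_access(ACL, VINCENT, VINCENT))
    print("search base:", effective_access(ACL, VINCENT, BASE))
```

The search base entry sits one level above what `dn.one` selects, and slapd answers a search whose base entry the bound identity cannot read with noSuchObject (result 32) rather than revealing that the entry exists; the rootdn is not subject to ACLs, which is why the first search behaves differently.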
Chain Overlay and SASL Proxy Auth with Multiple Referrals.
by Tim Stewart
Hello,
I have three servers, A, B, and C. C has the master copy of all data.
A is set to refer to B, and B will refer to C.
I have properly configured SASL on all three systems. All use
Kerberos and use their ldap service principal to authenticate. They
are properly mapped to in-directory DNs via the authz-regexp
directive. Also, I'm sure everything is working because the same SASL
config is used for replication.
I have configured the chain overlay on servers A and B to use SASL
authentication and have chain-uris defined for B and C, respectively.
- Scenario 1:
A write request is issued to server B. The chain overlay follows
the referral and binds using its SASL identity to server C. It then
rebinds (allowed via authzTo in the dn for server B's identity) as
the user making the request and successfully updates the database.
Things work as expected.
- Scenario 2:
A write request is issued to server A. The chain overlay follows
the referral and binds using its SASL identity to server B. It then
rebinds (allowed via authzTo in the dn for server A's identity) as
the user making the request. Server B's chain overlay then takes
over to handle the referral to C.
The chain overlay on server B binds to server C as its SASL
identity, which succeeds. The overlay then attempts to rebind as
*server A*, rather than the original user. This rebind fails as the
authzTo in the dn for server B's identity only allows rebinding as
normal users in my setup. The update fails.
Even if server B's identity were allowed to rebind as server A, the
update would fail because server A does not have the appropriate
permissions. Regardless, server B should be rebinding as the original
user.
After some research I have found that this issue feels very similar to
ITS#3526, ITS#4070, and ITS#5110. Is there anything I can do to force
the second referral to rebind as the correct user?
Here are the relevant sections of my configuration:
##################################
# Server A
overlay chain
chain-tls start
chain-max-depth 3
chain-uri "ldap://serverB.example.com"
chain-idassert-bind bindmethod=sasl
saslmech=gssapi
mode=self
##################################
# Server B
overlay chain
chain-tls start
chain-max-depth 3
chain-uri "ldap://serverC.example.com"
chain-idassert-bind bindmethod=sasl
saslmech=gssapi
mode=self
Thank you,
--
-TimS
Tim Stewart
Stoo Research
tim(a)stoo.org