openldap-software November 2009

openldap-software@openldap.org

38 participants
30 discussions

syncprov ... changed by peer, ignored
by CHIROSSEL Olivier 07 Nov '09

07 Nov '09

Hi I have a replication problem: i use Refresh and Persist mode openldap 2.4.17 ( i test 2.4.19 same thing) When the slave re init the communication with the master, because the master restart for example, and an entry is delete and recreate on the master, the new entry is delete on the slave but not add when the slave resynchronise . for example i add dn: msisdn=6666666660,suffix=0,dc=sfr.com msisdn: 6666666660 ApnOption: 5;1;1;1;1;0;0 ApnOption: 4;1;1;1;1;0;0 objectClass: msisdnobj structuralObjectClass: msisdnobj entryUUID: 6f8be02e-5d15-102e-9d25-8f1958adb04d creatorsName: cn=admin,cn=config createTimestamp: 20091103223905Z entryCSN: 20091103223905.082394Z#000000#001#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20091103223905Z entryDN: msisdn=6666666660,suffix=0,dc=sfr.com subschemaSubentry: cn=Subschema hasSubordinates: FALSE i restart the master and and delete msisdn=6666666660,suffix=0,dc=sfr.com add : dn: msisdn=6666666660,suffix=0,dc=sfr.com msisdn: 6666666660 ApnOption: 5;2;2;2;2;0;0 ApnOption: 4;2;2;2;2;0;0 objectClass: msisdnobj structuralObjectClass: msisdnobj entryUUID: f150221e-5d15-102e-9d26-8f1958adb04d creatorsName: cn=admin,cn=config createTimestamp: 20091103224242Z entryCSN: 20091103224242.794679Z#000000#001#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20091103224242Z entryDN: msisdn=6666666660,suffix=0,dc=sfr.com subschemaSubentry: cn=Subschema hasSubordinates: FALSE when the slave reconnect to the master : i can't see any entry for msisdn=6666666660,suffix=0,dc=sfr.com on the slave and see on the master log Entry msisdn=6666666660,suffix=0,dc=sfr.com changed by peer, ignored my conf on the master (i have 11 backend and two master in mirror mode configuration, the 10.143.73.9 is the vip master): config.ldif dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcArgsFile: /var/run/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcPidFile: /var/run/slapd.pid olcReadOnly: FALSE olcServerID: 1 olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 32 olcTLSCRLCheck: none olcTLSVerifyClient: never olcToolThreads: 16 olcWriteTimeout: 0 olcLogLevel: 0x1 0x4000 structuralObjectClass: olcGlobal entryUUID: 172e9a72-2c12-102e-9eca-fd5064191963 creatorsName: cn=config createTimestamp: 20090902134141Z entryCSN: 20090902134141.365317Z#000000#002#000000 modifiersName: cn=config modifyTimestamp: 20090902134141Z cn\=config/olcDatabase\=\{2\}hdb.ldif dn: olcDatabase={2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcSuffix: suffix=0,dc=sfr.com olcSubordinate: TRUE olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,cn=config olcSyncrepl: rid=001 provider=ldap://10.143.73.69 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,cn=config" credentials="secret" starttls= no searchbase="suffix=0,dc=sfr.com" scope=sub schemach ecking=on type=refreshAndPersist retry="60 +" olcMirrorMode: TRUE olcMonitoring: TRUE olcDbDirectory: /u10/openldap #olcDbCacheSize: 200000 olcDbConfig: {0}set_cachesize 0 10000 1 #olcDbConfig: {1}set_shm_key 1 olcDbConfig: {2}set_lg_regionmax 1048576 olcDbConfig: {3}set_lg_max 52428800 olcDbConfig: {4}set_lg_bsize 2097152 olcDbConfig: {5}set_tx_max 100 olcDbConfig: {6}set_lg_dir /u9/db-logs olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 0 olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: contextCSN eq olcDbIndex: msisdn eq olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 #olcDbShmKey: 1 #olcDbCacheFree: 10000 olcDbDNcacheSize: 0 structuralObjectClass: olcHdbConfig entryUUID: 172fc906-2c12-102e-9ed1-fd5064191963 creatorsName: cn=config createTimestamp: 20090902134141Z entryCSN: 20090902134141.365317Z#000000#002#000000 modifiersName: cn=config modifyTimestamp: 20090902134141Z my conf on the slave : dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcArgsFile: /var/run/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcPidFile: /var/run/slapd.pid #olcReadOnly: FALSE olcReadOnly: TRUE olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 32 olcTLSCRLCheck: none olcTLSVerifyClient: never olcToolThreads: 16 olcWriteTimeout: 0 olcAllows: bind_v2 olcLogLevel: 0x1 0x4000 structuralObjectClass: olcGlobal entryUUID: 172e9a72-2c12-102e-9eca-fd5064191963 creatorsName: cn=config createTimestamp: 20090902134141Z entryCSN: 20090902134141.365317Z#000000#002#000000 modifiersName: cn=config modifyTimestamp: 20090902134141Z cn\=config/olcDatabase\=\{2\}hdb.ldif dn: olcDatabase={2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcSuffix: suffix=0,dc=sfr.com olcSubordinate: TRUE olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,cn=config olcSyncrepl: rid=001 provider=ldap://10.143.73.9 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,cn=config" credentials="secret" starttls= no searchbase="suffix=0,dc=sfr.com" scope=sub schemach ecking=on type=refreshAndPersist retry="60 +" olcUpdateRef: ldap://10.143.73.9 olcMonitoring: TRUE olcDbDirectory: /u10/openldap #olcDbCacheSize: 200000 olcDbConfig: {0}set_cachesize 0 10000 1 #olcDbConfig: {1}set_shm_key 1 olcDbConfig: {2}set_lg_regionmax 1048576 olcDbConfig: {3}set_lg_max 52428800 olcDbConfig: {4}set_lg_bsize 2097152 olcDbConfig: {5}set_tx_max 100 olcDbConfig: {6}set_lg_dir /u9/db-logs olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 0 olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: contextCSN eq olcDbIndex: msisdn eq olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 #olcDbShmKey: 1 #olcDbCacheFree: 10000 olcDbDNcacheSize: 0 structuralObjectClass: olcHdbConfig entryUUID: 172fc906-2c12-102e-9ed1-fd5064191963 creatorsName: cn=config createTimestamp: 20090902134141Z entryCSN: 20090902134141.365317Z#000000#002#000000 modifiersName: cn=config modifyTimestamp: 20090902134141Z regards, Olivier

2 1

Mirror of Master 2.4 and slave 2.3: slave silently exits(0)
by Покотиленко Костик 06 Nov '09

06 Nov '09

I've set up 2 slapd in mirror mode. All worked fine until some moment. Now slave server exists(0) just after start and sync. Master is 2.4, slave is 2.3. During sync there are alot of "bdb_search: ## does not match filter" log entries. What may cause this? Last lines on slave: bdb_search: 92 does not match filter send_ldap_result: conn=-1 op=0 p=0 -- Покотиленко Костик <casper(a)meteor.dp.ua>

2 2

refint overlay not working (revisited)
by lee_yiu_chung＠yahoo.com 05 Nov '09

05 Nov '09

Last time I have asked for any suggestion why refint is not working (http://www.openldap.org/lists/openldap-software/200910/msg00112.html). Today I have revisited this issue, turned on logging, and found some strange error logs: Nov 5 12:03:44 localhost slapd[26252]: refint_search_cb <NOTHING> Nov 5 12:03:44 localhost slapd[26252]: bdb_dn2entry("cn=bbb,ou=emailaliases,dc=iwt,dc=local") Nov 5 12:03:44 localhost slapd[26252]: bdb_modify_internal: 0x0000006c: cn=bbb,ou=emailAliases,dc=example,dc=com Nov 5 12:03:44 localhost slapd[26252]: hdb_modify: modify failed (50) Nov 5 12:03:44 localhost slapd[26252]: send_ldap_result: conn=-1 op=0 p=0 Nov 5 12:03:44 localhost slapd[26252]: refint_repair: dependent modify failed: 50 After some research, I found a hint from http://www.openldap.org/lists/openldap-technical/200909/msg00022.html (although seems unrelated to refint overlay). Refint overlay works immediately after rootdn is configured. I have read the documentation afterwards, and seems that the documentation doesn't mention refint overlay works only if rootdn is configured. I would like to ask if it is (undocumented) requirement or a software bug?

2 1

sync replication questions
by Edward Capriolo 05 Nov '09

05 Nov '09

All, I had an event happen I would like to understand how openldap handled this and why. We have two openldap nodes doing sync replication (configuration is below). One node locked up this weekend no response to ping etc. This in itself is a problem (since this server is not very high load) however I do not have any diagnostics on this so I will move on. ldap1 crashed. It stayed off for a good part of the weekend. On returning to work ldap1 rebooted and openldap was started. At this point changes made to ldap2 were propagating to ldap1. However changes to ldap1 were not replicating to ldap2. I restarted ldap1 with only replication debug on. I saw this... (dont mind the header upfront we are using daemon tools) [root@nyldap1 ~]# tail -f /service/openldap/log/main/current @400000004af1d1582b3c9c74 bdb_db_open: warning - no DB_CONFIG file found in dire ctory /usr/local/openldap/var/openldap-data: (2). @400000004af1d1582b3caffc Expect poor performance for suffix "o=ec,c=US". @400000004af1d1582b88090c bdb_monitor_db_open: monitoring disabled; configure mo nitor database to enable @400000004af1d1582b8bfcc4 slapd starting @400000004af1d1592bf58c34 slap_client_connect: URI=ldap://nyldap1.ops.ec.com DN="cn=root,o=ec,c=us" ldap_sasl_bind_s failed (-5) @400000004af1d15a00006f54 do_syncrepl: rid=003 rc -5 retrying (4 retries left) @400000004af1d15a00022ca4 do_syncrep2: rid=004 LDAP_RES_INTERMEDIATE - REFRESH_D ELETE @400000004af1d15a2aac52f4 TLS: can't accept: (null). @400000004af1d15f2ab0f674 TLS: can't accept: (null). @400000004af1d15f2ab8f16c do_syncrep2: rid=003 LDAP_RES_INTERMEDIATE - REFRESH_D ELETE @400000004af1d1642aafae54 TLS: can't accept: (null). @400000004af1d1692ab2fa14 TLS: can't accept: (null). Changes from nyldap1 were still not propagating to nyldap2. Then I restarted nyldap2. replication was again working in both directions. I based my setup on these notes: http://www.linuxtopia.org/online_books//network_administration_guides/ldap_… syncrepl rid=004 provider=ldap://nyldap2.ops.ec.com binddn="cn=root,o=ec,c=US" bindmethod=simple credentials=XXXXXXXX searchbase="o=ec,c=US" type=refreshAndPersist starttls=no tls_reqcert=never interval=00:00:00:10 retry="5 5 300 5" timeout=1 mirrormode true overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 So our database is very very low on write/update activity. I think I understand that syncprov-checkpoint timed out. I am going to change this to syncprov-checkpoint 10000 9000 syncprov-sessionlog 10000 As I said our database is very low write, we add users periodically and peoples passwords expire that is all the writes/updates that happen. My openldap is 2.4.16 build from source. So important questions : 1) Why did two way replication not restart ? If this is the correct behavior for my configuration or a bug. Can I configure openldap to always start refresh and persist? 2) Could some entries be out of sync now? If yes 2a) Can I use a tool to confirm these systems are in sync? "slapcat & diff" (better option) 2b) if one side is out of sync can i force one side to replicate over the other?

2 1

Re: syncrepl 2.4 issue from 2.3 master
by FRLinux 04 Nov '09

04 Nov '09

On Wed, Nov 4, 2009 at 4:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > 2.4.11? Seriously? You can't even replicate 2.3 to 2.4 with that old of a > release, and if it is Debian/Ubuntu based, there's been all sorts of fixes > to the GnuTLS support since then. Well, this is what Debian stable gives me. I usually have OpenLDAP on FreeBSD but unfortunately, we use Debian also for slave servers. This is a practical production choice. Now, moving to testing, i got OpenLDAP 2.4.17 and it does indeed try to negociate now, but still fails, thanks for your help: ldaptest:~# slapd -d 1 @(#) $OpenLDAP: slapd 2.4.17 (Jul 28 2009 11:07:38) $ @borges:/home/devel/openldap/build-area/openldap-2.4.17/debian/build/servers/slapd ldap_pvt_gethostbyname_a: host=ldaptest, r=0 daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 2 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008) bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=example,dc=com> <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> >>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com> <<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>, <cn=admin,dc=cp,dc=example,dc=com> >>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> <<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> /etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges. >>> dnNormalize: <> <<< dnNormalize: <> >>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> <<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> /etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges. >>> dnNormalize: <dc=example,dc=com> <<< dnNormalize: <dc=example,dc=com> >>> dnNormalize: <cn=ldaprep,dc=example,dc=com> <<< dnNormalize: <cn=ldaprep,dc=example,dc=com> syncrepl rid=124 searchbase="dc=example,dc=com": no retry defined, using default >>> dnNormalize: <cn=Subschema> <<< dnNormalize: <cn=subschema> matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 2.5.13.39 (certificateListMatch): 2.5.13.38 (certificateListExactMatch): matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) ) 2.5.13.35 (certificateMatch): 2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcDbChecksum $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex ) ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) ) 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) ) 1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) slapd startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open config_build_entry: "cn=config" config_build_entry: "cn=module{0}" config_build_entry: "cn=schema" config_build_entry: "cn={0}core" config_build_entry: "cn={1}cosine" config_build_entry: "cn={2}nis" config_build_entry: "cn={3}inetorgperson" config_build_entry: "olcDatabase={-1}frontend" config_build_entry: "olcDatabase={0}config" config_build_entry: "olcDatabase={1}bdb" backend_startup_one: starting "dc=example,dc=com" bdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap). slapd starting =>do_syncrepl rid=124 ldap_create ldap_url_parse_ext(ldaps://ldapmaster.cp.example.com:636) ldap_sasl_interactive_bind_s: user selected: GSSAPI ldap_int_sasl_bind: GSSAPI ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldapmaster.cp.example.com:636 ldap_new_socket: 14 ldap_prepare_socket: 14 ldap_connect_to_host: Trying 2001:770:60:1:214:5eff:fe0a:bec 636 ldap_pvt_connect: fd: 14 tm: -1 async: 0 ldap_int_sasl_open: host=ldapmaster.cp.example.com slap_client_connect: URI=ldaps://ldapmaster.example.com:636 ldap_sasl_interactive_bind_s failed (-6) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 14 ldap_free_connection: actually freed do_syncrepl: rid=124 rc -6 retrying ^Cdaemon: shutdown requested and initiated. slapd shutdown: waiting for 0 operations/tasks to finish slapd shutdown: initiated ====> bdb_cache_release_all slapd destroy: freeing system resources. syncinfo_free: rid=124

2 2

Re: syncrepl 2.4 issue from 2.3 master
by FRLinux 04 Nov '09

04 Nov '09

On Thu, Oct 29, 2009 at 3:11 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 29, 2009 1:09 AM +0000 FRLinux <frlinux(a)gmail.com> > wrote: > > >> So, am I right in the following assumption that syncrepl now only >> supports TLS instead of plain old SSL ? > > No, that assumption is not correct. There's something blocking your SSL > usage, but I don't have the details in your email to know why. Hello Quanah, please find my configuration file and the error with a : slapd -d 1 include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb database bdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw {MD5}pass_in_md5_format password-hash {CRYPT} password-crypt-salt-format "$1$%.8s" TLSCACertificateFile /etc/ldap/cert/cacert.pem directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30 access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=example,dc=com" write by * read syncrepl rid=124 \ provider=ldaps://masterldap.example.com:636 \ type=refreshAndPersist \ searchbase="dc=example,dc=com" \ scope=sub \ filter="(objectClass=*)" \ attrs="*" \ schemachecking=off \ tls_cacert=/etc/ldap/cert/cacert.pem \ saslmech=GSSAPI \ bindmethod=sasl \ binddn="cn=ldaprep,dc=example,dc=com" \ credentials=password ldaptest:/etc/ldap# slapd -d 1 @(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $ vorlon@borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd ldap_pvt_gethostbyname_a: host=ldaptest, r=0 daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: listener initialized ldap:/// daemon_init: 2 listeners opened ldap_create slapd init: initiated server. slap_sasl_init: initialized! bdb_back_initialize: initialize BDB backend bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003) bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=example,dc=com> <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> >>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com> <<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>, <cn=admin,dc=cp,dc=example,dc=com> >>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> <<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> /etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges. >>> dnNormalize: <> <<< dnNormalize: <> >>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> <<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com> /etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges. >>> dnNormalize: <dc=example,dc=com> <<< dnNormalize: <dc=example,dc=com> >>> dnNormalize: <cn=ldaprep,dc=example,dc=com> <<< dnNormalize: <cn=ldaprep,dc=example,dc=com> >>> dnNormalize: <cn=Subschema> <<< dnNormalize: <cn=subschema> matching_rule_use_init 1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) ) 2.5.13.35 (certificateMatch): 2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) 2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) 2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) ) 2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) 2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) 2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) 2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) ) 2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) ) 2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) 2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) ) 2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex ) ) 2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) 2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) 2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbIndex $ olcDbLockDetect $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) ) 2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) ) 2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbIndex $ olcDbLockDetect $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) ) 1.2.36.79672281.1.13.3 (rdnMatch): 2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) ) 2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) main: TLS init def ctx failed: 1 slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. Cheers, Steph

2 1

changes no longer replicated between the masters
by Kent Tong 04 Nov '09

04 Nov '09

Hi, I've set up two openldap servers (ldap1.cpttm and ldap2.cpttm) for multi-master replication. It seems to work fine initially. However, later on it seems the replication has stopped: I can add new entries or change attribute values on ldap1.cpttm but ldap2.cpttm won't see the changes. I confirmed that they are talking to each other with both tcpdump and syslog. The configuration and the trace level log is attached below. Any idea to further troubleshoot this issue? Thanks in advance for any hint! Both are running slapd 2.4.9-0ubuntu0. Configuration ============= dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=cpttm,dc=org,dc=mo olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by * read olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=admin,dc=cpttm,dc=org,dc=mo olcRootPW: {SSHA}<DELETED> olcSyncrepl: {0}rid=003 provider=ldaps://ldap1.cpttm binddn="cn=admin,dc=cpttm,dc=org,dc=mo" bindmethod=simple credentials=<DELETED> searchbase="dc=cpttm,dc=org,dc=mo" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=004 provider=ldaps://ldap2.cpttm binddn="cn=admin,dc=cpttm,dc=org,dc=mo" bindmethod=simple credentials=<DELETED> searchbase="dc=cpttm,dc=org,dc=mo" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE syslog ====== Nov 4 12:42:55 hoadms004 slapd[20835]: =>do_syncrep2 rid=003 Nov 4 12:42:55 hoadms004 slapd[20835]: connection_get(24): got connid=13594 Nov 4 12:42:55 hoadms004 slapd[20835]: connection_read(24): checking for input on id=13594 Nov 4 12:42:55 hoadms004 slapd[20835]: conn=13594 op=1 do_search Nov 4 12:42:55 hoadms004 slapd[20835]: >>> dnPrettyNormal: <dc=cpttm,dc=org,dc=mo> Nov 4 12:42:55 hoadms004 slapd[20835]: <<< dnPrettyNormal: <dc=cpttm,dc=org,dc=mo>, <dc=cpttm,dc=org,dc=mo> Nov 4 12:42:55 hoadms004 slapd[20835]: => get_ctrls Nov 4 12:42:55 hoadms004 slapd[20835]: => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical) Nov 4 12:42:55 hoadms004 slapd[20835]: <= get_ctrls: n=1 rc=0 err="" Nov 4 12:42:55 hoadms004 slapd[20835]: send_ldap_result: conn=13594 op=1 p=3 Nov 4 12:42:55 hoadms004 slapd[20835]: send_ldap_response: msgid=2 tag=101 err=0 Nov 4 12:42:55 hoadms004 slapd[20835]: connection_get(24): got connid=13594 Nov 4 12:42:55 hoadms004 slapd[20835]: connection_read(24): checking for input on id=13594 Nov 4 12:42:55 hoadms004 slapd[20835]: ber_get_next on fd 24 failed errno=0 (Success) Nov 4 12:42:55 hoadms004 slapd[20835]: connection_closing: readying conn=13594 sd=24 for close Nov 4 12:42:55 hoadms004 slapd[20835]: connection_close: deferring conn=13594 sd=24 Nov 4 12:42:55 hoadms004 slapd[20835]: conn=13594 op=2 do_unbind Nov 4 12:42:55 hoadms004 slapd[20835]: connection_resched: attempting closing conn=13594 sd=24 Nov 4 12:42:55 hoadms004 slapd[20835]: connection_close: conn=13594 sd=24 -- Kent Tong Useful news for software developers at http://www2.cpttm.org.mo/cyberlab/softdev/newsletter

2 1

cannot allocate 0 byte
by Edgar Fuß 04 Nov '09

04 Nov '09

Today, one of our OpenLDAP syncrepl consumers died (again) with "ch_malloc of 0 bytes failed". Are there any known issues in 2.4.15 leading to that? It's somewhat annoying since it's the replication out mail servers are using. The last lines before the server dies are: Nov 2 16:38:09 kinzig slapd[17902]: conn=570825 fd=215 closed (connection lost) Nov 2 16:38:12 kinzig slapd[17902]: do_syncrep2: cookie=rid=001,csn=20091102153812.781434Z#000000#000#000000 Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 be_search (0) Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 cn=<CENSORED> Nov 2 16:38:12 kinzig slapd[17902]: slap_queue_csn: queing 0xa296a00 20091102153812.781434Z#000000#000#000000 Nov 2 16:38:12 kinzig slapd[17902]: slap_graduate_commit_csn: removing 0x11ac34c0 20091102153812.781434Z#000000#000#000000 Nov 2 16:38:12 kinzig slapd[17902]: syncrepl_entry: rid=001 be_modrdn (0) Nov 2 16:38:12 kinzig slapd[17902]: slap_queue_csn: queing 0xa296a00 20091102153812.781434Z#000000#000#000000 Nov 2 16:38:12 kinzig slapd[17902]: ch_malloc of 0 bytes failed

3 2

Data access issue
by Vincent DEBOUT 03 Nov '09

03 Nov '09

Hi, I have an issue to get data from my LDAP server. With root account everything is fine: [vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "cn=Directory Manager,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=personnes,dc=morinie,dc=fr> with scope subtree # filter: uid=vincent # requesting: ALL # # vincent, personnes, morinie.fr dn: uid=vincent,ou=personnes,dc=morinie,dc=fr ... # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 But when I try with my own account, I get no result: [vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "uid=vincent,ou=personnes,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=personnes,dc=morinie,dc=fr> with scope subtree # filter: uid=vincent # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 Here is my access configuration file: # The root DIT should be accessible to all clients access to dn.exact="" by * read # So should the schema access to dn.subtree="cn=Subschema" by * read access to attr=userpassword by self write by anonymous auth by * none access to attr=x500uniqueIdentifier by self write by * none access to dn.one="ou=personnes, dc=morinie, dc=fr" by anonymous auth by self write by users write I don't understand why I can't get the data! Can you help me on this? Best regards, Vincent

6 7

Chain Overlay and SASL Proxy Auth with Multiple Referrals.
by Tim Stewart 02 Nov '09

02 Nov '09

Hello, I have three servers, A, B, and C. C has the master copy of all data. A is set to refer to B, and B will refer to C. I have properly configured SASL on all three systems. All use Kerberos and use their ldap service principal to authenticate. They are properly mapped to in-directory DNs via the authz-regexp directive. Also, I'm sure everything is working because the same SASL config is used for replication. I have configured the chain overlay on servers A and B to use SASL authentication and have chain-uris defined for B and C, respectively. - Scenario 1: A write request is issued to server B. The chain overlay follows the referral and binds using its SASL identity to server C. It then rebinds (allowed via authzTo in the dn for server B's identity) as the user making the request and successfully updates the database. Things work as expected. - Scenario 2: A write request is issued to server A. The chain overlay follows the referral and binds using its SASL identity to server B. It then rebinds (allowed via authzTo in the dn for server A's identity) as the user making the request. Server B's chain overlay then takes over to handle the referral to C. The chain overlay on server B binds to server C as its SASL identity, which succeeds. The overlay then attempts to rebind as *server A*, rather than the original user. This rebind fails as the authzTo in the dn for server B's identity only allows rebinding as normal users in my setup. The update fails. Even if server B's identity were allowed to rebind as server A, the update would fail because server A does not have the appropriate permissions. Regardless, server B should be rebinding as the original user. After some research I have found that this issue feels very similar to ITS#3526, ITS#4070, and ITS#5110. Is there anything I can do to force the second referral to rebind as the correct user? Here are the relevant sections of my configuration: ################################## # Server A overlay chain chain-tls start chain-max-depth 3 chain-uri "ldap://serverB.example.com" chain-idassert-bind bindmethod=sasl saslmech=gssapi mode=self ################################## # Server B overlay chain chain-tls start chain-max-depth 3 chain-uri "ldap://serverC.example.com" chain-idassert-bind bindmethod=sasl saslmech=gssapi mode=self Thanks you, -- -TimS Tim Stewart Stoo Research tim(a)stoo.org

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software November 2009