openldap-software March 2009

openldap-software@openldap.org

56 participants
62 discussions

Openldap 2.4.15, TLS, SASL EXTERNAL and authzregexp = segfaults
by Mathieu MILLET 02 Mar '09

02 Mar '09

Hi everyone, We have a configuration with 2 Openldap in Multimaster Replication mode, using TLS, client certificate and SASL EXTERNAL to secure the replication. (Two sets of certificate are used to differentiate the replication of cn=config and the data backend) It is working in 2.4.13 (on Red Hat Entreprise Linux 4.5 and Debian 5), compiled from sources, with openssl libs (not gnutls). Being affected by ITS#5906 (slapo-rwm with back-config) and ITS#5843 (slapd syncrepl MMR with deleted entries), I decided to try on a (test) environment this new version. With 2.4.15 (and also reproduced in 2.4.14), our configuration segfaults on one of the two nodes at a short period of time after the 1st replication. When restarting the segfaulted node, the other segfaults and so on. The segfault happens when just adding the syncrepl configuration for the cn=config backend, but some times they are alive long enough to enable syncrepl options for the databackend, but then again, segfaults always happen. During some segfaults, I got some backtraces that follow : *** glibc detected *** /usr/local/libexec/slapd: realloc(): invalid pointer: 0xb6db9260 *** ======= Backtrace: ========= /lib/i686/cmov/libc.so.6[0xb6ccf624] /lib/i686/cmov/libc.so.6(realloc+0x242)[0xb6cd3c82] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6e224c5] /usr/lib/i686/cmov/libcrypto.so.0.9.8(CRYPTO_realloc+0xab)[0xb6e22c0b] /usr/lib/i686/cmov/libcrypto.so.0.9.8(BUF_MEM_grow+0x75)[0xb6e83415] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6ea95a4] /usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x14d)Abandon or *** glibc detected *** /usr/local/libexec/slapd: realloc(): invalid pointer: 0xb6de4260 *** ======= Backtrace: ========= /lib/i686/cmov/libc.so.6[0xb6cfa624] /lib/i686/cmov/libc.so.6(realloc+0x242)[0xb6cfec82] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6e4d4c5] /usr/lib/i686/cmov/libcrypto.so.0.9.8(CRYPTO_realloc+0xab)[0xb6e4dc0b] /usr/lib/i686/cmov/libcrypto.so.0.9.8(BUF_MEM_grow+0x75)[0xb6eae415] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6ed45a4] /usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x14d)[0xb6edbfbd] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6edc5b5] /usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x2f3)[0xb6edc163] /usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6edc5b5] /usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x2f3)[0xb6edc163] /usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_i2d+0x53)[0xb6edc923] /usr/lib/i686/cmov/libcrypto.so.0.9.8(i2d_X509+0x2e)[0xb6ed506e] /usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_output_cert_chain+0x3d4)[0xb6f7b824] /usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_send_client_certificate+0x142)[0xb6f721b2] /usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_connect+0xb3)[0xb6f759d3] /usr/lib/i686/cmov/libssl.so.0.9.8(SSL_connect+0x2a)[0xb6f89c1a] /usAbandon It definitely has something to do with TLS stuff. After more testing, the ldap* clients also segfault when performing TLS and SASL External with Client Certificate. Has anybody encounter this behaviour ? Thanks in advance for any help, Sincerely yours, Mathieu MILLET. ******************* Startup config (of one node) ************** ---------------- slapd.d/cn=config/olcDatabase={-1}frontend.ldif ---------------- dn: olcDatabase={-1}frontend objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to dn.base="" by * read olcAccess: {1}to dn.base="cn=subschema" by * read olcAccess: {2}to * by self write by users read by anonymous auth olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig entryUUID: 10002a99-3485-4805-a247-9e4ee777135d creatorsName: cn=config createTimestamp: 20090224192423Z entryCSN: 20090224192423.202231Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20090224192423Z ---------------- slapd.d/cn=config/olcDatabase={0}config.ldif ---------------- dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by * none olcAddContentAcl: TRUE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=config olcRootPW:: c2VjcmV0 olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig entryUUID: fc35a505-ba8f-4bbf-828e-b061bb3aabba creatorsName: cn=config createTimestamp: 20090224192423Z entryCSN: 20090224192423.202231Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20090224192423Z ---------------- slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif ---------------- dn: olcOverlay={0}ppolicy objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=policies,dc=htam,dc=net olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE structuralObjectClass: olcPPolicyConfig entryUUID: 8078dd1d-369e-4c62-9fdc-1ce6820482d8 creatorsName: cn=config createTimestamp: 20090302125140Z entryCSN: 20090302125140.681319Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302125140Z ---------------- slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={1}memberof.ldif ---------------- dn: olcOverlay={1}memberof objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {1}memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfUniqueNames olcMemberOfMemberAD: uniqueMember olcMemberOfMemberOfAD: memberOf structuralObjectClass: olcMemberOf entryUUID: b0a0abdd-77ef-47f6-a1e1-52637e30ebcc creatorsName: cn=config createTimestamp: 20090302125140Z entryCSN: 20090302125140.683800Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302125140Z ---------------- slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={2}refint.ldif ---------------- dn: olcOverlay={2}refint objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {2}refint olcRefintAttribute: uniqueMember olcRefintNothing: cn=Manager,dc=htam,dc=net structuralObjectClass: olcRefintConfig entryUUID: 13d0a0a0-8284-447c-9d49-426e37692f57 creatorsName: cn=config createTimestamp: 20090302125140Z entryCSN: 20090302125140.685440Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302125140Z ---------------- slapd.d/cn=config/cn=module{0}.ldif ---------------- dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}memberof.la olcModuleLoad: {1}ppolicy.la olcModuleLoad: {2}refint.la olcModuleLoad: {3}retcode.la olcModuleLoad: {4}rwm.la olcModuleLoad: {5}syncprov.la olcModuleLoad: {6}unique.la olcModuleLoad: {7}back_monitor.la olcModuleLoad: {8}back_hdb.la olcModuleLoad: {9}back_relay.la structuralObjectClass: olcModuleList entryUUID: 353f4a38-3a12-446f-9176-570021c59341 creatorsName: cn=config createTimestamp: 20090224192423Z entryCSN: 20090224192423.202231Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090224192423Z ---------------- slapd.d/cn=config/olcDatabase={2}hdb.ldif ---------------- dn: olcDatabase={2}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /usr/local/var/openldap-data/ olcSuffix: dc=htam,dc=net olcAccess: {0}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember=" cn=ldapadmins,ou=groups,dc=htam,dc=net" write by dn.subtree="ou=replicators,d c=htam,dc=net" read by dn.subtree="ou=computers,dc=htam,dc=net" auth by self =xwd by anonymous auth olcAccess: {1}to attrs=entry,objectClass,uid,uidNumber,gidNumber,loginShell,cn ,gecos,description,homeDirectory by group/groupOfUniqueNames/uniqueMember="cn =ldapadmins,ou=groups,dc=htam,dc=net" write by dn.subtree="ou=replicators,dc= htam,dc=net" read by dn.subtree="ou=computers,dc=htam,dc=net" read by self re ad olcAccess:: ezJ9dG8gYXR0cnM9dW5pcXVlTWVtYmVyIGJ5IGdyb3VwL2dyb3VwT2ZVbmlxdWVOYW 1lcy91bmlxdWVNZW1iZXI9ImNuPWxkYXBhZG1pbnMsb3U9Z3JvdXBzLGRjPWh0YW0sZGM9bmV0IiB 3cml0ZSBieSBkbi5zdWJ0cmVlPSJvdT1yZXBsaWNhdG9ycyxkYz1odGFtLGRjPW5ldCIgcmVhZCBi eSBkbi5zdWJ0cmVlPSJvdT1jb21wdXRlcnMsZGM9aHRhbSxkYz1uZXQiIHJlYWQg olcAccess: {3}to * by group/groupOfUniqueNames/uniqueMember="cn=ldapadmins,ou= groups,dc=htam,dc=net" write by dn.subtree="ou=replicators,dc=htam,dc=net" re ad by self read olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=Manager,dc=htam,dc=net olcRootPW:: c2VjcmV0 olcMonitoring: TRUE olcDbCacheSize: 1000 olcDbConfig: {0}set_cachesize 0 268435456 1 olcDbConfig: {1}set_lg_regionmax 262144 olcDbConfig: {2}set_lg_bsize 2097152 olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE olcDbIndex: objectClass eq olcDbIndex: uid pres,eq olcDbIndex: cn pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: givenname pres,eq,sub olcDbIndex: uniqueMember pres,eq olcDbIndex: memberUid pres,eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbIndex: ipServicePort eq olcDbIndex: ipServiceProtocol eq olcDbIndex: oncRpcNumber eq olcDbIndex: ipProtocolNumber eq structuralObjectClass: olcHdbConfig entryUUID: 9f1eb1ca-a001-46db-aa58-4fc7897c64cc creatorsName: cn=config createTimestamp: 20090302125140Z entryCSN: 20090302125140.183122Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302125140Z ---------------- slapd.d/cn=config/olcDatabase={1}monitor.ldif ---------------- dn: olcDatabase={1}monitor objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to * by dn.base="cn=Manager,dc=htam,dc=net" read by * none olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig entryUUID: 6d366d19-e3ce-417b-a0b6-fd41bc690d83 creatorsName: cn=config createTimestamp: 20090302125140Z entryCSN: 20090302125140.118423Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302125140Z ---------------- slapd.d/cn=config.ldif ---------------- dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf.start olcConfigDir: slapd.d.start olcArgsFile: /usr/local/var/run/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: Packets olcLogLevel: Config olcLogLevel: Stats olcLogLevel: Sync olcPidFile: /usr/local/var/run/slapd.pid olcReadOnly: FALSE olcSaslSecProps: noplain,noanonymous olcServerID: 1 ldap://vmlinux01/ olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /usr/local/etc/openldap/cacerts/cacert.pem olcTLSCertificateFile: /usr/local/etc/openldap/slapd.cert.pem olcTLSCertificateKeyFile: /usr/local/etc/openldap/slapd.key.pem olcTLSCipherSuite: HIGH:MEDIUM olcTLSCRLCheck: none olcTLSVerifyClient: try olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 67b85bb6-58a2-4c6e-abd5-2bf7ce077d69 creatorsName: cn=config createTimestamp: 20090224192423Z entryCSN: 20090302142216.165509Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20090302142216Z ******************* LDIF for activating syncrepl on cn=config ************** dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 "ldap://vmlinux01" olcServerID: 2 "ldap://vmlinux02" - add: olcAuthzRegexp olcAuthzRegexp: "cn=.*_repl_config,o=Htam.net Inc.,c=fr" "cn=config" dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify replace: olcSyncRepl olcSyncRepl: rid=001 provider="ldap://vmlinux01" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=1 tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem tls_cert=/usr/local/etc/openldap/slapd_repl_config.cert.pem tls_key=/usr/local/etc/openldap/slapd_repl_config.key.pem olcSyncRepl: rid=002 provider="ldap://vmlinux02" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=1 tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem tls_cert=/usr/local/etc/openldap/slapd_repl_config.cert.pem tls_key=/usr/local/etc/openldap/slapd_repl_config.key.pem - add: olcMirrorMode olcMirrorMode: TRUE - add: olcLimits olcLimits: dn="cn=config" size=unlimited time=unlimited ******************* LDIF for activating syncrepl on data backend ************** dn: cn=config changetype: modify add: olcAuthzRegexp olcAuthzRegexp: "cn=.*_replicator,o=Htam.net Inc.,c=FR" cn=Replicator,ou=replicators,dc=htam,dc=net dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcLimits olcLimits: dn.subtree="ou=replicators,dc=htam,dc=net" size=unlimited time=unlimited - add: olcSyncRepl olcSyncRepl: rid=201 provider="ldap://vmlinux01" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=htam,dc=net" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1 starttls=critical tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem tls_cert=/usr/local/etc/openldap/slapd_replicator.cert tls_key=/usr/local/etc/openldap/slapd_replicator.key olcSyncRepl: rid=202 provider="ldap://vmlinux02" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=htam,dc=net" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1 starttls=critical tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem tls_cert=/usr/local/etc/openldap/slapd_replicator.cert tls_key=/usr/local/etc/openldap/slapd_replicator.key - add: olcMirrorMode olcMirrorMode: TRUE -- Mathieu MILLET mailto:ldap@htam.net ----

2 1

OpenLDAP 2.4.11-1 w/Mirrormode + 2 consumers
by Manuel Molina Cuberos 02 Mar '09

02 Mar '09

Hello all! I've migrated our LDAP infrastructure from 2.3.x to 2.4.11-1. We're using Debian. We use to have a master (balanced between two physical machines with keepalived and two scripts, active/passive mode, both accessing the data via NFS) with two replicas, and now I'm trying to evolve this configuration. First, I configured one server as the provider and the two former slaves as consumers, with syncrepl and delta-sync. That worked fine. Now I'm in the second stage, in which I want to have two machines acting in Mirrormode, with only one of them at a time with the VIP in his interface. I want to configure that VIP as the provider IP in the two machines that acts as consumers (and supports the big load of querys). In theory this is possible (I thought so, please correct me otherwise), but when I've modified the configuration of the two servers that acts as Mirrormode providers, they don't propagate anything to each other. Here's the configuration of the two Mirromode servers: Server number 1: ---------------------- serverID 1 allow bind_v2 include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Other includes here ... pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb.la moduleload accesslog.la moduleload syncprov.la sizelimit 500 tool-threads 2 backend bdb database bdb suffix cn=accesslog directory /var/lib/ldap/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_flags DB_LOG_AUTOREMOVE limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # Main database database bdb suffix "o=dmstk" rootdn "cn=admusr,ou=users,ou=administrative,o=dmstk" rootpw XXXXX directory "/var/lib/ldap/dmstk" dbconfig set_cachesize 0 6291456 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_flags DB_LOG_AUTOREMOVE index objectClass,entryCSN,entryUUID,reqEnd,reqResult,reqStart eq index mailID pres,eq,sub index mailAlternateAddress pres,eq,sub index mailStatus eq index mailForwardingAddress eq index hostingID pres,eq,sub index ou eq index uid eq index mailServices sub index DNSzonename eq index mail pres,eq lastmod on checkpoint 512 30 overlay syncprov syncprov-checkpoint 1000 60 syncprov-sessionlog 100 overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 07+00:00 01+00:00 limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited syncrepl rid=1 provider=ldap://server_two bindmethod=simple binddn="cn=admusr,ou=users,ou=administrative,o=dmstk" credentials=ytslapd searchbase="o=dmstk" schemachecking=on type=refreshAndPersist interval=00:00:00:01 retry="60 +" mirrormode on access to * by dn.base="cn=admusr,ou=users,ou=administrative,o=dmstk" read by * break # Other ACLs here ... access to attrs=userPassword by anonymous auth by self write by * none access to dn.base="" by * read 8<---8<---8<---8<---8<---8<--- Server number 2: ---------------------- serverID 2 allow bind_v2 include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Other includes here ... pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb.la moduleload accesslog.la moduleload syncprov.la sizelimit 500 tool-threads 2 backend bdb database bdb suffix cn=accesslog directory /var/lib/ldap/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_flags DB_LOG_AUTOREMOVE limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # Main database database bdb suffix "o=dmstk" rootdn "cn=admusr,ou=users,ou=administrative,o=dmstk" rootpw XXXXX directory "/var/lib/ldap/dmstk" dbconfig set_cachesize 0 6291456 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_flags DB_LOG_AUTOREMOVE index objectClass,entryCSN,entryUUID,reqEnd,reqResult,reqStart eq index mailID pres,eq,sub index mailAlternateAddress pres,eq,sub index mailStatus eq index mailForwardingAddress eq index hostingID pres,eq,sub index ou eq index uid eq index mailServices sub index DNSzonename eq index mail pres,eq lastmod on checkpoint 512 30 overlay syncprov syncprov-checkpoint 1000 60 syncprov-sessionlog 100 overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 07+00:00 01+00:00 limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited syncrepl rid=1 provider=ldap://server_one bindmethod=simple binddn="cn=admusr,ou=users,ou=administrative,o=dmstk" credentials=ytslapd searchbase="o=dmstk" schemachecking=on type=refreshAndPersist interval=00:00:00:01 retry="60 +" mirrormode on access to * by dn.base="cn=admusr,ou=users,ou=administrative,o=dmstk" read by * break # Other ACLs here ... access to attrs=userPassword by anonymous auth by self write by * none access to dn.base="" by * read 8<---8<---8<---8<---8<---8<--- Any hints / ideas ? Thanks in advance,

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2009