Openldap 2.4.15, TLS, SASL EXTERNAL and authzregexp = segfaults
by Mathieu MILLET
Hi everyone,
We have a configuration with 2 OpenLDAP servers in Multimaster Replication mode,
using TLS, client certificates and SASL EXTERNAL to secure the replication.
(Two sets of certificates are used to differentiate the replication of
cn=config and the data backend.)
It is working in 2.4.13 (on Red Hat Enterprise Linux 4.5 and Debian 5),
compiled from sources, with OpenSSL libs (not GnuTLS).
Being affected by ITS#5906 (slapo-rwm with back-config) and ITS#5843 (slapd
syncrepl MMR with deleted entries), I decided to try this new version in a
(test) environment.
With 2.4.15 (and also reproduced in 2.4.14), our configuration segfaults on
one of the two nodes a short time after the 1st replication.
When restarting the segfaulted node, the other one segfaults, and so on.
The segfault happens when just adding the syncrepl configuration for the
cn=config backend, but sometimes they stay alive long enough to enable the
syncrepl options for the data backend; then again, segfaults always
happen.
During some segfaults, I got some backtraces, which follow:
*** glibc detected *** /usr/local/libexec/slapd: realloc(): invalid pointer: 0xb6db9260 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb6ccf624]
/lib/i686/cmov/libc.so.6(realloc+0x242)[0xb6cd3c82]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6e224c5]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(CRYPTO_realloc+0xab)[0xb6e22c0b]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(BUF_MEM_grow+0x75)[0xb6e83415]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6ea95a4]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x14d)
Abandon
or
*** glibc detected *** /usr/local/libexec/slapd: realloc(): invalid pointer: 0xb6de4260 ***
======= Backtrace: =========
/lib/i686/cmov/libc.so.6[0xb6cfa624]
/lib/i686/cmov/libc.so.6(realloc+0x242)[0xb6cfec82]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6e4d4c5]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(CRYPTO_realloc+0xab)[0xb6e4dc0b]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(BUF_MEM_grow+0x75)[0xb6eae415]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6ed45a4]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x14d)[0xb6edbfbd]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6edc5b5]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x2f3)[0xb6edc163]
/usr/lib/i686/cmov/libcrypto.so.0.9.8[0xb6edc5b5]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_ex_i2d+0x2f3)[0xb6edc163]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(ASN1_item_i2d+0x53)[0xb6edc923]
/usr/lib/i686/cmov/libcrypto.so.0.9.8(i2d_X509+0x2e)[0xb6ed506e]
/usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_output_cert_chain+0x3d4)[0xb6f7b824]
/usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_send_client_certificate+0x142)[0xb6f721b2]
/usr/lib/i686/cmov/libssl.so.0.9.8(ssl3_connect+0xb3)[0xb6f759d3]
/usr/lib/i686/cmov/libssl.so.0.9.8(SSL_connect+0x2a)[0xb6f89c1a]
/us
Abandon
It definitely has something to do with TLS stuff.
After more testing, the ldap* clients also segfault when performing TLS and
SASL EXTERNAL with a client certificate.
Has anybody encountered this behaviour?
Thanks in advance for any help,
Sincerely yours, Mathieu MILLET.
******************* Startup config (of one node) **************
----------------
slapd.d/cn=config/olcDatabase={-1}frontend.ldif
----------------
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to * by self write by users read by anonymous auth
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 10002a99-3485-4805-a247-9e4ee777135d
creatorsName: cn=config
createTimestamp: 20090224192423Z
entryCSN: 20090224192423.202231Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090224192423Z
----------------
slapd.d/cn=config/olcDatabase={0}config.ldif
----------------
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcRootPW:: c2VjcmV0
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: fc35a505-ba8f-4bbf-828e-b061bb3aabba
creatorsName: cn=config
createTimestamp: 20090224192423Z
entryCSN: 20090224192423.202231Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090224192423Z
----------------
slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif
----------------
dn: olcOverlay={0}ppolicy
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=htam,dc=net
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
structuralObjectClass: olcPPolicyConfig
entryUUID: 8078dd1d-369e-4c62-9fdc-1ce6820482d8
creatorsName: cn=config
createTimestamp: 20090302125140Z
entryCSN: 20090302125140.681319Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302125140Z
----------------
slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={1}memberof.ldif
----------------
dn: olcOverlay={1}memberof
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {1}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOf
entryUUID: b0a0abdd-77ef-47f6-a1e1-52637e30ebcc
creatorsName: cn=config
createTimestamp: 20090302125140Z
entryCSN: 20090302125140.683800Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302125140Z
----------------
slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={2}refint.ldif
----------------
dn: olcOverlay={2}refint
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: uniqueMember
olcRefintNothing: cn=Manager,dc=htam,dc=net
structuralObjectClass: olcRefintConfig
entryUUID: 13d0a0a0-8284-447c-9d49-426e37692f57
creatorsName: cn=config
createTimestamp: 20090302125140Z
entryCSN: 20090302125140.685440Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302125140Z
----------------
slapd.d/cn=config/cn=module{0}.ldif
----------------
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: {0}memberof.la
olcModuleLoad: {1}ppolicy.la
olcModuleLoad: {2}refint.la
olcModuleLoad: {3}retcode.la
olcModuleLoad: {4}rwm.la
olcModuleLoad: {5}syncprov.la
olcModuleLoad: {6}unique.la
olcModuleLoad: {7}back_monitor.la
olcModuleLoad: {8}back_hdb.la
olcModuleLoad: {9}back_relay.la
structuralObjectClass: olcModuleList
entryUUID: 353f4a38-3a12-446f-9176-570021c59341
creatorsName: cn=config
createTimestamp: 20090224192423Z
entryCSN: 20090224192423.202231Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090224192423Z
----------------
slapd.d/cn=config/olcDatabase={2}hdb.ldif
----------------
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /usr/local/var/openldap-data/
olcSuffix: dc=htam,dc=net
olcAccess: {0}to attrs=userPassword by
  group/groupOfUniqueNames/uniqueMember="cn=ldapadmins,ou=groups,dc=htam,dc=net"
  write by dn.subtree="ou=replicators,dc=htam,dc=net" read by
  dn.subtree="ou=computers,dc=htam,dc=net" auth by self =xwd by anonymous auth
olcAccess: {1}to
  attrs=entry,objectClass,uid,uidNumber,gidNumber,loginShell,cn,gecos,description,homeDirectory
  by group/groupOfUniqueNames/uniqueMember="cn=ldapadmins,ou=groups,dc=htam,dc=net"
  write by dn.subtree="ou=replicators,dc=htam,dc=net" read by
  dn.subtree="ou=computers,dc=htam,dc=net" read by self read
olcAccess: {2}to attrs=uniqueMember by
  group/groupOfUniqueNames/uniqueMember="cn=ldapadmins,ou=groups,dc=htam,dc=net"
  write by dn.subtree="ou=replicators,dc=htam,dc=net" read by
  dn.subtree="ou=computers,dc=htam,dc=net" read
olcAccess: {3}to * by
  group/groupOfUniqueNames/uniqueMember="cn=ldapadmins,ou=groups,dc=htam,dc=net"
  write by dn.subtree="ou=replicators,dc=htam,dc=net" read by self read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=htam,dc=net
olcRootPW:: c2VjcmV0
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbConfig: {0}set_cachesize 0 268435456 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenname pres,eq,sub
olcDbIndex: uniqueMember pres,eq
olcDbIndex: memberUid pres,eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: ipServicePort eq
olcDbIndex: ipServiceProtocol eq
olcDbIndex: oncRpcNumber eq
olcDbIndex: ipProtocolNumber eq
structuralObjectClass: olcHdbConfig
entryUUID: 9f1eb1ca-a001-46db-aa58-4fc7897c64cc
creatorsName: cn=config
createTimestamp: 20090302125140Z
entryCSN: 20090302125140.183122Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302125140Z
----------------
slapd.d/cn=config/olcDatabase={1}monitor.ldif
----------------
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="cn=Manager,dc=htam,dc=net" read by * none
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 6d366d19-e3ce-417b-a0b6-fd41bc690d83
creatorsName: cn=config
createTimestamp: 20090302125140Z
entryCSN: 20090302125140.118423Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302125140Z
----------------
slapd.d/cn=config.ldif
----------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: slapd.conf.start
olcConfigDir: slapd.d.start
olcArgsFile: /usr/local/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcLogLevel: Packets
olcLogLevel: Config
olcLogLevel: Stats
olcLogLevel: Sync
olcPidFile: /usr/local/var/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 1 ldap://vmlinux01/
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /usr/local/etc/openldap/cacerts/cacert.pem
olcTLSCertificateFile: /usr/local/etc/openldap/slapd.cert.pem
olcTLSCertificateKeyFile: /usr/local/etc/openldap/slapd.key.pem
olcTLSCipherSuite: HIGH:MEDIUM
olcTLSCRLCheck: none
olcTLSVerifyClient: try
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 67b85bb6-58a2-4c6e-abd5-2bf7ce077d69
creatorsName: cn=config
createTimestamp: 20090224192423Z
entryCSN: 20090302142216.165509Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20090302142216Z
******************* LDIF for activating syncrepl on cn=config **************
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 "ldap://vmlinux01"
olcServerID: 2 "ldap://vmlinux02"
-
add: olcAuthzRegexp
olcAuthzRegexp: "cn=.*_repl_config,o=Htam.net Inc.,c=fr" "cn=config"

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001
  provider="ldap://vmlinux01"
  bindmethod=sasl
  saslmech="EXTERNAL"
  searchbase="cn=config"
  type=refreshAndPersist
  starttls=critical
  retry="5 5 60 +"
  timeout=1
  tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem
  tls_cert=/usr/local/etc/openldap/slapd_repl_config.cert.pem
  tls_key=/usr/local/etc/openldap/slapd_repl_config.key.pem
olcSyncRepl: rid=002
  provider="ldap://vmlinux02"
  bindmethod=sasl
  saslmech="EXTERNAL"
  searchbase="cn=config"
  type=refreshAndPersist
  starttls=critical
  retry="5 5 60 +"
  timeout=1
  tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem
  tls_cert=/usr/local/etc/openldap/slapd_repl_config.cert.pem
  tls_key=/usr/local/etc/openldap/slapd_repl_config.key.pem
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcLimits
olcLimits: dn="cn=config" size=unlimited time=unlimited
******************* LDIF for activating syncrepl on data backend **************
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "cn=.*_replicator,o=Htam.net Inc.,c=FR"
  cn=Replicator,ou=replicators,dc=htam,dc=net

dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.subtree="ou=replicators,dc=htam,dc=net" size=unlimited
  time=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=201
  provider="ldap://vmlinux01"
  bindmethod=sasl
  saslmech="EXTERNAL"
  searchbase="dc=htam,dc=net"
  type=refreshOnly
  interval=00:00:00:10
  retry="5 5 300 +"
  timeout=1
  starttls=critical
  tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem
  tls_cert=/usr/local/etc/openldap/slapd_replicator.cert
  tls_key=/usr/local/etc/openldap/slapd_replicator.key
olcSyncRepl: rid=202
  provider="ldap://vmlinux02"
  bindmethod=sasl
  saslmech="EXTERNAL"
  searchbase="dc=htam,dc=net"
  type=refreshOnly
  interval=00:00:00:10
  retry="5 5 300 +"
  timeout=1
  starttls=critical
  tls_cacert=/usr/local/etc/openldap/cacerts/cacert.pem
  tls_cert=/usr/local/etc/openldap/slapd_replicator.cert
  tls_key=/usr/local/etc/openldap/slapd_replicator.key
-
add: olcMirrorMode
olcMirrorMode: TRUE
--
Mathieu MILLET
mailto:ldap@htam.net
----
14 years, 9 months
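As an added example (not from the post and not OpenLDAP's own code), a small Python reviewer for the identity mapping the post relies on: it parses slapd.d LDIF (folded lines, `::` base64 values), extracts the olcAuthzRegexp rules, shows which LDAP identity a given certificate subject DN would receive under SASL EXTERNAL, and lists the rules that hand out the config root. The sample LDIF is constructed from the post's two rules; treating slapd's regexec() as an unanchored, case-insensitive search is an assumption, not a statement of slapd's exact semantics.

```python
import base64
import re
import shlex

# Constructed slapd.d sample: the post's two olcAuthzRegexp rules (one stored
# base64 '::'-encoded) plus one ACL folded onto a ' '-continuation line.
_RULE1 = ('{1}"cn=.*_replicator,o=Htam.net Inc.,c=FR" '
          'cn=Replicator,ou=replicators,dc=htam,dc=net')
SAMPLE_LDIF = (
    "dn: cn=config\nobjectClass: olcGlobal\n"
    'olcAuthzRegexp: {0}"cn=.*_repl_config,o=Htam.net Inc.,c=fr" "cn=config"\n'
    "olcAuthzRegexp:: " + base64.b64encode(_RULE1.encode()).decode() + "\n"
    'olcAccess: {0}to attrs=userPassword by dn.subtree="ou=replicators,dc=htam\n'
    ' ,dc=net" read by self =xwd by anonymous auth\n'
)

def parse_ldif(text):
    """Entries as (attribute, value) lists; folds continuations, decodes '::' base64."""
    entries, entry, raw = [], [], []
    def commit():
        line = "".join(raw)
        raw.clear()
        if not line or line.startswith("#") or line == "-":
            return
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.append((attr, value.strip()))

    for line in text.splitlines():
        if line.startswith(" "):             # folded continuation line
            raw.append(line[1:])
            continue
        commit()
        if line:
            raw.append(line)
        elif entry:                          # blank line ends the entry
            entries.append(entry)
            entry = []
    commit()
    return entries + [entry] if entry else entries

def authz_rules(entries):
    """(regex, replacement) pairs from olcAuthzRegexp, {n} prefix and quotes stripped."""
    return [tuple(shlex.split(re.sub(r"^\{\d+\}", "", v)))
            for e in entries for a, v in e if a.lower() == "olcauthzregexp"]

def map_identity(rules, authc_dn):
    """First matching rule's replacement for an authentication DN (assumes slapd's
    regexec() is an unanchored, case-insensitive search; $1..$9 expand groups)."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None

def privileged_rules(rules, root_dns=("cn=config",)):
    # Rules that hand a root identity to any CA-issued certificate matching the regex.
    roots = {d.lower() for d in root_dns}
    return [p for p, r in rules if r.lower() in roots]
```

Feeding `map_identity` every subject CN the CA has actually issued shows whether anything other than the intended replication certificates lands on the cn=config rule.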
OpenLDAP 2.4.11-1 w/Mirrormode + 2 consumers
by Manuel Molina Cuberos
Hello all!
I've migrated our LDAP infrastructure from 2.3.x to 2.4.11-1. We're
using Debian.
We used to have a master (balanced between two physical machines with
keepalived and two scripts, active/passive mode, both accessing the data
via NFS) with two replicas, and now I'm trying to evolve this configuration.
First, I configured one server as the provider and the two former slaves
as consumers, with syncrepl and delta-sync. That worked fine.
Now I'm in the second stage, in which I want to have two machines acting
in Mirrormode, with only one of them at a time having the VIP on its
interface. I want to configure that VIP as the provider IP on the two
machines that act as consumers (and support the big load of queries).
In theory this is possible (I thought so, please correct me otherwise),
but when I modified the configuration of the two servers that act as
Mirrormode providers, they don't propagate anything to each other.
Here's the configuration of the two Mirrormode servers:
Server number 1:
----------------------
serverID 1
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Other includes here ...
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb.la
moduleload accesslog.la
moduleload syncprov.la
sizelimit 500
tool-threads 2
backend bdb
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_flags DB_LOG_AUTOREMOVE
limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited
# Main database
database bdb
suffix "o=dmstk"
rootdn "cn=admusr,ou=users,ou=administrative,o=dmstk"
rootpw XXXXX
directory "/var/lib/ldap/dmstk"
dbconfig set_cachesize 0 6291456 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_flags DB_LOG_AUTOREMOVE
index objectClass,entryCSN,entryUUID,reqEnd,reqResult,reqStart eq
index mailID pres,eq,sub
index mailAlternateAddress pres,eq,sub
index mailStatus eq
index mailForwardingAddress eq
index hostingID pres,eq,sub
index ou eq
index uid eq
index mailServices sub
index DNSzonename eq
index mail pres,eq
lastmod on
checkpoint 512 30
overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 100
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited
syncrepl rid=1
    provider=ldap://server_two
    bindmethod=simple
    binddn="cn=admusr,ou=users,ou=administrative,o=dmstk"
    credentials=ytslapd
    searchbase="o=dmstk"
    schemachecking=on
    type=refreshAndPersist
    interval=00:00:00:01
    retry="60 +"
mirrormode on
access to *
by dn.base="cn=admusr,ou=users,ou=administrative,o=dmstk" read
by * break
# Other ACLs here ...
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to dn.base="" by * read
8<---8<---8<---8<---8<---8<---
Server number 2:
----------------------
serverID 2
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Other includes here ...
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb.la
moduleload accesslog.la
moduleload syncprov.la
sizelimit 500
tool-threads 2
backend bdb
database bdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_flags DB_LOG_AUTOREMOVE
limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited
# Main database
database bdb
suffix "o=dmstk"
rootdn "cn=admusr,ou=users,ou=administrative,o=dmstk"
rootpw XXXXX
directory "/var/lib/ldap/dmstk"
dbconfig set_cachesize 0 6291456 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_flags DB_LOG_AUTOREMOVE
index objectClass,entryCSN,entryUUID,reqEnd,reqResult,reqStart eq
index mailID pres,eq,sub
index mailAlternateAddress pres,eq,sub
index mailStatus eq
index mailForwardingAddress eq
index hostingID pres,eq,sub
index ou eq
index uid eq
index mailServices sub
index DNSzonename eq
index mail pres,eq
lastmod on
checkpoint 512 30
overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 100
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
limits dn.exact="cn=admusr,ou=users,ou=administrative,o=dmstk"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited
syncrepl rid=1
    provider=ldap://server_one
    bindmethod=simple
    binddn="cn=admusr,ou=users,ou=administrative,o=dmstk"
    credentials=ytslapd
    searchbase="o=dmstk"
    schemachecking=on
    type=refreshAndPersist
    interval=00:00:00:01
    retry="60 +"
mirrormode on
access to *
by dn.base="cn=admusr,ou=users,ou=administrative,o=dmstk" read
by * break
# Other ACLs here ...
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to dn.base="" by * read
8<---8<---8<---8<---8<---8<---
Any hints / ideas?
Thanks in advance,
14 years, 9 months
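An added example, not part of the post: the first thing to compare on two MirrorMode providers that appear not to propagate is the contextCSN of the suffix entry, which carries one value per serverID. This Python snippet parses the CSN layout seen in this thread from constructed ldapsearch output (assumed to come from a base-scope search for contextCSN on each server) and reports, per serverID, how far one provider lags the other.

```python
import re
from datetime import datetime

# Constructed ldapsearch output (suffix entry, contextCSN only) from each
# mirror. CSN layout as seen in the thread: time.usec Z # count # sid # mod.
SERVER_ONE = """\
dn: o=dmstk
contextCSN: 20090302125140.118423Z#000000#001#000000
contextCSN: 20090302125139.900000Z#000000#002#000000
"""
SERVER_TWO = """\
dn: o=dmstk
contextCSN: 20090302125140.118423Z#000000#001#000000
contextCSN: 20090302125212.400120Z#000000#002#000000
"""

CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

def parse_csn(csn):
    """Split a CSN into (sid, timestamp, count, modifier); hex fields -> int."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    stamp, usec, count, sid, mod = m.groups()
    when = datetime.strptime(stamp + usec, "%Y%m%d%H%M%S%f")
    return int(sid, 16), when, int(count, 16), int(mod, 16)

def context_csns(ldif_text):
    """serverID -> newest contextCSN timestamp found in an ldapsearch dump."""
    latest = {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "contextcsn":
            sid, when, _, _ = parse_csn(value.strip())
            latest[sid] = max(when, latest.get(sid, when))
    return latest

def compare_mirrors(a, b):
    """Per-serverID divergence between two providers: {} when converged,
    else sid -> seconds b is ahead of a (None if only one side knows the sid)."""
    diffs = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            diffs[sid] = None
        elif a[sid] != b[sid]:
            diffs[sid] = (b[sid] - a[sid]).total_seconds()
    return diffs
```

A non-empty result that never shrinks between two runs means the provider with the older value is not receiving the other's changes, which is where to start looking in the syncrepl logs.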