Hello, My master is a freebsd 7.2 server running 2.3.38 at the moment. I am trying to get the replication going to a 2.4 server. Using the same configuration file, it is able to replicate to another 2.3 server without a hitch so I am guessing I am doing something foolish. I understand ACLs have changed between the 2 versions but cannot see my mistake. This is the configuration from my 2.3 master:
include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/courier.schema include /usr/local/etc/openldap/schema/ISPEnv2.schema include /usr/local/etc/openldap/schema/amavis.schema include /usr/local/etc/openldap/schema/samba.schema include /usr/local/etc/openldap/schema/freeradius.schema include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals.
referral ldaps://masterldap.example.com
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_bdb # moduleload back_ldap # moduleload back_ldbm # moduleload back_passwd # moduleload back_shell
backend bdb
# security restrictions
access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn.base="cn=Administrator,dc=example,dc=com" write by dn.base="cn=ldaprep,dc=example,dc=com" read by dn.base="cn=samba,ou=specialusers,dc=example,dc=com" write by anonymous auth by self write
#following sections seperated so that we can specify other groups later that can manage specific services
#who can alter users? access to dn.one="ou=people,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
#who can make users? access to dn.base="ou=people,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
#ensure users don't screw up things they shouldn't be allowed play with. access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
#ensure mail users dont screw up their own settings access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
#manage mail settings access to dn.base="ou=aliases,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.one="ou=aliases,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=mailscripts,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=domains,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.one="ou=domains,dc=example,dc=com" by dn.base="cn=Administrator,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="" by * read
#control of who gets to make acls and who can alter acls not specified above access to dn.children="ou=acldomain,dc=example,dc=com" by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by dn.base="cn=Administrator,dc=example,dc=com" write by * read
access to * by dn.base="cn=Administrator,dc=example,dc=com" write by self write by users read by anonymous read
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "dc=example,dc=com" rootdn "cn=Administrator,dc=example,dc=com" rootpw {MD5}xxxxxxxxxxxxxxxxx password-hash {CRYPT} password-crypt-salt-format "$1$%.8s" directory /var/db/openldap-data
TLSCACertificateFile /usr/local/etc/openldap/cert/cacert.pem TLSCertificateFile /usr/local/etc/openldap/cert/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/cert/serverkey.pem
overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100
directory /var/db/openldap-data
# Indices to maintain index cn eq index objectClass eq,pres index uid,uidNumber,gidNumber,memberUid eq,pres index mail eq index entryUUID eq
Now onto my LDAP slave, this is a Debian 5.0 install running their packaged LDAP Server (2.4.11), here is my configuration:
# Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/courier.schema include /etc/ldap/schema/ISPEnv2.schema include /etc/ldap/schema/amavis.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/freeradius.schema include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap moduleload back_bdb
sizelimit 500 tool-threads 1
backend bdb database bdb
suffix "dc=example,dc=com" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500
index objectClass eq
# Save the time that the entry gets modified, for database #1 lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30
# Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog
access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
#ACLs access to attrs=userPassword by dn.base="cn=admin,dc=example,dc=com" write by anonymous auth by self write
access to dn.one="ou=people,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=people,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=aliases,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.one="ou=aliases,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=mailscripts,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.one="ou=mailscripts,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="ou=domains,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.one="ou=domains,dc=example,dc=com" by dn.base="cn=admin,dc=example,dc=com" write by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by * read
access to dn.base="" by * read
access to dn.children="ou=acldomain,dc=example,dc=com" by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write by dn.base="cn=admin,dc=example,dc=com" write by * read
access to * by dn.base="cn=admin,dc=example,dc=com" write by self write by users read by anonymous read
rootdn "cn=admin,dc=example,dc=com" rootpw {MD5}xxxxxxxxxxxxxxxx password-hash {CRYPT} password-crypt-salt-format "$1$%.8s"
TLSCACertificateFile /etc/ldap/cert/cacert.pem
# Indices to maintain #index objectClass eq index cn eq index uid,uidNumber,gidNumber,memberUid eq,pres index mail eq index entryUUID eq
syncrepl rid=124 \ provider=ldaps://masterldap.example.org:636 \ type=refreshAndPersist \ searchbase="dc=example,dc=com" \ scope=sub \ filter="(objectClass=*)" \ attrs="*" \ schemachecking=off \ bindmethod=simple \ binddn="cn=ldaprep,dc=example,dc=com" \ credentials=xxxxxxxx
Even with this, i get (this is the end of a slapd -d 500)
Config: ** successfully added syncrepl "ldaps://masterldap.example.com:636" => ldap_bv2dn(cn=Subschema,0) <= ldap_bv2dn(cn=Subschema)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=subschema)=0 main: TLS init def ctx failed: 1 slapd stopped. connections_destroy: nothing to destroy.
Lists suggest that cacert might not be right, i checked mine and did not find any problem with it (and yes, it works will all my 2.3 slaves):
# openssl x509 -text -in /etc/ldap/cert/cacert.pem
Certificate: Data: Version: 3 (0x2) Serial Number: e8:01:da:01:ac:05:15:ad Signature Algorithm: md5WithRSAEncryption Issuer: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org Validity Not Before: May 31 15:57:37 2006 GMT Not After : May 30 15:57:37 2011 GMT Subject: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): [snip] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: [snip] X509v3 Authority Key Identifier: [snip]
DirName:/C=IE/ST=Dublin/L=Dublin/O=ORGANISATION/CN=masterldap.example.org serial:E8:01:DA:01:AC:05:15:AD
X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption [snip] -----BEGIN CERTIFICATE----- [snip] -----END CERTIFICATE-----
Any help appreciated. Cheers, Steph