I recently installed some updates and configuration changes on one of my LDAP slaves. Replication broke mysteriously after that. I turned on full debugging on slapd and just saw this:
-----------
Jul 11 12:42:51 pip slapd[30723]: =>do_syncrepl rid 001
Jul 11 12:42:51 pip slapd[30723]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jul 11 12:42:51 pip slapd[30723]: =>do_syncrep2 rid 001
Jul 11 12:42:51 pip slapd[30723]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT
Jul 11 12:42:51 pip slapd[30723]: connection_get(12)
Jul 11 12:42:51 pip slapd[30723]: connection_get(12): got connid=0
Jul 11 12:42:51 pip slapd[30723]: daemon: removing 12
Jul 11 12:42:51 pip slapd[30723]: daemon: activity on 1 descriptor
Jul 11 12:42:51 pip slapd[30723]: daemon: activity on:
Jul 11 12:42:51 pip slapd[30723]:
Jul 11 12:42:51 pip slapd[30723]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Jul 11 12:42:51 pip slapd[30723]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jul 11 12:42:51 pip slapd[30723]: daemon: activity on 1 descriptor
Jul 11 12:42:51 pip slapd[30723]: do_syncrepl: rid 001 retrying (9 retries left)
-----------
The replica would continue to connect over and over again to the master, and the logs just kept saying "retrying".
Finally, I ended up having to disable TLS on the replica and temporarily allow plaintext authentication on the master.
On reviewing the packet capture, it was immediately obvious that the search was failing with a protocol error because derefAliases was set to always. A quick Google search indicated that other people have had a similar problem, generally because they changed the global LDAP configuration file.
Indeed, I had switched to NFS home directories with the auto mounter, and LDAP integration for my deployment required dereferencing aliases by the auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf, which is being inherited by slapd.
It would be useful if replication failure provided better error messages; something in the logs indicating that a protocol error had occurred because of an invalid dereferencing setting would have saved me a lot of time. Also, if alias dereferencing is not valid for a syncrepl query, shouldn't the server simply override that setting from the global configuration and do the right thing?
In any case, I find myself stuck: the auto mounter requires alias dereferencing in order to work, while slapd requires alias dereferencing disabled.
There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
The global configuration file will not work, as I require a different option setting for two processes. The home directory configuration file will not work, as both automount and slapd look in ~root. While I could probably kludge an init script to pass an environment variable to one or the other process, the init script framework does not allow for that and I would prefer something that fits within the intended operating system configuration.
Any suggestions on how to best have a different LDAP configuration for two processes both running as root?
Would there be any value in modifying slapd to ignore the alias dereferencing setting for the purposes of syncrepl? Or to enhance the slapd.conf file to allow setting general LDAP configuration options? Or perhaps a commandline option allowing the specification of either an alternate configuration file or LDAP configuration options on the command line?
Thanks much for any suggestions or assistance...
Paul B. Henson wrote:
> Finally, I ended up having to disable TLS on the replica and temporarily allow plaintext authentication on the master.
Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.
> On reviewing the packet capture, it was immediately obvious that the search was failing with a protocol error because derefAliases was set to always. A quick Google search indicated that other people have had a similar problem, generally because they changed the global LDAP configuration file.
> Indeed, I had switched to NFS home directories with the auto mounter, and LDAP integration for my deployment required dereferencing aliases by the auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf, which is being inherited by slapd.
> It would be useful if replication failure provided better error messages; something in the logs indicating that a protocol error had occurred because of an invalid dereferencing setting would have saved me a lot of time.
If you want suggestions to actually get acted on, submit an ITS.
> Also, if alias dereferencing is not valid for a syncrepl query, shouldn't the server simply override that setting from the global configuration and do the right thing?
Ditto.
> In any case, I find myself stuck: the auto mounter requires alias dereferencing in order to work, while slapd requires alias dereferencing disabled.
> There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
Re-read ldap.conf(5). There are other choices as well.
On Sun, 13 Jul 2008, Howard Chu wrote:
> Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.
I actually had all debugging enabled, which was perhaps too much and resulted in my missing that information.
> If you want suggestions to actually get acted on, submit an ITS.
Done.
> > There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
> Re-read ldap.conf(5). There are other choices as well.
The only other choice I see is an "ldaprc" file in the current working directory, which also will not work for me because both slapd and the automounter process have a working directory of /. Is there a fourth option I missed? As I said, ideally I would like a configuration mechanism that does not require me to change bits of the operating system (such as /etc/init.d/slapd).
Thanks...
Paul B. Henson wrote:
> On Sun, 13 Jul 2008, Howard Chu wrote:
> > Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.
> I actually had all debugging enabled, which was perhaps too much and resulted in my missing that information.
> > If you want suggestions to actually get acted on, submit an ITS.
> Done.
> > > There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
> > Re-read ldap.conf(5). There are other choices as well.
> The only other choice I see is an "ldaprc" file in the current working directory, which also will not work for me because both slapd and the automounter process have a working directory of /. Is there a fourth option I missed? As I said, ideally I would like a configuration mechanism that does not require me to change bits of the operating system (such as /etc/init.d/slapd).
You can use LDAPCONF=/path/to/specific/ldap.conf to force slapd to use a specific ldap.conf file. You could even use LDAPNOINIT=1 to disable initializing from the ldap.conf mechanism.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
On Thu, 17 Jul 2008, Pierangelo Masarati wrote:
> > > > There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
> [...]
> You can use LDAPCONF=/path/to/specific/ldap.conf to force slapd to use a specific ldap.conf file. You could even use LDAPNOINIT=1 to disable initializing from the ldap.conf mechanism.
I would include that in the "environment variable" bucket, no?
Thanks...
Paul B. Henson wrote:
> On Thu, 17 Jul 2008, Pierangelo Masarati wrote:
> > > > > There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
> > [...]
> > You can use LDAPCONF=/path/to/specific/ldap.conf to force slapd to use a specific ldap.conf file. You could even use LDAPNOINIT=1 to disable initializing from the ldap.conf mechanism.
> I would include that in the "environment variable" bucket, no?
Yes. My point is: why doesn't this work for you? What other method would you suggest? The fact that a client needs alias dereferencing set globally to work to me seems to be broken, and does not deserve to require breaking the rest of the system. You should rather work at providing __that__ client a specific ldap.conf, without breaking the rest of the system.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it
-----------------------------------
On Wed, 16 Jul 2008, Pierangelo Masarati wrote:
> Yes. My point is: why doesn't this work for you?
It does (and is for now), but requires I edit the system startup script (/etc/init.d/slapd). I'd rather have a configuration mechanism that doesn't need me to tweak parts of the OS not intended to be modified for configuration purposes.
> What other method would you suggest?
That slapd never make a syncrepl request with deref aliases enabled (regardless of global ldap.conf settings), as that will always fail. Or a mechanism allowing specific ldap options to be set for slapd either in the config file or via command line options. Per Howard's suggestion, I opened an ITS for each of those.
> The fact that a client needs alias dereferencing set globally to work to me seems to be broken, and does not deserve to require breaking the rest of the system. You should rather work at providing __that__ client a specific ldap.conf, without breaking the rest of the system.
The only thing I've found broken so far is slapd syncrepl.
Arguably, this problem could also be solved if the automount configuration allowed changing ldap client options. However, it really seems more apropos for slapd to be more flexible than automount. Also, automount doesn't need alias dereferencing set in general, just specifically in my environment given how I integrated automount entries into my existing user/group entries.
My problem is that barring the feature of some specific ldap configuration options in a client, there is no way for two clients running as the same user with the same home directory, the same current working directory, and the same environment to have different ldap library settings. I can kludge around that by tweaking OS startup scripts, but would rather have a solution that fits into configuration files. I could be bugging the automounter folk to add more ldap configuration options, but think in general this feature would be more valuable in slapd.
Thanks...
Paul B. Henson wrote:
> On Wed, 16 Jul 2008, Pierangelo Masarati wrote:
> > Yes. My point is: why doesn't this work for you?
> It does (and is for now), but requires I edit the system startup script (/etc/init.d/slapd). I'd rather have a configuration mechanism that doesn't need me to tweak parts of the OS not intended to be modified for configuration purposes.
> > What other method would you suggest?
> That slapd never make a syncrepl request with deref aliases enabled (regardless of global ldap.conf settings), as that will always fail. Or a mechanism allowing specific ldap options to be set for slapd either in the config file or via command line options. Per Howard's suggestion, I opened an ITS for each of those.
I would probably reject the latter, since such mechanisms already exist. You're just unwilling to use them.
I should note that /etc/init.d/slapd was not provided by us. A reasonable distro packager always provides the ability to source an external config file for site-specific options in their init.d scripts. Whether yours does or not is not an OpenLDAP Project concern though.
On Thu, 17 Jul 2008, Howard Chu wrote:
> > That slapd never make a syncrepl request with deref aliases enabled (regardless of global ldap.conf settings), as that will always fail. Or a mechanism allowing specific ldap options to be set for slapd either in the config file or via command line options. Per Howard's suggestion, I opened an ITS for each of those.
> I would probably reject the latter, since such mechanisms already exist. You're just unwilling to use them.
Other mechanisms which do not offer the same functionality. What would it hurt to allow ldap library option configuration in slapd.conf? Although if you implement the first suggestion that would solve my specific problem.
> I should note that /etc/init.d/slapd was not provided by us. A reasonable distro packager always provides the ability to source an external config file for site-specific options in their init.d scripts. Whether yours does or not is not an OpenLDAP Project concern though.
The init script framework allows for setting arbitrary slapd command line options, but not for running arbitrary shell code.
Paul B. Henson wrote:
> Other mechanisms which do not offer the same functionality. What would it hurt to allow ldap library option configuration in slapd.conf? Although if you implement the first suggestion that would solve my specific problem.
You can already solve your current problem. Just use a different working directory for slapd, and set an ldaprc there. (And/or do the same for the automountd.) Most sysadmins would recognize it's a good idea to run servers in different working directories anyway, to prevent core files from getting overwritten if nothing else.
On Wed, 2008-07-16 at 14:23 -0700, Paul B. Henson wrote:
> On Sun, 13 Jul 2008, Howard Chu wrote:
> > Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.
> I actually had all debugging enabled, which was perhaps too much and resulted in my missing that information.
> > If you want suggestions to actually get acted on, submit an ITS.
> Done.
> > > There appear to be three ways to define configuration: the global configuration file, a configuration file in the home directory, or an environment variable.
> > Re-read ldap.conf(5). There are other choices as well.
> The only other choice I see is an "ldaprc" file in the current working directory, which also will not work for me because both slapd and the automounter process have a working directory of /. Is there a fourth option I missed? As I said, ideally I would like a configuration mechanism that does not require me to change bits of the operating system (such as /etc/init.d/slapd).
You don't specify what operating system it is, but many Linux distributions source something like /etc/sysconfig/ldap or /etc/default/slapd into the init script, so adding an:
export LDAPCONF=/etc/openldap/slapd-ldap.conf
or similar to such a file should do the trick (depending on the OS and the shell interpreter invoked by the init script etc. etc.).
Regards, Buchan
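The three per-process mechanisms raised in this thread (LDAPCONF pointing at a slapd-specific ldap.conf, an ldaprc in a working directory used only by slapd, and an environment file such as /etc/sysconfig/ldap, /etc/default/slapd or Gentoo's /etc/conf.d/slapd that the init script sources) all need the same two pieces: a client configuration for slapd that keeps the global URI and TLS settings but has DEREF back at the ldap.conf(5) default of never, and an idempotent way to set the export in the environment file. The following POSIX shell script is an added example, not code from any poster or from the OpenLDAP project; the file names /etc/openldap/slapd-ldap.conf and the conf.d-slapd environment file are assumptions, and the demo runs entirely against a constructed ldap.conf in a temporary directory.

```shell
#!/bin/sh
# Added example, not from any message in this thread. It gives slapd its own
# ldap.conf (via LDAPCONF, or as an ldaprc in a dedicated working directory)
# so the global "DEREF always" needed by automount does not reach syncrepl.
# All file paths used here are assumptions, not OpenLDAP or distro defaults.

# make_slapd_ldapconf GLOBAL OUT
# Copy every directive from GLOBAL except DEREF, then append "DEREF never",
# the ldap.conf(5) default. URI, BASE and TLS_* settings stay in sync with
# the global file, so only the one offending option differs.
make_slapd_ldapconf() {
    global="$1"; out="$2"
    [ -r "$global" ] || { echo "cannot read $global" >&2; return 1; }
    {
        echo "# generated from $global for slapd; edit the source instead"
        # ldap.conf keywords are case-insensitive and may be indented
        grep -v -i '^[[:space:]]*DEREF[[:space:]]' "$global" || true
        echo "DEREF never"
    } > "$out"
}

# effective_deref FILE
# Print the DEREF value a libldap client reading FILE ends up with: the last
# DEREF directive wins, and the default when none is present is "never".
effective_deref() {
    awk 'BEGIN { v = "never" }
         tolower($1) == "deref" && NF >= 2 { v = tolower($2) }
         END { print v }' "$1"
}

# set_env_export FILE NAME VALUE
# Idempotently set "export NAME=VALUE" in the environment file the init
# script sources (assumed name; e.g. /etc/conf.d/slapd on Gentoo). Any
# earlier export of NAME is replaced rather than duplicated.
set_env_export() {
    file="$1"; name="$2"; value="$3"
    tmp="$file.tmp.$$"
    {
        if [ -f "$file" ]; then grep -v "^export $name=" "$file" || true; fi
        printf 'export %s=%s\n' "$name" "$value"
    } > "$tmp" && mv "$tmp" "$file"
}

# demo: run the whole procedure against a constructed ldap.conf in a temp
# directory so nothing under /etc is touched. Returns non-zero on mismatch.
demo() {
    d=$(mktemp -d) || return 1
    # constructed global client config, as the automounter needs it
    printf '%s\n' 'BASE dc=example,dc=com' \
                  'URI ldaps://ldap.example.com' \
                  'DEREF always' \
                  'TLS_REQCERT demand' > "$d/ldap.conf"
    make_slapd_ldapconf "$d/ldap.conf" "$d/slapd-ldap.conf"
    set_env_export "$d/conf.d-slapd" LDAPCONF "$d/slapd-ldap.conf"
    echo "automount sees DEREF $(effective_deref "$d/ldap.conf")"
    echo "slapd sees     DEREF $(effective_deref "$d/slapd-ldap.conf")"
    cat "$d/conf.d-slapd"
    [ "$(effective_deref "$d/slapd-ldap.conf")" = never ]
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh script.sh demo` to see both files side by side. In production the same generated file can either be named by LDAPCONF in the environment file, or be written as `ldaprc` into a working directory that only slapd starts in, as Howard suggests; in both cases the automounter keeps reading the untouched global /etc/openldap/ldap.conf, and the global file can be regenerated into the slapd copy whenever it changes.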
On Thu, 17 Jul 2008, Buchan Milne wrote:
> You don't specify what operating system it is, but many Linux distributions source something like /etc/sysconfig/ldap or /etc/default/slapd into the init script, so adding an:
> export LDAPCONF=/etc/openldap/slapd-ldap.conf
It's gentoo, which has an /etc/conf.d/slapd file. I did try setting an env variable there, but looking at your example realized I forgot to export it. I'll have to try again with the export and see if it works, that would be great...
Thanks much...
openldap-software@openldap.org