I am running into an issue trying to do LDAP replication. I am trying to get slurp to replicate data but it keeps complaining that none of the data is 'mine'.
I also never see slurpd make a TCP connection to the 192.168.247.130 peer.
slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12 by self write by * auth
access to attrs=shadowLastChange by self write by * read
access to * by * read
loglevel 0

replogfile /var/lib/ldap/replog/ldap.binc-groups.replog

TLSCertificateFile /etc/openldap/servercert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
database bdb
suffix "dc=remote,dc=binc,dc=net"
rootdn "XXXXXXXXXXXXXXXXXXXXXXXX"
rootpw XXXXXXXXXXXXX
directory /var/lib/ldap/dc=remote_dc=binc_dc=net
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
replica host=192.168.247.130 binddn="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX" bindmethod=simple credentials=XXXXXXXXXXXXX

Slurpd Logs:

Replica 192.168.247.130:389, skip repl record for uid=tester,ou=people,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for cn=testing,ou=group,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for cn=groupconfiguration,ou=ldapconfig,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for uid=jguthries,ou=binc,ou=people,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for uid=test22,ou=binc,ou=people,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for uid=howdy,ou=binc,ou=people,dc=remote,dc=binc,dc=net (not mine)
Replica 192.168.247.130:389, skip repl record for uid=sasser,ou=binc,ou=people,dc=remote,dc=binc,dc=net (not mine)
On 1/11/07, Jeremy M. Guthrie jeremy.guthrie@berbee.com wrote:
I've never seen that error, but I'm pretty sure your replogfile needs to go into your database section. (That makes the error seem logical to me, anyway.)
See: http://www.openldap.org/faq/data/cache/371.html
_Matt
I moved replogfile down at the bottom but 'no go'. I still do not see a TCP connection from the 192.168.247.129 host to the 192.168.247.130 host. I don't even see an attempt to form a connection.
begin replication thread for 192.168.247.130:636
new work in /var/lib/ldap/replog/ldap.binc-groups.replog
copy replog "/var/lib/ldap/replog/ldap.binc-groups.replog" to "/var/lib/slurpd/replica/slurpd.replog"
Replica 192.168.247.130:636, skip repl record for uid=jguthries,ou=people,dc=remote,dc=binc,dc=net (not mine)
On Thursday 11 January 2007 21:10, matthew sporleder wrote:
So more information about my problem: if I change

replica uri=ldaps://192.168.247.130:389/

to

replica uri=ldap://192.168.247.130:389/

THEN I get a slightly different replication log created by Slurpd. However, when I examine that file, it is missing:

replica: 192.168.247.130:389
If I kill slurpd, edit the log to include the 'replica' line, and then restart slurpd, then it forms the connection and attempts to forward the ldif.
So it looks like I'm facing two problems:
1. slurpd doesn't work right with SSL
2. slurpd doesn't create the right log format for it to use for replication.
Am I missing something in my SSL config?
Any ideas on a bug fix for #2?
rpmquery --all | egrep openldap
openldap2-client-2.3.19-18.6
openldap2-2.3.19-18.7
--On Friday, January 12, 2007 2:34 PM -0600 "Jeremy M. Guthrie" jeremy.guthrie@berbee.com wrote:
How do you intend to do LDAPS over port 389? I assume what you want is startTLS on port 389. Or else, turn on LDAPS on port 636....
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
oh... sorry... I meant to change the 389 to 636 as well:

replica uri=ldaps://192.168.247.130:636/

to

replica uri=ldap://192.168.247.130:389/
On Friday 12 January 2007 14:46, Quanah Gibson-Mount wrote:
I see that slapd does not actually write the 'replica: 192.168.247.130:389' line to the ldif entries it puts in the 'replogfile'. So that looks like the source for one issue.
I've nailed this down quite a bit now. It appears that 'replica: 192.168.247.130:XXX' is not making it in regardless of ldap or ldaps. I was able to reproduce the issue in a VMWARE set of hosts where I could restart from scratch. Soon as I add the line, it works like it should with ldap and ldaps. So for some reason, that one line is never being put in. 8(
--On Friday, January 12, 2007 5:09 PM -0600 "Jeremy M. Guthrie" jeremy.guthrie@berbee.com wrote:
So start slapd with -d -1 and drop the output to a file. See why it isn't parsing the line. Perhaps you have whitespace issues somewhere...
--Quanah
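A check for the two things this thread turns on, as an added example (my code, not OpenLDAP's and not the posters'): whether replogfile/replica precede the database section of slapd.conf, as Matt queried, and which replog records a slurpd replica thread would skip as "(not mine)" because they carry no matching "replica: host:port" header, as Jeremy found. The config excerpt and replog records are constructed; the record layout (replica:, time:, dn:, changetype: separated by blank lines) assumes slapd's replog format, and the skip rule assumes slurpd matches the replica on host:port exactly.

```python
import re

# Constructed slapd.conf excerpt mirroring the thread's layout: replogfile sits
# in the global section, before "database bdb"; credentials are placeholders.
SLAPD_CONF = """\
replogfile /var/lib/ldap/replog/ldap.binc-groups.replog
database bdb
suffix "dc=remote,dc=binc,dc=net"
replica uri=ldap://192.168.247.130:389/ binddn="cn=PLACEHOLDER" bindmethod=simple credentials=PLACEHOLDER
"""

# Constructed, abbreviated replog: the first record lacks the "replica:" header
# (the thread's symptom), the second carries it.
REPLOG = """\
time: 1168550000
dn: uid=tester,ou=people,dc=remote,dc=binc,dc=net
changetype: delete

replica: 192.168.247.130:389
time: 1168550100
dn: cn=testing,ou=group,dc=remote,dc=binc,dc=net
changetype: delete
"""

def misplaced_directives(conf):
    """Replication directives found before the first 'database' line, i.e. the
    placement Matt questioned in the thread (assumed: they are per-database)."""
    misplaced, in_database = [], False
    for line in conf.splitlines():
        word = line.split(None, 1)[0] if line.strip() else ""
        if word == "database":
            in_database = True
        elif word in ("replogfile", "replica") and not in_database:
            misplaced.append(word)
    return misplaced

def parse_replog(text):
    """Blank-line-separated records -> list of (dn, [replica host:port, ...])."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        replicas = [l.split(":", 1)[1].strip() for l in lines if l.startswith("replica:")]
        dn = next(l.split(":", 1)[1].strip() for l in lines if l.startswith("dn:"))
        records.append((dn, replicas))
    return records

def not_mine(text, replica):
    """DNs the slurpd thread for `replica` (host:port) skips as '(not mine)':
    a record is only 'mine' when one of its replica: lines names that replica."""
    return [dn for dn, reps in parse_replog(text) if replica not in reps]
```

Run not_mine over a copy of the live replog with the host:port from the slurpd log line to confirm the skipped DNs are exactly the records with no replica: header.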
openldap-software@openldap.org