Troubleshooting syncrepl
by John Oliver
I've set up a pair of OpenLDAP servers to work with, so that I can
figure out my SSL problem without worrying about breaking my
currently-working LDAP server. I got the producer up and running in
about two minutes. I expected to get the consumer up just as fast, but
ran into a problem... the synchronization isn't succeeding. So I
started logging and got:
Consumer:
Jul 30 08:55:32 unix-services2 slapd[8041]: slapd starting
Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: added 4r
Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: added 7r
Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: select: listen=7 active_threads=0 tvp=zero
Jul 30 08:55:32 unix-services2 slapd[8041]: =>do_syncrepl
Jul 30 08:55:32 unix-services2 slapd[8041]: do_syncrep1: ldap_sasl_bind_s failed (49)
Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: shutdown requested and initiated.
Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: closing 7
Jul 30 08:55:32 unix-services2 slapd[8041]: slapd shutdown: waiting for 0 threads to terminate
Producer:
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13)
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13): got connid=0
Jul 30 08:55:18 test1 slapd[4919]: connection_read(13): checking for input on id=0
Jul 30 08:55:18 test1 slapd[4919]: ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=8 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: do_bind
Jul 30 08:55:18 test1 slapd[4919]: >>> dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: <<< dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>, <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: do_bind: version=3 dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: ==> bdb_bind: dn: cn=syncuser,dc=mydomain,dc=com
Jul 30 08:55:18 test1 slapd[4919]: bdb_dn2entry("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: conn=0 op=0 p=3
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text=""
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_response: msgid=1 tag=97 err=49
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=
Googling for do_syncrep1: ldap_sasl_bind_s failed (49) indicates that
this is likely to be an authentication issue with my syncuser. I
double-checked the password, and verified that it's set as cleartext in
slapd.conf. I then tried to log on to a machine using the producer as
the authentication server, since there's nothing (that I can think of)
that makes this user in any way special. It logs on... and about a
half second later is booted back out. No logs on the client machine
indicate why.
Googling bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair
found (-30989) led to many mentions of this almost certainly being a
permissions issue, but:
[root@test1 ~]# ls -l /var/lib/ldap/
total 69816
-rw-r--r-- 1 ldap ldap 2048 Jul 30 08:54 alock
-rw------- 1 ldap ldap 28672 Jul 29 15:45 cn.bdb
-rw------- 1 ldap ldap 24576 Jul 29 15:45 __db.001
-rw------- 1 ldap ldap 80019456 Jul 29 15:45 __db.002
-rw------- 1 ldap ldap 335552512 Jul 29 15:45 __db.003
-rw------- 1 ldap ldap 2359296 Jul 29 15:45 __db.004
-rw------- 1 ldap ldap 352256 Jul 29 15:45 __db.005
-rw------- 1 ldap ldap 24576 Jul 29 15:45 __db.006
-rw-r----- 1 ldap ldap 886 Jul 29 15:41 DB_CONFIG
-rw------- 1 ldap ldap 24576 Jul 29 15:45 dn2id.bdb
-rw------- 1 ldap ldap 8192 Jul 29 15:45 gidNumber.bdb
-rw------- 1 ldap ldap 20480 Jul 29 15:45 givenName.bdb
-rw------- 1 ldap ldap 98304 Jul 30 08:54 id2entry.bdb
-rw------- 1 ldap ldap 10485760 Jul 30 08:54 log.0000000001
-rw------- 1 ldap ldap 8192 Jul 29 15:45 loginShell.bdb
-rw------- 1 ldap ldap 8192 Jul 29 15:45 mail.bdb
-rw------- 1 ldap ldap 20480 Jul 29 15:45 memberUid.bdb
-rw------- 1 ldap ldap 8192 Jul 29 15:45 objectClass.bdb
-rw------- 1 ldap ldap 8192 Jul 29 15:45 ou.bdb
-rw------- 1 ldap ldap 20480 Jul 29 15:45 sn.bdb
-rw------- 1 ldap ldap 20480 Jul 29 15:45 uid.bdb
-rw------- 1 ldap ldap 8192 Jul 29 15:45 uidNumber.bdb
They look OK to me.
What can I do to further troubleshoot this issue? I want to make 100%
sure that my underlying LDAP is working before I tackle the SSL part.
--
John Oliver  http://www.john-oliver.net/
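As an added example (not part of John's post or of OpenLDAP), here is a small triage script for the two logs above: it pulls the consumer's syncrepl bind result code and, on the producer side, pairs each BIND with its RESULT and with any bdb_dn2id DB_NOTFOUND seen while that bind was in progress. slapd answers err=49 (invalidCredentials) both for a wrong password and for a bind DN that is not in the database, so the DB_NOTFOUND line is what separates the two cases. The log strings are constructed from the lines quoted above.

```python
import re

# Constructed samples, shortened from the consumer and producer logs in the post.
CONSUMER_LOG = """\
Jul 30 08:55:32 unix-services2 slapd[8041]: =>do_syncrepl
Jul 30 08:55:32 unix-services2 slapd[8041]: do_syncrep1: ldap_sasl_bind_s failed (49)
"""
PRODUCER_LOG = """\
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=
"""

SYNCREPL_FAIL_RE = re.compile(r"do_syncrep\w*: ldap_sasl_bind_s failed \((\d+)\)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
DN2ID_MISSING_RE = re.compile(r"<= bdb_dn2id: get failed: DB_NOTFOUND")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")   # tag 97 = BindResponse

def consumer_bind_error(log):
    """LDAP result code the consumer's syncrepl bind failed with, or None if none failed."""
    for line in log.splitlines():
        m = SYNCREPL_FAIL_RE.search(line)
        if m:
            return int(m.group(1))
    return None

def triage_producer_binds(log):
    """Map each (conn, op) BIND on the producer to a one-line diagnosis.

    err=49 (invalidCredentials) covers both a wrong password and a bind DN that is not
    in the database; a DB_NOTFOUND from bdb_dn2id during the bind distinguishes the two."""
    binds, current = {}, None
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            binds[current] = {"dn": m.group(3), "dn_missing": False, "err": None}
            continue
        if current is not None and DN2ID_MISSING_RE.search(line):
            binds[current]["dn_missing"] = True
            continue
        m = RESULT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) in binds:
            binds[(int(m.group(1)), int(m.group(2)))]["err"] = int(m.group(3))
            current = None
    diagnosis = {}
    for key, b in binds.items():
        if b["err"] == 49:
            why = "bind DN does not exist on the producer" if b["dn_missing"] else "wrong password"
        else:
            why = "bind OK" if b["err"] == 0 else f"err={b['err']}"
        diagnosis[key] = f"{b['dn']}: {why}"
    return diagnosis
```

Run `triage_producer_binds` over a full producer log (loglevel 256 plus the bdb trace, as in the post) to get one diagnosis per bind; `consumer_bind_error` gives the matching code on the consumer side.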
role based access to various systems
by amit vyas
Hi All,
I am a little bit new to the LDAP directory system.
Presently, I am using OpenLDAP to authenticate users. Now I want authorization for various systems (like a versioning system, bug tracking system, etc.).
So I want to store the access rights corresponding to different roles in LDAP (Read, Write, Update, Delete permissions).
Can anybody give me a sample .ldif for the same, or any other useful information?
It will be very useful.
Regards
Amit
Autofs-OpenLDAP Assistance
by Santosh Balan
Hi Friends,
I am new to this LDAP community. I have a Red Hat environment on my servers, and my clients are also Linux-based thin clients or Red Hat Linux based clients. I am trying to configure LDAP to authenticate my users when they log in to the machine and then automatically mount a partition on the user's machine. I have searched through the net and have been unable to find appropriate documentation on the same. Can you please guide me and provide some appropriate documentation or a method for how I have to go about the installation of OpenLDAP and autofs, such that it will authenticate my users and automatically mount the user's partition.
Thanks and Regards
Santosh Balan
+91-9819419509
Re: N-way multimaster
by Miguel Jinez
Sure
In this case the process was:
master B and master C are without service
master A performs a delete
restart masters A B C
Master A:
# 20080729212056.000003Z, accesslog
dn: reqStart=20080729212056.000003Z,cn=accesslog
objectClass: auditDelete
reqStart: 20080729212056.000003Z
reqEnd: 20080729212056.000004Z
reqType: delete
reqSession: 33
reqAuthzID: cn=admin,dc=ar
reqDN: cn=pbo101,dc=dominio,dc=ar
reqResult: 0
Master B:
# 20080729212438.000000Z, accesslog
dn: reqStart=20080729212438.000000Z,cn=accesslog
objectClass: auditModify
reqStart: 20080729212438.000000Z
reqEnd: 20080729212438.000001Z
reqType: modify
reqSession: 4294967295
reqAuthzID: cn=admin,dc=ar
reqDN: dc=ar
reqResult: 0
reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000
reqMod: contextCSN:= 20080729212056.356833Z#000000#001#000000
reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000
Master C:
# 20080729212911.000000Z, accesslog
dn: reqStart=20080729212911.000000Z,cn=accesslog
objectClass: auditModify
reqStart: 20080729212911.000000Z
reqEnd: 20080729212911.000002Z
reqType: modify
reqSession: 4294967295
reqAuthzID: cn=admin,dc=ar
reqDN: dc=ar
reqResult: 0
reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000
reqMod: contextCSN:= 20080729212056.356833Z#000000#001#000000
reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000
Migue
2008/7/29 Gavin Henry <ghenry(a)openldap.org>
> <quote who="Miguel Jinez">
> > Hi, I have tested from zero and I have tested with historical information.
> > I have found my old configuration and the logs are different; here master A:
>
> Can we see your actual logs, not the accesslog ones, after the test when/if
> it fails.
>
> Thanks.
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
translucent overlay with local-only entries
by Sven Ulland
I'm trying to extend an ldap directory using the translucent overlay,
like many before me:
http://www.openldap.org/lists/openldap-software/200802/msg00128.html
http://www.openldap.org/lists/openldap-software/200802/msg00267.html
http://www.openldap.org/lists/openldap-software/200511/msg00216.html
http://www.openldap.org/lists/openldap-software/200707/msg00471.html
Before version 2.4.8, this wasn't possible. Howard Chu seems to have
fixed this in rev 1.40 (before release 2.4.8) of translucent.c:
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/transluce...
(http://www.openldap.org/lists/openldap-bugs/200712/msg00109.html)
Although it seems to have been fixed, I cannot get it to work on my
setup. I use the packaged v2.4.10 in Debian testing. My config:
# Config start
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload translucent
sizelimit 500
tool-threads 1
backend hdb
backend ldap
database hdb
directory /var/lib/ldap/translucent
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=mybranch,dc=example,dc=com"
rootpw "admin"
overlay translucent
uri "ldap://172.27.27.37"
idassert-bind
    bindmethod=simple
    binddn="cn=admin,dc=example,dc=com"
    credentials="admin"
    mode=none
idassert-authzFrom "dn.subtree:dc=example,dc=com"
# Config end
This works perfectly fine for searches where the entry is remote.
Changing entries works fine, with the results stored in the local
translucent db. Adding new entries works, but they are not returned on
searches. I check this by running slapcat.
So, it boils down to these questions:
* Does Howard's patch not fully implement the searching?
* Is my config wrong?
* There are probably other ways to do this, perhaps using a meta
ldap backend. With multiple backends, what determines where writes
go? Probably where the object is based, but what about new objects?
* Is it cleaner to keep my "branch" of the tree under a subdomain,
such as mybranch.example.com using rwm, or should they all be on the
main example.com domain?
* Examples for exotic overlays are very scarce. It would be very
helpful if anyone could provide their configuration file.
sven
Modifying every entry in an LDAP address book
by Carr, Chris
Hi All,
Apologies if this is a stupid question, but I can't find the answer via
Google.
I need to make the same modification to every entry in my address book.
Can I do this with a single ldapmodify command? If so, what is the
syntax for the mod file? I'm assuming something like this:
dn: ??
changetype: modify
add: objectClass
objectClass: evolutionPerson
... but I can't think what the DN would be, since I don't really
understand how wildcards work in DNs, if at all. The entries I want to
modify are all in ou=addressbook,dc=mydomain, but all have different
cns.
Second, some of the entries already have that object class - will this
cause a problem? Will ldapmodify simply ignore those entries, or create
a duplicate identical objectClass, or crash?
Many thanks in advance,
CC
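As an added example (not from the thread, and not an answer posted in it), here is one way to do what Chris describes: dump the entries with ldapsearch, then emit a "changetype: modify" record for each DN and feed the result to ldapmodify, which takes no wildcard DNs. Adding an objectClass value an entry already has is rejected with attributeOrValueExists (result 20) and stops ldapmodify unless it runs with -c, so entries that already carry the class are skipped rather than modified. The SEARCH_OUTPUT entries are constructed sample data in the shape ldapsearch -LLL prints.

```python
# Constructed sample, in the shape ldapsearch -LLL prints (assumed data).
SEARCH_OUTPUT = """\
dn: cn=Alice Example,ou=addressbook,dc=mydomain
objectClass: inetOrgPerson
objectClass: evolutionPerson
cn: Alice Example
sn: Example

dn: cn=Bob Sample,ou=addressbook,dc=mydomain
objectClass: inetOrgPerson
cn: Bob Sample
sn: Sample
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from a simple LDIF dump: one attribute per
    line, blank-line separators, '#' comments and space-folded continuation lines."""
    entries, dn, attrs, prev = [], None, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and prev is not None:      # folded continuation
            if prev == "dn":
                dn += line[1:]
            else:
                attrs[prev][-1] += line[1:]
            continue
        if not line.strip():                                # end of entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs, prev = None, {}, None
            continue
        name, _, value = line.partition(":")
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
        prev = name
    return entries

def add_objectclass_ldif(text, oc="evolutionPerson"):
    """LDIF adding `oc` to every entry that lacks it, plus the list of skipped DNs."""
    records, skipped = [], []
    for dn, attrs in parse_ldif(text):
        if oc in attrs.get("objectClass", []):
            skipped.append(dn)
            continue
        records.append(f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {oc}\n-\n")
    return "\n".join(records), skipped

if __name__ == "__main__":
    ldif, skipped = add_objectclass_ldif(SEARCH_OUTPUT)
    print(ldif)                 # feed to: ldapmodify -x -D <binddn> -W -f mods.ldif
    print("skipped (already have the class):", skipped)
```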
Client says Can't contact LDAP server, but it can!
by John Oliver
What can I do to troubleshoot this? OpenLDAP client says
ldap_simple_bind Can't contact LDAP server but it can resolve the name,
ping the server, connect to port 636... and I have no details as to why
it thinks it cannot contact the server. Many other clients authenticate
to the same server, and I'm using the same ldap.conf, nsswitch.conf, and
pam.d/system-auth files.
--
John Oliver  http://www.john-oliver.net/
Re: Client says Can't contact LDAP server, but it can!
by Gustavo Mendes de Carvalho
Hi There,
I use self signed certificates with OpenLDAP, and everything works fine.
Check below for the commands I used to create this certificate.
===> Self signed certificate generation (I am using RHAS 4 Up6)
cd /usr/share/ssl
rm -fr demoCA
/usr/share/ssl/misc/CA -newca
openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
/usr/share/ssl/misc/CA -sign
===> putting certificate files to correct place
cp demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem
cp newcert.pem /etc/openldap/cacerts/servercrt.pem
cp newreq.pem /etc/openldap/cacerts/serverkey.pem
chmod 0400 /etc/openldap/cacerts/serverkey.pem
chown -R ldap:ldap /etc/openldap/cacerts
/etc/init.d/ldap restart
===> putting public certificate files in ldap client machines
scp /etc/openldap/cacerts/cacert.pem root@<ip_client>:/etc/openldap/cacerts/.
And set the correct path in the LDAP config files on the LDAP client machine.
When generating the certificate file, be sure to put the output of the
"hostname -f" command in the hostname field. You can try using localhost too.
I hope it helps you
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
Date: Mon, 28 Jul 2008 09:20:23 +0200
From: Buchan Milne <bgmilne(a)staff.telkomsa.net>
Subject: Re: Client says Can't contact LDAP server, but it can!
To: openldap-technical(a)openldap.org
Cc: John Oliver <joliver(a)john-oliver.net>
Message-ID: <200807280920.33142.bgmilne(a)staff.telkomsa.net>
Content-Type: text/plain; charset="iso-8859-1"
On Friday 25 July 2008 17:16:12 John Oliver wrote:
> On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote:
> > On Friday 25 July 2008 01:13:37 John Oliver wrote:
> > > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote:
> > > > Any client will need to know about the CA that signed your
> > > > self-signed cert.
> > >
> > > I created my certificate with:
> > >
> > > openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout
> > > /etc/openldap/ssl/ldap.pem -days 3650
> > >
> > > In slapd.conf I have:
> > >
> > > TLSCertificateFile /etc/ssl/ldap.pem
> > > TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
> > > TLSCACertificateFile /etc/ssl/ldap.pem
> > >
> > > What do I need to do differently?
> >
> > Configure the *client* ???
>
> The clients work perfectly with the working server. Why would they
> have to have a different configuration to talk to the backup LDAP server?
They don't necessarily need a different configuration, but it being valid
for one server doesn't guarantee it will be valid for another server,
especially when it comes to ssl, certificate validation etc.
> At the moment, I'm far more interested in getting the second LDAP
> server working than I am in having perfect security.
Then it's easy, turn off SSL.
If you don't want to do that, turn off certificate validation. It's better
than exposing keys.
Or, ensure that the "CA certificate" that the clients use contains the
certificates of the issuer of both of the server certificates, and that the
value of the subject CN on both certificates matches the name you use to
connect to the servers.
Regards,
Buchan
Re: N-way multimaster
by Miguel Jinez
Hi, I have tested from zero and I have tested with historical information. I have
found my old configuration and the logs are different. Here master A:
# 20080728211533.000002Z, accesslog
dn: reqStart=20080728211533.000002Z,cn=accesslog
objectClass: auditDelete
reqStart: 20080728211533.000002Z
reqEnd: 20080728211533.000003Z
reqType: delete
reqSession: 387
reqAuthzID: cn=admin,dc=ar
reqDN: cn=user1000,dc=osde1,dc=ar
reqResult: 0
Here master B:
# 20080728211533.000002Z, accesslog
dn: reqStart=20080728211533.000002Z,cn=accesslog
objectClass: auditDelete
reqStart: 20080728211533.000002Z
reqEnd: 20080728211533.000003Z
reqType: delete
reqSession: 387
reqAuthzID: cn=admin,dc=ar
reqDN: cn=user1000,dc=osde1,dc=ar
reqResult: 0
I am just using accesslog to look at what is happening.
Greetings
2008/7/28 Gavin Henry <ghenry(a)openldap.org>
> Hi,
>
> I meant originally. To test for me:
>
> 1. Empty both databases, including the accesslogs (accesslog not needed
> here)
> 2. Add original data to one node only, with the other switched off.
> 3. Bring the other one up and let it pull data from the first node.
> 4. Test they are the same and then try your delete situation.
>
> I think you've either added fresh data to each node so their *CSN values
> are different so the deletes won't work.
>
> Please test and report back.
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
>
>
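Gavin's point about the nodes' *CSN values differing, and the contextCSN lines Miguel posted for masters B and C in the first N-way multimaster message above, are what this added example (not from the thread or from OpenLDAP) works with: a contextCSN is kept per server ID (the third field of a CSN), and a replica only applies a change whose CSN is newer than its own value for that SID, so comparing two nodes' vectors shows which SID, if any, one node is behind on. MASTER_B is copied from the post; STALE_B is a constructed variant in which the SID 001 value is absent.

```python
import re
from collections import namedtuple

# A CSN is <timestamp>#<count>#<serverID>#<modifier>; the timestamp is fixed
# width, so (time, count) orders correctly as a (string, int) pair.
CSN = namedtuple("CSN", "time count sid mod")
CSN_RE = re.compile(r"(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})")

def parse_csn(text):
    """Split one CSN string into its fields; count, sid and mod are hex."""
    m = CSN_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m.group(1), int(m.group(2), 16), int(m.group(3), 16), int(m.group(4), 16))

def context_csns(accesslog):
    """Return {sid: CSN} from the reqMod: contextCSN lines of an accesslog record."""
    vector = {}
    for line in accesslog.splitlines():
        if line.startswith("reqMod: contextCSN:="):
            csn = parse_csn(line.split(":=", 1)[1])
            vector[csn.sid] = csn
    return vector

def lagging_sids(local, remote):
    """SIDs on which `local` is behind `remote` (value missing or older)."""
    lag = []
    for sid, rcsn in remote.items():
        lcsn = local.get(sid)
        if lcsn is None or (lcsn.time, lcsn.count) < (rcsn.time, rcsn.count):
            lag.append(sid)
    return sorted(lag)

# contextCSN lines as master B reported them in the post (master C showed the same).
MASTER_B = """\
reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000
reqMod: contextCSN:= 20080729212056.356833Z#000000#001#000000
reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000
"""
MASTER_C = MASTER_B
# Constructed: a node that never received SID 001's change at 20080729212056.
STALE_B = """\
reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000
reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000
"""

if __name__ == "__main__":
    print("B vs C:", lagging_sids(context_csns(MASTER_B), context_csns(MASTER_C)))
    print("stale B vs C:", lagging_sids(context_csns(STALE_B), context_csns(MASTER_C)))
```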
Re: N-way multimaster
by Miguel Jinez
Hi
With my configuration at this time I have in one side:
# 20080728202600.000001Z, accesslog
dn: reqStart=20080728202600.000001Z,cn=accesslog
objectClass: auditDelete
reqStart: 20080728202600.000001Z
reqEnd: 20080728202600.000002Z
reqType: delete
reqSession: 604
reqAuthzID: cn=admin,dc=ar
reqDN: cn=user100,dc=osde1,dc=ar
reqResult: 0
and nothing on the other side. Let me try old configurations to show you
the modify message.
2008/7/26 Gavin Henry <ghenry(a)openldap.org>
> <quote who="Miguel Jinez">
> > Yes, deletes are performed in one node
>
> How did you originally load the data on each node?
>
> Can you show the failed delete logs?
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>