openldap-technical June 2017

openldap-technical@openldap.org

34 participants
69 discussions

Limiting which attributes get replicated
by Philip Colmer 08 Jun '17

08 Jun '17

Hi We've got a core set of OpenLDAP servers that are in a multi-master configuration. We are looking at building out that set of servers so that our data centres can have local copies of the data. However, those copies don't need to be of everything, so I want to limit which attributes get replicated. I wanted to check that I've understood the configuration correctly ... According to http://www.openldap.org/doc/admin22/syncrepl.html, it looks like I can specify on the consuming LDAP server which attributes are synced, and I can also ensure that the binddn account only has access to those attributes on the providing LDAP server. The example given in the documentation has: filter="(objectClass=organizationalPerson)" What do I do if I want to synchronise all objectClasses but only restrict the attributes on the organizationalPerson class? So, for example, I want everything on groups but I don't want jpegPhoto on people. What happens if one of the consuming LDAP servers is then itself queried for an attribute that hasn't been synced? So, for example, if a system in a data centre connects to a local consuming LDAP server and asks for a jpegPhoto, that won't be on the local server, so what happens then? Thank you. Philip

1 0

Security Enclaves
by Derrick McKee 08 Jun '17

08 Jun '17

Greetings, I am a computer security researcher working on adding functionality to the hardware security enclaves recently released on CPUs (e.g. Intel SGX or ARM TrustZone). I think that OpenLDAP would suit my purposes well, and I was thinking of attempting to secure SASL and TLS/SSL functionality. My plan is to get OpenSSL to use the secure enclave, and adopt OpenLDAP to use the enclave as well for SASL and TLS. I just need a little help on where to start looking. I have seen sasl.c and saslauthz.c in servers/slapd, as well as tls2.c in libraries/libldap and libraries/libldap_r. Anywhere else I should be looking? Is the only difference between libraries/libldap and libraries/libldrap_r just the use of threads? Finally, any other ideas about what else I can protect? For those unfamiliar, security enclaves allow for virtual address ranges to be encrypted/decrypted on the processor itself. So even an adversary with root privileges would not be able to read data/code/whatever within the secure address range. Thanks in advance for any help. - Derrick McKee -- Derrick McKee Ph.D. Student at Purdue University

1 0

Attempting to set Access Control for auth to Perl Backend
by Etan Weintraub 06 Jun '17

06 Jun '17

Hi all- I'm configuring an OpenLDAP server with the Perl Backend. I've been able to set permissions for search on one of my backends to lock it down based on IP as follows: access to dn.sub="dc=alias" by peername.ip=127.0.0.1 read by peername.ip=10.181.24.193 read by peername.ip=10.181.35.243 read by * none That makes it that only those IP's listed can search and get results from that branch. I now need to do the same type of thing for another branch, but for authentication instead (i.e. only allow auth to occur if coming from an approved IP). I've tried the following: access to dn.sub="dc=mfa" by peername.ip=127.0.0.1 auth by peername.ip=10.181.24.193 auth by * none But no luck. Any ideas/help? If I can't do this with an ACL, if I can get the IP address of the request passed in to the bind function in the Perl backend, I can handle the controls there. -Etan E. Weintraub Information Security Architect IT@Johns Hopkins Johns Hopkins at Mt. Washington <x-apple-data-detectors://4/> 5801 Smith Ave. Davis Building <x-apple-data-detectors://4/> Suite 3110B <x-apple-data-detectors://5/0> Baltimore, MD 21209 Phone: <tel:667-208-6309> 667-208-6309 E-mail: <mailto:eweintra@jhmi.edu> eweintra(a)jhmi.edu

1 0

Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu 05 Jun '17

05 Jun '17

Prentice Bisbal wrote: > On 05/31/2017 12:37 AM, John Lewis wrote: > >> What if I wanted to write a OpenLDAP backend for a systemd journal file >> or Elasticsearch so I can present my logs as an LDAP subtree so I can >> use my LDAP tools to filter my logs? Should I use back-shell for >> prototyping? If so, what is the usual work flow? > This sounds like the wrong tool for this job. Really? Can you give a point by point comparison against what you think is the "right" tool for the job? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 4

Directory Sever Gateway for OpenLDAP
by John Lewis 05 Jun '17

05 Jun '17

Is there something like 389 Directory Server Gateway (389-dsgw) for OpenLDAP? Is there some way to borrow 389-dsgw itself and run it standalone and aim it at OpenLDAP? I am looking for some kind of service I can run to get a phonebook, orgchart, advanced search interface, and DSML gateway. Having a frontend like this would make it easier for people to buy into the idea of a directory server for things they interact with directly before introducing thick clients.

2 1

Re: How wold you go about writing a new OpenLDAP backend?
by Quanah Gibson-Mount 02 Jun '17

02 Jun '17

--On Friday, June 02, 2017 3:02 PM -0400 Prentice Bisbal <pbisbal(a)pppl.gov> wrote: > Well, that certainly sounds like the missing link, doesn't it? ;) > > What is different about your native backends that makes them so much > faster? Domain-specific design? I haven't been keeping up with OpenLDAP > over the past few years. The versions I've used in the bast used BDB for > the backend. I've been charged with upgrading an old LDAP server, and as > I was looking through the documentation for the latest version, I saw > that you have some new native backend(s), but I didn't have time to read > up on them. You might find some of this useful: <https://en.wikipedia.org/wiki/Lightning_Memory-Mapped_Database> <https://mishikal.wordpress.com/2013/05/16/openldap-a-comparison-of-back-mdb…> <http://wiki.zimbra.com/wiki/OpenLDAP_MDB_vs_HDB_performance> There's also a ton more information at: <https://symas.com/lightning-memory-mapped-database/> Scroll to the bottom and look at the "Project presentations" section and the "Benchmarks" section, in addition to the rest of the useful information. ;) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

OpenLDAP 2.4.45 available...openSUSE / SLES RPMs
by Michael Ströder 02 Jun '17

02 Jun '17

OpenLDAP Project wrote: > OpenLDAP 2.4.45 is now available for download as detailed on our download page: Devel builds for various openSUSE / SLES versions are here: https://build.opensuse.org/package/show/network:ldap/openldap2 You can directly add appropriate repo from herein: https://download.opensuse.org/repositories/network:/ldap/ Example for adding the repo on openSUSE Tumbleweed: zypper addrepo -f https://download.opensuse.org/repositories/network:/ldap/openSUSE_Tumblewee… Ciao, Michael.

1 0

Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu 02 Jun '17

02 Jun '17

Prentice Bisbal wrote: > On 05/31/2017 04:39 PM, John Lewis wrote: >> On Wed, 2017-05-31 at 15:07 -0400, Prentice Bisbal wrote: >>> On 05/31/2017 02:55 PM, Howard Chu wrote: >>>> Prentice Bisbal wrote: >>>>> On 05/31/2017 12:37 AM, John Lewis wrote: >>>>> >>>>> This sounds like the wrong tool for this job. >>>> Really? Can you give a point by point comparison against what you >>>> think is the "right" tool for the job? >>> That's the wrong question to ask, since I never made any claim as to >>> what the right tool is. A better question to ask would be why I think >>> this is the wrong tool. So here's my reply to that: It doesn't seem like >>> this is a job LDAP was designed for. To me, LDAP is really just a >>> standardized database interface that make certain type of DB looks up >>> easy, and most importantly, standardized.I would think a more general >>> purpose database interface would be better for this. >>> >>> Unfortunately, I'm not a database expert, so I can't give you the >>> "point-by-point argument you requested. >>> >>> Now your turn - why would OpenLDAP be a good fit for this over other >>> databases? >>> >>> -- >>> Prentice >>> >> Yes, LDAP is really just a standardized database interface. That is the >> point. I want my logs available through an IETF standardized protocol so >> I can reuse tools so I don't have to maintain as many tools. >> >> OpenLDAP would be a good fit over other databases because Michael, and >> Howard, and the other contributers to OpenLDAP did most of the work for >> me. >> > > Fair enough answer. How would you store and retrieve your results? Are you > creating/using a schema specifically for this? If so, what does it look like. > > I'm still having trouble seeing the performance benefits, though. The data is > still stored in a backend DB, right? Let's say that backend is some sort of > SQL DB. You write your ldapsearch query, and then LDAP converts that to SQL, > and then the DB returns the results to LDAP, which then translated the results > to LDIF and returns them to you. Isn't there performance hits every time you > traverse the LDAP layer? > > I suppose this might still be faster than reading a plain-text log file. Is > that the point I'm missing? OpenLDAP's native backends are multiple orders of magnitude faster than every SQL DB. That seems to be the crucial point you're missing. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

problem with syncrepl and STARTTLS
by r0m5 02 Jun '17

02 Jun '17

Hello, I am facing an issue with syncrepl and STARTTLS on 389 port. The kind of problem happening only sometimes, and disappearing "by itself". I use Debian Jessie, OpenLDAP 2.4.40+dfsg-1+deb8u2. Description : I have a production environment, and a preproduction environment. Both of them consist of one provider and multiple consumers. Right now all is working fine. Then 2 times a days a script injects the production data in the preproduction environment : ldapsearch on prod / ldapdelete on preprod / stop slapd on preprod / slapadd on preprod / start slapd on preprod. Then sometimes during this injection I get a problem : one or more of the consumers in preprod fail to sync. But sometimes all are OK. Then the consumers facing the issue succeed syncrepl again "by themselves" after a few dozens of minutes / hours. If I restart slapd on the failing consumers, then the syncrepl succeeds immediately. When the syncrepl is failing, I can still perform an ldapsearch using STARTTLS and the syncrepl binding credentials from the consumer to the provider. There is no issue with non-TLS LDAP replications. Also, using ldapsearch with option "-d 3" I get TLS debug, but even with "olcLogLevel -1" in cn=config I can't get precise debug for TLS during syncrepl. I captured the trafic and when there is the error, wireshark at some point can't understand TLS sent by the consumer (SSL "ignored unknown record"). Corresponding data is "30 05 02 01 02 42 00". Not sure it's related to the problem though, but it looks like since (if I am right) the first information in TLS is the content-type, and 30 is not a valid value for content type (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-pa…). Any idea ? I would like to avoid making the injection script connect to all my preprod consumers and restart slapd on them. Please feel free to ask for more logs / configurations. Log on the provider : May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: slap_listener_activate(9): May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 busy May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: >>> slap_listener(ldap:///) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: listen=9, new connection on 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: added 18r (active) listener=(nil) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 fd=18 ACCEPT from IP=192.168.115.61:33816 (IP=0.0.0.0:389) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: 18r May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: read active on 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18): got connid=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): checking for input on id=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: op tag 0x77, time 1496231248 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 op=0 do_extended May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 op=0 EXT oid=1.3.6.1.4.1.1466.20037 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: do_extended: oid=1.3.6.1.4.1.1466.20037 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 op=0 STARTTLS May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: send_ldap_extended: err=0 oid= len=0 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: send_ldap_response: msgid=1 tag=120 err=0 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 op=0 RESULT oid= err=0 text= May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: 18r May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: read active on 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18): got connid=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): checking for input on id=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: 18r May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: read active on 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18): got connid=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): checking for input on id=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): unable to get TLS client DN, error=49 id=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 fd=18 TLS established tls_ssf=128 ssf=128 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 2 descriptors May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: 18r May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: read active on 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_get(18): got connid=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): checking for input on id=1010 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: ber_get_next on fd 18 failed errno=0 (Success) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_read(18): input error=-2 id=1010, closing. May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_closing: readying conn=1010 sd=18 for close May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: connection_close: conn=1010 sd=18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: removing 18 May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: conn=1010 fd=18 closed (connection lost) May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=12 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-master-pp slapd[5828]: daemon: epoll: listen=13 active_threads=0 tvp=zero Log on the consumer : May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: =>do_syncrepl rid=006 May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=11 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: slap_client_connect: URI=ldap://ldap-master-pp.acme Error, ldap_start_tls failed (-11) May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: do_syncrepl: rid=006 rc -11 retrying May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: activity on 1 descriptor May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: activity on: May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=9 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=10 active_threads=0 tvp=zero May 31 13:47:28 lxc-sd-ldap-replica-pp-prim slapd[32753]: daemon: epoll: listen=11 active_threads=0 tvp=zero syncrepl config on consumer : olcSyncrepl: {0}rid=6 provider=ldap://ldap-master-pp.acme starttls=critical t ls_reqcert=never bindmethod=simple binddn="cn=replication,ou=Applications,d c=acme,dc=fr" credentials=**** searchbase="dc=acme,dc=fr" schemacheck ing=off type=refreshAndPersist filter="(objectClass=*)" attrs="*" scope=sub retry="60 +" TLS config on provider : dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 9efabaca-b31f-1036-9746-2d4f8feb88f1 creatorsName: cn=config createTimestamp: 20170411162820Z olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key olcLogLevel: 256 entryCSN: 20170531131949.877388Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170531131949Z

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2017