openldap-technical July 2019

openldap-technical@openldap.org

29 participants
22 discussions

Replication persistence
by Nebula WAN 08 Jul '19

08 Jul '19

Hello I have a replication problem between two OpenLDAP 2.44 servers configured as multimasters on CentOS 7.3 : The minimal configuration of both are correct (connection OK with admin credentials), I replicate the config and hdb databases as you can see in the configuration above, I use LDAPAdmin to connect to each of them and check if the replication works by creating a test OU: they replicate well. After a week or more, automatic replication no longer works: I have to restart the slapd service to see the data exchange between the two servers ... I have contextCSN for both but they are fixed at the installation date. Do you have an idea ? Thank you Here are the configuration (the olcServerID change in server2's configuration) : dn: olcDatabase={0}config,cn=config changeType: modify add: olcAccess olcAccess: to * by dn.exact="cn=ldapadm,dc=test,dc=factory" manage by * break dn: olcDatabase={2}hdb,cn=config changeType: modify add: olcAccess olcAccess: to * by dn.exact="cn=ldapadm,dc=test,dc=factory" manage by * break dn: cn=config changetype: modify add: olcServerID olcServerID: 1 dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=test,dc=factory" read by * none ### Updating ID ### dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://server1.test.factory olcServerID: 2 ldap://server2.test.factory ### Enabling CONFIG Replication ### dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ### Configuring CONFIG replication ### dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://server1.test.factory binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://server2.test.factory binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE ### Enabling HDB Replication ### dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ### Configuring HDB replication ### dn: olcDatabase={2}hdb,cn=config add: olcSyncRepl olcSyncRepl: rid=004 provider=ldap://server1.test.factory binddn="cn=ldapadm,dc=test,dc=factory" bindmethod=simple credentials=password searchbase="dc=test,dc=factory" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=ldap://server2.test.factory binddn="cn=ldapadm,dc=test,dc=factory" bindmethod=simple credentials=password searchbase="dc=test,dc=factory" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 - add: olcDbIndex olcDbIndex: entryUUID eq - add: olcDbIndex olcDbIndex: entryCSN eq - add: olcMirrorMode olcMirrorMode: TRUE

2 1

How to configure OpenLDAP on Debian Stretch to support SSLv3.0
by Jeremy Davis 02 Jul '19

02 Jul '19

Hi all, I'm writing on behalf of a user ragrading how to go about configuring LDAPS support for SSLv3.0 certificate under OpenLDAP v2.4.44 - running on Debian 9/Stretch (default Debian 'slapd' package install). I know that SSLv3.0 is insecure and generally a bad option, but a user needs to connect to LDAPS with an old application that only supports SSLv3.0. I understand that a complicating factor may be that the Debian OpenLDAP (slapd) package is compiled against GnuTLS, rather than OpenSSL. Any insight that might head me in the right direction would be greatly appreciated. Also please note that I'm a bit of an OpenLDAP newb and my knowledge of SSL/TLS is more related to web servers/browsers and more about "best practices" rather than tweaking to be more permissive. Regards, Jeremy Davis TurnKey Linux

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2019