Re: Overlay Chain Extended Passmod Problem

Hi,

* masarati@aero.polimi.it masarati@aero.polimi.it [10.04.2010 07:19]:

You don't clearly state what your configuration is, so I can only guess. I presume you're using the ppolicy overlay. I set up a syncrepl producer/consumer with slapo-chain on the consumer and slapo-ppolicy on both servers, and I'm hitting the consumer with passmod requests that are chained to the producer, using TLS both client to consumer and in chaining. It seems to be working just fine, I had no failures after hundreds of operations. Would you mind sharing your configuration and an example passmod, in order to reproduce the issue? More details, e.g. about what TLS support you're using, and software versions would be helpful.

sorry for my uncleary description. The OpenLDAP Master is at time a self-compiled OpenLDAP 2.4.20 on a Sles11. The Slaves have different packages and are different distros. We use Ubuntu, Suse and Debian installations. The effect is always the same. In the morning the first extended passmod operation fails. We can't see a tcp packet on the outgoing interface on the slave. After the first fail all works fine. The whole day. There are working more than 500 User on the Samba Servers without problems. If we restart the slapd before the first extended passmod the operation is successfully. We have checked ntp, dns, routing, firewalls and so on without a result.

We define and undefine idletimeouts, TLSRandFile and so on. But without a result. In the morning before the User are working the first extended passmod over overlay chain and TLS fails. If we disable TLS always works fine.

I would like to know where the problem is. At the first time we searched at the virtual systems but the problem exists also on physical machines.

Here our configure command: --------------------------- ./configure --with-tls --with-cyrus-sasl --enable-overlays --enable-modules \ --enable-rewrite --enable-wrapper --enable-dynamic --enable-ldap

We use openssl support.

Here the OpenLDAP 2.4.20 Master configuration: ---------------------------------------------- include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/ppolicy.schema include /usr/local/etc/openldap/schema/samba3.schema include /usr/local/etc/openldap/schema/kerberos.schema include /usr/local/etc/openldap/schema/siegnetz.schema

pidfile /usr/local/var/run/slapd/slapd.pid

argsfile /usr/local/var/run/slapd/slapd.args

#loglevel trace args filter stats parse loglevel sync #loglevel conns

authz-policy all

moduleload back_hdb moduleload accesslog moduleload syncprov moduleload smbk5pwd

sizelimit unlimited idletimeout 300 writetimeout 300

defaultsearchbase dc=camelot,dc=de

TLSCertificateFile /usr/local/etc/openldap/certs/cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/certs/key.pem TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem TLSVerifyClient demand

authz-regexp "uid=rzimmermann,cn=gssapi,cn=auth" "cn=ldapadmin,dc=camelot,dc=de" authz-regexp "email=r.zimmermann@siegnetz.de,cn=r.zimmermann@siegnetz.de,ou=EDV,o=Siegnetz,l=Siegen,st=NRW,c=DE" "cn=ldapadmin,dc=camelot,dc=de"

tool-threads 1 threads 16

limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited limits dn.exact="cn=backupadmin,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

<snip> ACLS </snip>

backend hdb database config rootdn cn=config rootpw {SSHA}xxxxxxx security ssf=128

access to dn="olcDatabase={2}hdb,cn=config" attrs=olcReadOnly by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write by break

access to dn="olcDatabase={3}hdb,cn=config" attrs=olcReadOnly by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write by break

database monitor rootdn "cn=monitoring,cn=monitor" rootpw {SSHA}xxxxxx security ssf=128

database hdb suffix "cn=logs" cachesize 10000 rootdn "cn=logs" rootpw {SSHA}xxxxxx directory /var/lib/ldaplogs/data security ssf=128 dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 dbconfig set_data_dir /var/lib/ldaplogs/data dbconfig set_lg_dir /var/lib/ldaplogs/logs dbconfig set_lk_max_objects 2000 dbconfig set_lk_max_locks 2000 dbconfig set_lk_max_lockers 2000 checkpoint 1024 5 index default eq index objectClass,entryCSN,entryUUID eq index reqEnd,reqResult,reqStart,reqMod eq overlay syncprov syncprov-reloadhint TRUE syncprov-nopresent TRUE

database hdb suffix "dc=camelot,dc=de" cachesize 50000 idlcachesize 150000 security ssf=128 rootdn "cn=masteradmin,dc=camelot,dc=de" rootpw {SSHA}xxxxxx directory "/var/lib/ldap/data" dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 dbconfig set_data_dir /var/lib/ldap/data dbconfig set_lg_dir /var/lib/ldap/logs dbconfig set_lk_max_objects 2000 dbconfig set_lk_max_locks 2000 dbconfig set_lk_max_lockers 2000 index default eq index objectClass,entryCSN,entryUUID eq index memberUid,gidNumber,displayName,mail,uidNumber,homeDirectory,loginShell,employeeNumber eq index sambaDomainName,sambaPrimaryGroupSID,sambaGroupType,sambaSIDList eq index krbPrincipalName eq index cn,sn,uid pres,eq,approx,sub index sambaSID eq,sub index associatedDomain,rfc822MailMember eq index snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer,snitDynamicGroupMember eq lastmod on checkpoint 1024 5 overlay accesslog logdb "cn=logs" logsuccess TRUE logops writes logpurge 07+00:00 01+00:00 logold (objectClass=*)

overlay syncprov syncprov-checkpoint 100 1

overlay valsort valsort-attr memberUid dc=camelot,dc=de alpha-ascend valsort-attr member dc=camelot,dc=de alpha-ascend valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend

overlay dynlist dynlist-attrset groupOfNames labeledURI member

overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"

overlay refint refint_attributes member manager owner seeAlso refint_nothing "cn=dummyuser,dc=camelot,dc=de"

overlay unique unique_uri ldap:///?mail?sub? unique_uri ldap:///?uid?sub? unique_uri ldap:///?uidNumber?sub? unique_uri ldap:///?employeeNumber?sub? unique_uri ldap:///?sambaSID?sub? unique_uri ldap:///?snitPrimaryMailAddress?sub?

overlay smbk5pwd

Here the configuration of a OpenLDAP 2.4.21 Slave(Samba): ---------------------------------------------------------

include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/ppolicy.schema include /usr/local/etc/openldap/schema/samba3.schema include /usr/local/etc/openldap/schema/kerberos.schema include /usr/local/etc/openldap/schema/siegnetz.schema

referral ldap://master.camelot.de

pidfile /usr/local/var/run/slapd/slapd.pid

argsfile /usr/local/var/run/slapd/slapd.args

authz-policy all

#loglevel sync stats loglevel sync

moduleload back_hdb moduleload accesslog moduleload syncprov moduleload back_ldap moduleload dynlist moduleload ppolicy moduleload unique

sizelimit unlimited

idletimeout 300 writetimeout 300 conn_max_pending 256

defaultsearchbase dc=camelot,dc=de

TLSCertificateFile /usr/local/etc/openldap/certs/cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/certs/key.pem TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem TLSVerifyClient demand

tool-threads 2 threads 16

overlay chain chain-uri ldap://master.camelot.de chain-tls start tls_reqcert="demand" tls_cert="/usr/local/etc/openldap/certs/cert.pem" tls_key="/usr/local/etc/openldap/certs/key.pem" tls_cacert="/usr/local/etc/openldap/certs/cacert.pem" chain-idassert-bind bindmethod=simple binddn="cn=sambaadmin,dc=camelot,dc=de" credentials="xxxxxx" mode="self" flags=non-prescriptive chain-rebind-as-user TRUE chain-return-error TRUE chain-conn-ttl 600 chain-idle-timeout 300 chain-protocol-version 3

limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited limits dn.exact="cn=sambaadmin,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

<snip> ACLS </snip>

backend hdb database monitor rootdn "cn=monitoring,cn=monitor" rootpw {SSHA}xxxxxx security ssf=128

database config rootdn cn=config rootpw {SSHA}xxxxxx security ssf=128

database hdb suffix "dc=camelot,dc=de" cachesize 50000 idlcachesize 150000 security ssf=128 rootdn "cn=masteradmin,dc=camelot,dc=de" rootpw {SSHA}xxxxxxx directory /var/lib/ldap/data readonly FALSE checkpoint 1024 5 dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 dbconfig set_data_dir /var/lib/ldap/data dbconfig set_lg_dir /var/lib/ldap/logs dbconfig set_lk_max_objects 2000 dbconfig set_lk_max_locks 2000 dbconfig set_lk_max_lockers 2000 dbConfig set_flags DB_LOG_AUTOREMOVE index default eq index objectClass,entryCSN,entryUUID eq index memberUid,gidNumber,uidNumber,mail,homeDirectory,loginShell,displayName,employeeNumber eq index sambaDomainName,sambaGroupType,sambaSIDList,sambaPrimaryGroupSID eq index sambaSID eq,sub index krbPrincipalName eq index cn,sn,uid pres,eq,approx,sub index associatedDomain,rfc822MailMember eq index snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer eq index snitPrimaryMailAddress,snitRecipientRestrictedMailAddress,snitSenderRestrictedMailAddress,snitDynamicGroupMember eq syncrepl rid=001 provider=ldap://master.camelot.de uri=ldap://master.camelot.de searchbase="dc=camelot,dc=de" type=refreshandpersist interval=00:00:00:10 retry="10 6 30 6 60 +" bindmethod=simple binddn="cn=replicator,dc=camelot,dc=de" credentials="xxxxxx" schemachecking=on attrs="*,+" filter="(objectClass=*)" scope=sub logbase="cn=logs" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog starttls=critical tls_cert=/usr/local/etc/openldap/certs/cert.pem tls_key=/usr/local/etc/openldap/certs/key.pem tls_cacert=/usr/local/etc/openldap/certs/cacert.pem updateref ldap://master.camelot.de

overlay valsort valsort-attr memberUid dc=camelot,dc=de alpha-ascend valsort-attr member dc=camelot,dc=de alpha-ascend valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend

overlay dynlist dynlist-attrset groupOfNames labeledURI member

overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"

Regards Ralf Zimmermann

--

.''`. Ralf Zimmermann : :' : SIEGNETZ.IT GmbH `. `' Schneppenkauten 1a `- 57076 Siegen

Tel.: +49 271 68193 13 Fax.: +49 271 68193 29

Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen