Hi,
* masarati(a)aero.polimi.it <masarati(a)aero.polimi.it> [10.04.2010 07:19]:
You don't clearly state what your configuration is, so I can only
guess.
I presume you're using the ppolicy overlay. I set up a syncrepl
producer/consumer with slapo-chain on the consumer and slapo-ppolicy on
both servers, and I'm hitting the consumer with passmod requests that are
chained to the producer, using TLS both client to consumer and in
chaining. It seems to be working just fine, I had no failures after
hundreds of operations. Would you mind sharing your configuration and an
example passmod, in order to reproduce the issue? More details, e.g.
about what TLS support you're using, and software versions would be
helpful.
Sorry for my unclear description. The OpenLDAP master is currently a
self-compiled OpenLDAP 2.4.20 on SLES 11. The slaves run different packages
on different distributions (Ubuntu, SUSE and Debian). The effect is always the
same: in the morning, the first extended password-modify (passmod) operation
fails, and we see no TCP packet leave the slave's outgoing interface. After
that first failure everything works fine for the rest of the day; more than 500
users work on the Samba servers without problems. If we restart slapd before the
first extended passmod, the operation succeeds. We have checked NTP, DNS,
routing, firewalls and so on without result.
We have tried setting and unsetting idletimeouts, TLSRandFile and so on, without
result. In the morning, before the users start working, the first extended
passmod sent through the chain overlay over TLS fails; with TLS disabled it
always works. I would like to know where the problem is. At first we suspected
the virtual systems, but the problem also exists on physical machines.
Here is our configure command:
---------------------------
# Build flags for the self-compiled slapd: TLS (the mail says OpenSSL is used),
# Cyrus SASL, all overlays as loadable modules, rewrite/wrapper support and
# back-ldap (--enable-ldap), which slapo-chain on the consumer relies on.
# NOTE(review): --with-tls accepts a library name; "--with-tls=openssl" would
# pin the TLS implementation instead of relying on auto-detection.
./configure \
  --with-tls \
  --with-cyrus-sasl \
  --enable-overlays \
  --enable-modules \
  --enable-rewrite \
  --enable-wrapper \
  --enable-dynamic \
  --enable-ldap
We use openssl support.
Here is the OpenLDAP 2.4.20 master configuration:
----------------------------------------------
# --- Producer (master) slapd.conf: global section ---
# NOTE(review): this listing was pasted into mail, which stripped the leading
# whitespace that marks slapd.conf continuation lines (the second line of each
# authz-regexp and limits directive below, and of the multi-line index lines).
# Schemas: standard ones plus ppolicy, samba3, kerberos and the site schema.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/samba3.schema
include /usr/local/etc/openldap/schema/kerberos.schema
include /usr/local/etc/openldap/schema/siegnetz.schema
pidfile /usr/local/var/run/slapd/slapd.pid
argsfile /usr/local/var/run/slapd/slapd.args
# Alternate loglevels kept for troubleshooting; only "sync" is active.
#loglevel trace args filter stats parse
loglevel sync
#loglevel conns
# Proxy authorization policy. The consumer's chain-idassert-bind (mode=self)
# depends on this; which identities may authorize as whom is decided by the
# authzFrom/authzTo attributes on the entries involved (not shown here).
# See slapd.conf(5) for how "all" combines the two rules.
authz-policy all
moduleload back_hdb
moduleload accesslog
moduleload syncprov
moduleload smbk5pwd
sizelimit unlimited
# Server-side idle/write timeouts in seconds. NOTE(review): idletimeout 300
# here is shorter than the consumer's chain-conn-ttl (600), so the producer
# side of a cached chained connection can be closed while the consumer still
# considers it usable — worth checking against the reported "first passmod of
# the day fails, no packet on the wire" symptom (TODO confirm).
idletimeout 300
writetimeout 300
defaultsearchbase dc=camelot,dc=de
# Server certificate/key and the CA bundle used to verify client certificates.
TLSCertificateFile /usr/local/etc/openldap/certs/cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/key.pem
TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem
# Mutual TLS: every TLS client must present a certificate that verifies
# against cacert.pem (the consumer's chain and syncrepl tls_cert do so).
# NOTE(review): no TLSCipherSuite / TLSProtocolMin directive is visible in
# this excerpt — confirm weak ciphers and old protocol versions are disabled.
TLSVerifyClient demand
# Map one GSSAPI identity and one X.509 client-certificate subject onto the
# ldapadmin DN. The first argument is a regular expression; these contain no
# wildcards (only the unescaped "." are metacharacters), so each maps a single
# identity. Each second line is a continuation of the directive.
authz-regexp "uid=rzimmermann,cn=gssapi,cn=auth"
"cn=ldapadmin,dc=camelot,dc=de"
authz-regexp
"email=r.zimmermann@siegnetz.de,cn=r.zimmermann@siegnetz.de,ou=EDV,o=Siegnetz,l=Siegen,st=NRW,c=DE"
"cn=ldapadmin,dc=camelot,dc=de"
tool-threads 1
threads 16
# Unlimited time/size limits only for the replication and backup identities,
# so a full refresh or backup search is never truncated.
limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
limits dn.exact="cn=backupadmin,dc=camelot,dc=de" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
<snip>
ACLS
</snip>
# Backend-wide hdb section (no backend-level directives given).
backend hdb
# cn=config: the rootpw hash is redacted in this mail. ssf=128 requires a
# protected connection (TLS here) for every operation on this database.
database config
rootdn cn=config
rootpw {SSHA}xxxxxxx
security ssf=128
# backupadmin may toggle olcReadOnly on the two hdb databases — presumably
# {2}=cn=logs and {3}=dc=camelot,dc=de from the database order below (verify
# with slapcat -n0) — and only over a >=128-bit protected connection.
# "by break" hands every other request on to the following ACLs (snipped).
# The "by" lines are continuations of the access directive.
access to dn="olcDatabase={2}hdb,cn=config" attrs=olcReadOnly
by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write
by break
access to dn="olcDatabase={3}hdb,cn=config" attrs=olcReadOnly
by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write
by break
# cn=monitor: dedicated monitoring rootdn with its own (redacted) password;
# reachable only over a protected connection because of ssf=128.
database monitor
rootdn "cn=monitoring,cn=monitor"
rootpw {SSHA}xxxxxx
security ssf=128
# Accesslog database: the change log consumed by delta-syncrepl (the consumer
# points logbase="cn=logs" at it).
database hdb
suffix "cn=logs"
cachesize 10000
rootdn "cn=logs"
rootpw {SSHA}xxxxxx
directory /var/lib/ldaplogs/data
# Entries here carry the full content of every successful write (reqMod),
# which can include password attribute values. ssf=128 plus the (snipped)
# ACLs must keep this readable by the replicator only — TODO confirm ACLs.
security ssf=128
# BDB tuning; data and transaction-log directories are kept apart.
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_data_dir /var/lib/ldaplogs/data
dbconfig set_lg_dir /var/lib/ldaplogs/logs
dbconfig set_lk_max_objects 2000
dbconfig set_lk_max_locks 2000
dbconfig set_lk_max_lockers 2000
checkpoint 1024 5
index default eq
index objectClass,entryCSN,entryUUID eq
# Indexes used by the consumer's logfilter (reqResult) and by syncprov on
# accesslog entries.
index reqEnd,reqResult,reqStart,reqMod eq
# syncprov over the log database; reloadhint/nopresent are the documented
# settings for an accesslog-backed delta-syncrepl provider.
overlay syncprov
syncprov-reloadhint TRUE
syncprov-nopresent TRUE
# Primary directory (producer). Every operation needs ssf>=128, i.e. TLS.
database hdb
suffix "dc=camelot,dc=de"
cachesize 50000
idlcachesize 150000
security ssf=128
# rootdn bypasses all ACLs; its (redacted) password lives in this file,
# so the file's permissions are part of the security boundary.
rootdn "cn=masteradmin,dc=camelot,dc=de"
rootpw {SSHA}xxxxxx
directory "/var/lib/ldap/data"
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_data_dir /var/lib/ldap/data
dbconfig set_lg_dir /var/lib/ldap/logs
dbconfig set_lk_max_objects 2000
dbconfig set_lk_max_locks 2000
dbconfig set_lk_max_lockers 2000
index default eq
index objectClass,entryCSN,entryUUID eq
# The next two "index" directives span continuation lines (indent lost in
# the mail); uidNumber/gidNumber/memberUid serve NSS and Samba lookups.
index
memberUid,gidNumber,displayName,mail,uidNumber,homeDirectory,loginShell,employeeNumber eq
index sambaDomainName,sambaPrimaryGroupSID,sambaGroupType,sambaSIDList eq
index krbPrincipalName eq
index cn,sn,uid pres,eq,approx,sub
index sambaSID eq,sub
index associatedDomain,rfc822MailMember eq
index
snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer,snitDynamicGroupMember
eq
lastmod on
checkpoint 1024 5
# Record every successful write into cn=logs for delta-syncrepl; purge log
# entries older than 7 days, checking once a day.
overlay accesslog
logdb "cn=logs"
logsuccess TRUE
logops writes
logpurge 07+00:00 01+00:00
# Also store the pre-change copy of every modified/deleted entry.
logold (objectClass=*)
# Sync provider for the consumers; contextCSN is checkpointed every 100
# writes or every minute.
overlay syncprov
syncprov-checkpoint 100 1
# Keep multi-valued membership attributes sorted on return.
overlay valsort
valsort-attr memberUid dc=camelot,dc=de alpha-ascend
valsort-attr member dc=camelot,dc=de alpha-ascend
valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend
# Expand labeledURI on groupOfNames entries into computed member values.
overlay dynlist
dynlist-attrset groupOfNames labeledURI member
# Password policy; the default policy applies to entries without their own
# pwdPolicySubentry.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"
# Referential integrity for DN-valued pointers; when the last value of an
# attribute would be removed it is replaced by the dummy entry instead.
overlay refint
refint_attributes member manager owner seeAlso
refint_nothing "cn=dummyuser,dc=camelot,dc=de"
# Subtree-wide uniqueness of the identity attributes used by NSS, Samba
# and mail routing.
overlay unique
unique_uri ldap:///?mail?sub?
unique_uri ldap:///?uid?sub?
unique_uri ldap:///?uidNumber?sub?
unique_uri ldap:///?employeeNumber?sub?
unique_uri ldap:///?sambaSID?sub?
unique_uri ldap:///?snitPrimaryMailAddress?sub?
# smbk5pwd keeps Samba NT/LM hashes and Kerberos keys in step with password
# changes. No smbk5pwd-enable is given, so presumably every module it was
# built with is active — TODO confirm. NOTE(review): as the last overlay
# configured it is stacked outermost and sees a passmod before ppolicy does;
# confirm the ppolicy checks still apply to the passmods chained from the
# consumer.
overlay smbk5pwd
Here is the configuration of an OpenLDAP 2.4.21 slave (Samba server):
---------------------------------------------------------
# --- Consumer (slave) slapd.conf: global section ---
# NOTE(review): continuation-line indentation was stripped by the mail client
# (chain-idassert-bind arguments and limits below are continuation lines).
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/samba3.schema
include /usr/local/etc/openldap/schema/kerberos.schema
include /usr/local/etc/openldap/schema/siegnetz.schema
# Requests outside any local naming context are referred to the producer.
# The referral is a plain ldap:// URI; a client following it has to start
# TLS itself, and the producer's ssf=128 will reject it otherwise.
referral ldap://master.camelot.de
pidfile /usr/local/var/run/slapd/slapd.pid
argsfile /usr/local/var/run/slapd/slapd.args
# See the producer: proxy authorization policy; the sambaadmin identity used
# by chain-idassert-bind must be authorized on the producer side.
authz-policy all
#loglevel sync stats
loglevel sync
# back_ldap is what slapo-chain uses to forward operations. syncprov is
# loaded but no syncprov overlay is configured in this excerpt (presumably
# unused unless it appears in the snipped part).
moduleload back_hdb
moduleload accesslog
moduleload syncprov
moduleload back_ldap
moduleload dynlist
moduleload ppolicy
moduleload unique
sizelimit unlimited
idletimeout 300
writetimeout 300
conn_max_pending 256
defaultsearchbase dc=camelot,dc=de
# Consumer's own server certificate; the same key pair is presented as a
# client certificate to the producer by chain and syncrepl below.
TLSCertificateFile /usr/local/etc/openldap/certs/cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/key.pem
TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem
# Mutual TLS is demanded from every client of this consumer too.
TLSVerifyClient demand
# Chain overlay at the frontend, so it applies to every database: writes
# (the Samba passmods) are forwarded to the producer instead of returning
# the updateref referral.
overlay chain
chain-uri ldap://master.camelot.de
# StartTLS on the chained connection; tls_reqcert=demand verifies the
# producer certificate against cacert.pem, and tls_cert/tls_key satisfy
# the producer's TLSVerifyClient demand.
chain-tls start
tls_reqcert="demand"
tls_cert="/usr/local/etc/openldap/certs/cert.pem"
tls_key="/usr/local/etc/openldap/certs/key.pem"
tls_cacert="/usr/local/etc/openldap/certs/cacert.pem"
# Identity assertion: bind to the producer as sambaadmin (simple bind, the
# password is stored in clear text in this file — keep the file 0600) and
# assert the connecting user's own identity (mode=self) via proxyAuthz.
# flags=non-prescriptive: if the assertion is not permitted, the operation
# is still sent without it rather than failing (see slapo-chain(5)).
# NOTE(review): since a client certificate is already presented, a SASL
# EXTERNAL bind could replace the stored password — would need a matching
# authz-regexp on the producer; verify before changing.
# The following four lines continue the chain-idassert-bind directive.
chain-idassert-bind bindmethod=simple
binddn="cn=sambaadmin,dc=camelot,dc=de"
credentials="xxxxxx"
mode="self"
flags=non-prescriptive
# Re-bind to the producer with the client's own credentials when chasing;
# this means the user's simple-bind password is replayed to the producer
# over the StartTLS-protected chained connection.
chain-rebind-as-user TRUE
# Return the producer's error to the client instead of a referral.
chain-return-error TRUE
# Cached chained connections live at most 600 s and are dropped after 300 s
# idle. NOTE(review): the producer's idletimeout is 300 s, so a cached
# connection may be closed on the producer before the consumer's TTL
# expires — a plausible fit for the "first passmod of the day fails with no
# packet on the wire" symptom (TODO confirm by lowering chain-conn-ttl).
chain-conn-ttl 600
chain-idle-timeout 300
chain-protocol-version 3
# Unlimited limits for the replicator and the chain bind identity.
limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
limits dn.exact="cn=sambaadmin,dc=camelot,dc=de" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
<snip>
ACLS
</snip>
# Backend-wide hdb section (no backend-level directives given).
backend hdb
# cn=monitor with a dedicated rootdn/password; protected connection required.
database monitor
rootdn "cn=monitoring,cn=monitor"
rootpw {SSHA}xxxxxx
security ssf=128
# cn=config on the consumer: redacted rootpw; only reachable over ssf>=128.
# No olcReadOnly ACL is given here, unlike on the producer.
database config
rootdn cn=config
rootpw {SSHA}xxxxxx
security ssf=128
# Replicated copy of dc=camelot,dc=de (delta-syncrepl consumer).
database hdb
suffix "dc=camelot,dc=de"
cachesize 50000
idlcachesize 150000
security ssf=128
# NOTE(review): a rootdn bind on a consumer bypasses ACLs and the updateref,
# so local writes as masteradmin would diverge from the producer; keep this
# password distinct from the producer's and its use to administration.
rootdn "cn=masteradmin,dc=camelot,dc=de"
rootpw {SSHA}xxxxxxx
directory /var/lib/ldap/data
# Writes are accepted and forwarded by the chain overlay (or referred via
# updateref), rather than rejected outright.
readonly FALSE
checkpoint 1024 5
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_data_dir /var/lib/ldap/data
dbconfig set_lg_dir /var/lib/ldap/logs
dbconfig set_lk_max_objects 2000
dbconfig set_lk_max_locks 2000
dbconfig set_lk_max_lockers 2000
# BDB deletes transaction logs as soon as they are no longer needed; that
# rules out catastrophic recovery from logs, which is acceptable only
# because this copy can be re-synced from the producer.
dbConfig set_flags DB_LOG_AUTOREMOVE
index default eq
index objectClass,entryCSN,entryUUID eq
# Multi-line "index" directives below are continuation lines (indent lost).
index
memberUid,gidNumber,uidNumber,mail,homeDirectory,loginShell,displayName,employeeNumber eq
index sambaDomainName,sambaGroupType,sambaSIDList,sambaPrimaryGroupSID eq
index sambaSID eq,sub
index krbPrincipalName eq
index cn,sn,uid pres,eq,approx,sub
index associatedDomain,rfc822MailMember eq
index snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer eq
index
snitPrimaryMailAddress,snitRecipientRestrictedMailAddress,snitSenderRestrictedMailAddress,snitDynamicGroupMember
eq
# Replication from the producer. All lines up to updateref continue this
# one directive.
# NOTE(review): "uri=" is not a syncrepl keyword documented in slapd.conf(5)
# for 2.4 (provider= is) — check slapd's startup output for a warning.
# "interval" only applies to refreshOnly; with refreshAndPersist it is unused.
syncrepl rid=001
provider=ldap://master.camelot.de
uri=ldap://master.camelot.de
searchbase="dc=camelot,dc=de"
type=refreshandpersist
interval=00:00:00:10
retry="10 6 30 6 60 +"
# Simple bind as the replicator; the password is stored in clear text here.
bindmethod=simple
binddn="cn=replicator,dc=camelot,dc=de"
credentials="xxxxxx"
schemachecking=on
# All user and operational attributes are replicated.
attrs="*,+"
filter="(objectClass=*)"
scope=sub
# Delta-syncrepl: pull successful write records from the producer's
# accesslog database instead of whole entries.
logbase="cn=logs"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
# starttls=critical: replication aborts if StartTLS fails (no silent
# fallback to clear text). The client cert satisfies the producer's
# TLSVerifyClient demand. NOTE(review): tls_reqcert is not set here, unlike
# in the chain block — set it to demand explicitly rather than relying on
# the default, and confirm the producer certificate is verified.
starttls=critical
tls_cert=/usr/local/etc/openldap/certs/cert.pem
tls_key=/usr/local/etc/openldap/certs/key.pem
tls_cacert=/usr/local/etc/openldap/certs/cacert.pem
# Referral returned for writes that are not handled locally/chained.
updateref ldap://master.camelot.de
overlay valsort
valsort-attr memberUid dc=camelot,dc=de alpha-ascend
valsort-attr member dc=camelot,dc=de alpha-ascend
valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend
overlay dynlist
dynlist-attrset groupOfNames labeledURI member
# Password policy on the consumer. NOTE(review): ppolicy also records state
# (pwdFailureTime, lockout) on failed binds; on a consumer those updates need
# to reach the producer or be suppressed, otherwise the copy diverges —
# confirm how this version handles them (e.g. a forward-updates option).
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"
Regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen