Hi all,
last week I wrote to the list because I have a problem with the overlay chain. Today I traced the problem. The configuration and the host are the same. OpenLDAP syncrepl runs fine over the weekend. But if I want to change a password, nothing happens. I can't see any packet with tcpdump from the slave to the master. I traced slapd with loglevel=65535. The slave is OpenLDAP 2.4.21.
# Here the trace with no successful passmod operation:
conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de") )
# Here the trace after I restart slapd with exactly the same config
# and working passmod operation:
conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
When the passmod operation is successful there are hdb_dn2id entries in the trace. When the passmod operation is not successful the entries don't exist. What happens that I must restart slapd? The configuration is the same and all other things work fine. Only the write operations to the master hang. If I make a passmod without TLS everything works fine and I can change the password after I restarted the slapd on the slave. Then I can change the passwords the whole day. Tomorrow I'll have to restart slapd on the slave because the passmod operation is not successful.
Any ideas?
You don't clearly state what your configuration is, so I can only guess. I presume you're using the ppolicy overlay. I set up a syncrepl producer/consumer with slapo-chain on the consumer and slapo-ppolicy on both servers, and I'm hitting the consumer with passmod requests that are chained to the producer, using TLS both client to consumer and in chaining. It seems to be working just fine; I had no failures after hundreds of operations. Would you mind sharing your configuration and an example passmod, in order to reproduce the issue? More details, e.g. about what TLS support you're using, and software versions would be helpful.
p.