Aaron Bennett wrote:
Hello,
I’ve got two 2.4.28 boxes and I’m trying to get two-way multimaster replication set up – first for cn=config, and then for the entire tree.
I can attach more of config.ldif if needed, but here are what I think are the relevant snippets:
First thing that leaps out is, of course, the certificate is for ds.clarku.edu and the hosts are called animal.clarku.edu and zoot.clarku.edu; that’s needed because I intend to round-robin those two hosts. I have TLS_REQCERT never in ldap.conf on each machine and I can do a successful “ldapsearch -H ldaps://animal.clarku.edu -x -D "cn=config" -W -b cn=config” from each machine to the other.
You have not started slapd with the correct URL in the -h option, therefore the olcServerIDs are not being picked up correctly.
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 25
olcConfigDir: /etc/openldap/ldap/slapd.d
olcConfigFile: /etc/openldap/slapd.conf
olcConnMaxPending: 400
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexIntLen: 4
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcLocalSSF: 71
olcLogLevel: stats sync
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcServerID: 1 ldaps://animal.clarku.edu
olcServerID: 2 ldaps://zoot.clarku.edu
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 25
olcTLSCACertificatePath: /etc/openldap/nssdb
olcTLSCertificateFile: ds.clarku.edu
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMirrorMode: TRUE
olcMonitoring: FALSE
olcReadOnly: FALSE
olcRootDN: cn=config
olcRootPW: {SSHA}<PASSWORD>
olcSyncrepl: {0}rid=001 provider=ldaps://animal.clarku.edu binddn="cn=config" bindmethod="simple" credentials="<PASSWORD>" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldaps://zoot.clarku.edu binddn="cn=config" bindmethod="simple" credentials="<PASSWORD>" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
Here’s the -d1 output:
4f2ae081 do_syncrepl: rid=001 rc -1 retrying (4 retries left)
4f2ae081 slap_listener_activate(9):
4f2ae081 >>> slap_listener(ldaps:///)
4f2ae081 connection_get(15): got connid=1000
4f2ae081 connection_read(15): checking for input on id=1000
TLS: using moznss security dir /etc/openldap/nssdb prefix .
TLS: certificate [CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA] is valid
4f2ae081 connection_get(15): got connid=1000
4f2ae081 connection_read(15): checking for input on id=1000
TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 1, cache not reusable: 0
4f2ae081 connection_read(15): unable to get TLS client DN, error=49 id=1000
4f2ae081 connection_get(15): got connid=1000
4f2ae081 connection_read(15): checking for input on id=1000
ber_get_next
4f2ae081 ber_get_next on fd 15 failed errno=0 (Success)
4f2ae081 connection_close: conn=1000 sd=15
4f2ae086 =>do_syncrepl rid=001
ldap_create
ldap_url_parse_ext(ldaps://animal.clarku.edu)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP animal.clarku.edu:636
4f2ae086 slap_listener_activate(9):
4f2ae086 >>> slap_listener(ldaps:///)
4f2ae086 connection_get(18): got connid=1001
4f2ae086 connection_read(18): checking for input on id=1001
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 140.232.1.12:636
ldap_pvt_connect: fd: 15 tm: -1 async: 0
4f2ae086 connection_get(18): got connid=1001
4f2ae086 connection_read(18): checking for input on id=1001
TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 2, cache not reusable: 0
4f2ae086 connection_read(18): unable to get TLS client DN, error=49 id=1001
4f2ae086 connection_get(18): got connid=1001
4f2ae086 connection_read(18): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 31 contents:
4f2ae086 op tag 0x60, time 1328210054
ber_get_next
4f2ae086 conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
4f2ae086 >>> dnPrettyNormal: <cn=config>
4f2ae086 <<< dnPrettyNormal: <cn=config>, <cn=config>
4f2ae086 do_bind: version=3 dn="cn=config" method=128
4f2ae086 do_bind: v3 bind: "cn=config" to "cn=config"
4f2ae086 send_ldap_result: conn=1001 op=0 p=3
4f2ae086 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 18
4f2ae086 connection_get(18): got connid=1001
4f2ae086 connection_read(18): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 185 contents:
4f2ae086 op tag 0x63, time 1328210054
ber_get_next
4f2ae086 conn=1001 op=1 do_search
ber_scanf fmt ({miiiib) ber:
4f2ae086 >>> dnPrettyNormal: <cn=config>
4f2ae086 <<< dnPrettyNormal: <cn=config>, <cn=config>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
4f2ae086 => get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
4f2ae086 => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical)
ber_scanf fmt ({i) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (b) ber:
ber_scanf fmt (}) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
4f2ae086 => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical)
4f2ae086 <= get_ctrls: n=2 rc=0 err=""
4f2ae086 send_ldap_result: conn=1001 op=1 p=3
4f2ae086 send_ldap_result: conn=1001 op=1 p=3
4f2ae086 send_ldap_intermediate: err=0 oid=1.3.6.1.4.1.4203.1.9.1.4 len=2
4f2ae086 send_ldap_response: msgid=2 tag=121 err=0
ber_flush2: 37 bytes to sd 18
TLS: certificate [CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA] is valid
TLS certificate verification: subject: CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA, issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 2, cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 33 bytes to sd 15
ldap_result ld 0x7f59cc100910 msgid 1
wait4msg ld 0x7f59cc100910 msgid 1 (timeout 1000000 usec)
wait4msg continue ld 0x7f59cc100910 msgid 1 all 1
** ld 0x7f59cc100910 Connections:
- host: animal.clarku.edu port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Feb 2 14:14:14 2012
** ld 0x7f59cc100910 Outstanding Requests:
- msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f59cc100910 request count 1 (abandoned 0)
** ld 0x7f59cc100910 Response Queue:
Empty
ld 0x7f59cc100910 response count 0
ldap_chkResponseList ld 0x7f59cc100910 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f59cc100910 NULL
ldap_int_select
read1msg: ld 0x7f59cc100910 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7f59cc100910 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f59cc100910 0 new referrals
read1msg: mark request completed, ld 0x7f59cc100910 msgid 1
request done: ld 0x7f59cc100910 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 188 bytes to sd 15
4f2ae086 =>do_syncrep2 rid=001
ldap_result ld 0x7f59cc100910 msgid 2
wait4msg ld 0x7f59cc100910 msgid 2 (timeout 1000000 usec)
wait4msg continue ld 0x7f59cc100910 msgid 2 all 0
** ld 0x7f59cc100910 Connections:
- host: animal.clarku.edu port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Feb 2 14:14:14 2012
** ld 0x7f59cc100910 Outstanding Requests:
- msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f59cc100910 request count 1 (abandoned 0)
** ld 0x7f59cc100910 Response Queue:
Empty
ld 0x7f59cc100910 response count 0
ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f59cc100910 NULL
ldap_int_select
read1msg: ld 0x7f59cc100910 msgid 2 all 0
ber_get_next
ber_get_next: tag 0x30 len 35 contents:
read1msg: ld 0x7f59cc100910 msgid 2 message type intermediate
ldap_parse_intermediate
ber_scanf fmt ({) ber:
ber_scanf fmt (a) ber:
ber_scanf fmt (O) ber:
ber_scanf fmt (t{) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_result ld 0x7f59cc100910 msgid 2
wait4msg ld 0x7f59cc100910 msgid 2 (timeout 0 usec)
wait4msg continue ld 0x7f59cc100910 msgid 2 all 0
** ld 0x7f59cc100910 Connections:
- host: animal.clarku.edu port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Feb 2 14:14:14 2012
** ld 0x7f59cc100910 Outstanding Requests:
- msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f59cc100910 request count 1 (abandoned 0)
** ld 0x7f59cc100910 Response Queue:
Empty
ld 0x7f59cc100910 response count 0
ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f59cc100910 NULL
ldap_int_select
4f2ae08a connection_get(15): got connid=0
4f2ae08a =>do_syncrepl rid=001
4f2ae08a =>do_syncrep2 rid=001
ldap_result ld 0x7f59cc100910 msgid 2
wait4msg ld 0x7f59cc100910 msgid 2 (timeout 0 usec)
wait4msg continue ld 0x7f59cc100910 msgid 2 all 0
** ld 0x7f59cc100910 Connections:
- host: animal.clarku.edu port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Feb 2 14:14:14 2012
** ld 0x7f59cc100910 Outstanding Requests:
- msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f59cc100910 request count 1 (abandoned 0)
** ld 0x7f59cc100910 Response Queue:
Empty
ld 0x7f59cc100910 response count 0
ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0
ldap_chkResponseList returns ld 0x7f59cc100910 NULL
ldap_int_select
read1msg: ld 0x7f59cc100910 msgid 2 all 0
ber_get_next
ldap_err2string
4f2ae08a do_syncrep2: rid=001 (-1) Can't contact LDAP server
ldap_err2string
4f2ae08a connection_get(15): got connid=0
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 1 1
ldap_free_connection: actually freed
Thanks for your time – any help is appreciated.
- Aaron
Aaron Bennett
Manager of Systems Administration
Clark University ITS
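A small checker for the point raised in the reply above, added here as an example and not part of the original thread or of OpenLDAP itself: it reads the olcServerID lines from a cn=config LDIF (unfolding LDIF continuation lines, which begin with a space) and the slap_listener(...) lines from slapd -d1 output, then reports which olcServerID, if any, matches a listener URL. The sample LDIF and debug lines are constructed after the ones in the thread. The matching rule used (scheme and host equal, case-insensitively; a host-less listener such as ldaps:/// matches none of the numbered entries) is this example's simplification of how slapd selects its serverID from the -h URLs, not OpenLDAP's own code.

```python
# Added example (not from the original thread): check whether any olcServerID
# URL in cn=config matches a listener URL that slapd actually started with.
# Assumed matching rule for this example: scheme and host must be equal
# (case-insensitive); a listener with no host part, such as ldaps:///, names
# no host and therefore matches none of the numbered olcServerID entries.
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the thread's config.ldif; the olcSyncrepl
# value is folded the way LDIF folds long lines (continuation = leading space).
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldaps://animal.clarku.edu
olcServerID: 2 ldaps://zoot.clarku.edu
olcSyncrepl: {0}rid=001 provider=ldaps://animal.clarku.edu binddn="cn=config
 " bindmethod="simple" credentials="<PASSWORD>" searchbase="cn=config"
"""

# Constructed sample modelled on the slapd -d1 lines in the thread.
SAMPLE_DEBUG_NO_HOST = """\
4f2ae081 slap_listener_activate(9):
4f2ae081 >>> slap_listener(ldaps:///)
4f2ae081 connection_get(15): got connid=1000
"""

# Constructed: the same listener line as it would look with a host in -h.
SAMPLE_DEBUG_WITH_HOST = "4f2ae081 >>> slap_listener(ldaps://animal.clarku.edu)\n"


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def server_ids(ldif_text):
    """Return {serverid: url} for every olcServerID attribute that names a URL."""
    ids = {}
    for line in unfold_ldif(ldif_text):
        m = re.match(r"olcServerID:\s*(\d+)\s+(\S+)\s*$", line)
        if m:
            ids[int(m.group(1))] = m.group(2)
    return ids


def listener_urls(debug_text):
    """Extract the URL of every slap_listener(...) line from -d1 output."""
    return re.findall(r"slap_listener\(([^)]*)\)", debug_text)


def url_key(url):
    """Normalise a URL to the (scheme, host) pair this example compares on."""
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else ""
    return parts.scheme.lower(), host


def matching_server_id(ldif_text, debug_text):
    """Return (serverid, url) of the first olcServerID matching a listener, else None."""
    listeners = {url_key(u) for u in listener_urls(debug_text)}
    for sid, url in sorted(server_ids(ldif_text).items()):
        key = url_key(url)
        # Require a real host on the olcServerID side so ldaps:/// never "matches".
        if key[1] and key in listeners:
            return sid, url
    return None


def diagnose(ldif_text, debug_text):
    """Human-readable verdict, in the spirit of the reply in the thread."""
    match = matching_server_id(ldif_text, debug_text)
    if match is None:
        return ("no olcServerID URL matches listeners %s; start slapd with -h "
                "naming one of %s" % (listener_urls(debug_text),
                                      sorted(server_ids(ldif_text).values())))
    return "this node is serverID %d (%s)" % match


if __name__ == "__main__":
    print(diagnose(SAMPLE_LDIF, SAMPLE_DEBUG_NO_HOST))
    print(diagnose(SAMPLE_LDIF, SAMPLE_DEBUG_WITH_HOST))
```

Run against the thread's own output, where the listener is ldaps:/// with no host, the check finds no matching olcServerID, which is the condition the reply describes; with a listener of ldaps://animal.clarku.edu it resolves to serverID 1.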