I've a sandbox environment with 2 CentOS 6.2 servers running the genuine openldap-servers rpms, that is OpenLDAP 2.4.23 .I've setup a multi-master replication between the servers, so that both my data DIT (dc=....,dc=.... ) and the cn=config should be replicated.
Actually, the replication of data works fine, as expected in either way, but the replication of the configuration tree fails:
each time I update the configuration on the second node, I get this error in my LDAP client (Apache Directory Studio):
could not put entry file in place
I've tried to run the second master in debug (-d -1) mode, and it seems like there's a write access error when the slapd daemon
(on the 2nd master) tries to update/modify/replace the /etc/openldap/slapd.d/cn=config.ldif file:
<= acl_access_allowed: granted to database root
ldif_write_entry: could not put entry file for "cn=config" in place: Permission denied
send_ldap_result: conn=-1 op=0 p=3
send_ldap_result: err=80 matched="" text="internal error (could not put entry file in place)"
send_ldap_result: conn=-1 op=0 p=3
send_ldap_result: err=80 matched="" text="internal error (could not put entry file in place)"
null_callback : error code 0x50
slap_graduate_commit_csn: removing 0x7fd19412f090 20120510163105.003156Z#000000#001#000000
syncrepl_updateCookie: rid=001 be_modify failed (80)
ldap_msgfree
The OpenLDAP error log shows the following error:
May 10 19:12:39 sashimi slapd[24866]: slapd starting
May 10 19:12:40 sashimi slapd[24866]: ldif_write_entry: cannot create file for "olcDatabase={0}config,cn=config": Permission denied
May 10 19:12:40 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:12:40 sashimi slapd[24866]: syncrepl_entry: rid=001 be_modify failed (80)
May 10 19:12:40 sashimi slapd[24866]: do_syncrepl: rid=001 rc -1 quitting
May 10 19:12:50 sashimi slapd[24866]: ldif_write_entry: could not put entry file for "cn=config" in place: Permission denied
May 10 19:12:50 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:12:50 sashimi slapd[24866]: syncrepl_updateCookie: rid=001 be_modify failed (80)
May 10 19:13:00 sashimi slapd[24866]: ldif_write_entry: could not put entry file for "cn=config" in place: Permission denied
May 10 19:13:00 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:13:00 sashimi slapd[24866]: syncrepl_updateCookie: rid=001 be_modify failed (80)
May 10 19:13:10 sashimi slapd[24866]: ldif_write_entry: could not put entry file for "cn=config" in place: Permission denied
May 10 19:13:10 sashimi slapd[24866]: null_callback : error code 0x50
May 10 19:13:10 sashimi slapd[24866]: syncrepl_updateCookie: rid=001 be_modify failed (80)
Of course, I don't have any right access problems at the file system level, I don't have any file system ACLs, I don't use SELinux and
I've checked that I can update or create any file under /etc/openldap/slapd.d, when logged in as the ldap user (who's the account used
to run slapd).
So, this error looks like a bug to me. Already fixed ?
To setup the replication of both data and configuration, I've copied the full /etc/openldap directory from one server to the other, with the
same file system rights. I've just changed the server certificate files since I use TLS to replicate both the data and the configuration. So, I don't have
any TLS problem since the data tree replication works fine.
Here's my replication configuration for the cn=config database:
dn: olcDatabase={0}config,cn=config
...
....
olcSyncRepl: rid=001 provider=ldap://......:389 binddn="cn=config" bindmethod=simple credentials="......" searchbase="cn=config" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes
tls_cacert=/etc/openldap/conf/cacert.pem
olcSyncRepl: rid=002 provider=ldap://.....:389 binddn="cn=config" bindmethod=simple credentials="....... " searchbase="cn=config" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_cacert=/etc/openldap/conf/cacert.pem
I actually use the same setup than for the data replication, excepted that I have rid=003 and rid=004 of course for data replication, and the BIND DN and passwords are different too.
--
Cyril