Hi!
I had sent a request for documentation to the ITS, because I feel that something is wrong with OpenLDAP 2.4.26 (as shipped with SLES11 SP2), but I was redirected:
I wrote:
Full_Name: Ulrich Windl
Version: 2.4.26
OS: Linux (SLES11 SP2)
[...]
I was able to set up a master LDAP server and a replication consumer using the physical host names and TLS. However when I tried to bind slapd on a virtual IP address ("interface alias"), I never got slapd working (even though I fixed the certificates for TLS, of course). Dynamic configuration ("cn=config") seems to make things very difficult, because slapd ends in a state where _nobody_ can make configuration changes.
Use the openldap-technical mailing list to ask for configuration help.
You talk about IP addresses and yet in your quoted text below you are using hostnames. Be consistent when you post your question to the mailing list otherwise no one will understand what you're asking for.
--> Obviously slapd listens to ports, not to names, and names were invented so that people don't have to remember IP addresses, but you know.
--> Only with X.509 certificates is the relation between names and addresses of some importance, but you can believe me that I understand that.
Closing this ITS.
It seems slapd tried to use the wrong URI (using the physical host where nobody is listening):

slapd[10036]: slap_client_connect: URI=ldap://phost.domain.org/ Error, ldap_start_tls failed (-1)
slapd[10036]: do_syncrepl: rid=002 rc -1 retrying
slapd is listening on ldap://vhost.domain.org/ however.
--> You should believe me if I say so.
I read lots of procedures using Google, but could not find the solution for this problem. Thus I suggest adding documentation on how to configure such a scenario:
1) Set up an LDAP Master server that provides service on a specific IP address using TLS
2) Set up a replication consumer that provides service on a specific IP address using TLS also
3) The replication consumer should use the address where the master server listens for replication
It sounds like an every-day setup, but I failed multiple times, thus the request for documentation.
Still waiting for a procedure. Something seems to be non-obvious or broken.
Some details (randomly picked, with some names obfuscated):

(master server)
olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" credentials="wNkWudLd3ko8"
The process is started as "/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"
And the syslog messages I'm seeing over and over are like this:

Jul 5 08:23:16 v07 slapd[25914]: slap_client_connect: URI=ldap://v07.domain.org/ Error, ldap_start_tls failed (-1)
Jul 5 08:23:16 v07 slapd[25914]: do_syncrepl: rid=002 rc -1 retrying
Obviously a connection to the "v07" address is not possible, because the server listens to the "ds1" address. The interface settings look like this:

eth0      Link encap:Ethernet  HWaddr 00:16:3E:5C:DD:76
          inet addr:172.20.16.38  Bcast:172.20.17.255  Mask:255.255.254.0
          inet6 addr: fe80::216:3eff:fe5c:4d76/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6334378 errors:0 dropped:6 overruns:0 frame:0
          TX packets:237667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:421369553 (401.8 Mb)  TX bytes:49452419 (47.1 Mb)

eth0:ds1  Link encap:Ethernet  HWaddr 00:16:3E:5C:DD:76
          inet addr:172.20.17.200  Bcast:172.20.17.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
Using ldapmodify I get:

v07:~ # ldapmodify -v -ZZ -x -W -D cn=config -H ldap://ds1.domain.org -f /tmp/fix1.ldif
ldap_initialize( ldap://ds1.domain.org:389/??base )
Enter LDAP Password:
replace olcServerID:
        1 ldap://ds1.domain.org
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: shadow context; no update referral
When editing the files in the slapd.d directory, I get:

Jul 5 09:11:25 v07 slapd[15014]: @(#) $OpenLDAP: slapd 2.4.26 (Sep 26 2012 13:21:45) $ abuild@e71:/usr/src/packages/BUILD/openldap-2.4.26/servers/slapd
Jul 5 09:11:25 v07 slapd[15014]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
Jul 5 09:11:25 v07 slapd[15014]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
Jul 5 09:11:25 v07 slapd[15015]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Jul 5 09:11:25 v07 slapd[15015]: slapd starting
Jul 5 09:11:25 v07 slapd[15015]: slap_client_connect: URI=ldap://ds1.domain.org/ DN="uid=syncrepl,ou=system,dc=domain,dc=org" ldap_sasl_bind_s failed (49)
Jul 5 09:11:25 v07 slapd[15015]: do_syncrepl: rid=002 rc 49 retrying
Jul 5 09:11:25 v07 slapd[15015]: slap_client_connect: URI=ldap://ds1.domain.org/ DN="uid=syncrepl,ou=system,dc=domain,dc=org" ldap_sasl_bind_s failed (49)
Jul 5 09:11:25 v07 slapd[15015]: do_syncrepl: rid=001 rc 49 retrying
Jul 5 09:12:37 v07 nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
(So obviously the syncrepl provider has changed, but it still won't work)
Regards, Ulrich
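As an added triage aid (not part of the post above, and not OpenLDAP's own tooling), the script below pairs each "do_syncrepl ... retrying" syslog line with the preceding slap_client_connect URI of the same slapd pid, decodes the result code, and checks whether the provider host appears among the listeners on the provider's slapd command line. The sample log lines and the command line are taken from the post; the assumption is that the command line given is the one of the slapd the consumer is supposed to reach.

```python
import re

# Constructed sample input: the two failure patterns quoted in the post.
SAMPLE_LOG = """\
Jul 5 08:23:16 v07 slapd[25914]: slap_client_connect: URI=ldap://v07.domain.org/ Error, ldap_start_tls failed (-1)
Jul 5 08:23:16 v07 slapd[25914]: do_syncrepl: rid=002 rc -1 retrying
Jul 5 09:11:25 v07 slapd[15015]: slap_client_connect: URI=ldap://ds1.domain.org/ DN="uid=syncrepl,ou=system,dc=domain,dc=org" ldap_sasl_bind_s failed (49)
Jul 5 09:11:25 v07 slapd[15015]: do_syncrepl: rid=002 rc 49 retrying
"""

# The provider's slapd command line as quoted in the post (assumed to be the one to check).
SLAPD_CMDLINE = ("/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 "
                 "ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off")

# -1 is libldap's LDAP_SERVER_DOWN; 49/53 are standard LDAP result codes.
RC_MEANING = {-1: "cannot connect / StartTLS failed (LDAP_SERVER_DOWN)",
              49: "invalidCredentials: bind DN or password rejected",
              53: "unwillingToPerform"}

CONNECT_RE = re.compile(r"slapd\[(\d+)\]: slap_client_connect: URI=(\S+)")
RETRY_RE = re.compile(r"slapd\[(\d+)\]: do_syncrepl: rid=(\d+) rc (-?\d+) retrying")

def listener_hosts(cmdline):
    """Hostnames of the ldap:// and ldaps:// listeners given with -h (ldapi:/// has none)."""
    return set(re.findall(r"ldaps?://([^/:\s]+)", cmdline))

def syncrepl_failures(log_text, cmdline):
    """One record per 'retrying' line: rid, provider URI, rc, its meaning, and whether the
    provider host is one the checked slapd actually listens on (reachability vs. auth)."""
    local = listener_hosts(cmdline)
    last_uri = {}            # pid -> URI of the most recent slap_client_connect line
    out = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            last_uri[m.group(1)] = m.group(2)
            continue
        m = RETRY_RE.search(line)
        if m:
            pid, rid, rc = m.group(1), m.group(2), int(m.group(3))
            uri = last_uri.get(pid, "?")
            host = re.sub(r"^ldaps?://([^/:]+).*$", r"\1", uri)
            out.append({"rid": rid, "uri": uri, "rc": rc,
                        "meaning": RC_MEANING.get(rc, "see ldap.h"),
                        "matches_listener": host in local})
    return out

if __name__ == "__main__":
    for rec in syncrepl_failures(SAMPLE_LOG, SLAPD_CMDLINE):
        print(rec)
```

A record with rc -1 and matches_listener False is the URI mismatch the post describes; rc 49 with matches_listener True means the host was reached and the bind itself was rejected.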