Tyler,
Could the fact that I work with CentOS and use the packages from Red Hat
generate some incompatibility?
I will implement (or was going to) a CentOS with Samba + OpenLDAP tomorrow, but
I'm worried:
------
Raul Libório
rauhmarutsªhotmailºcom
Linux user#4444581
"The bug is on the table."
On Sun, Mar 29, 2009 at 8:38 AM, Tyler Gates <tgates81(a)gmail.com> wrote:
The problem is centos + openldap. They don't compile their openldap
packages with overlay support so nothing will work the way you want it.
Trust me, the same thing happened to me and caused hours of hair-pulling
aggravation. On top of that, mirror mode isn't supported in openldap
2.3. You'll have to use a third party repository with openldap 2.4 if
you expect it to work with centos.
http://blog.zrmt.com/2007/10/18/rhel5-openldap/
Follow the instructions there on how to set up openldap using a third
party repo. Also note: to install openldap 2.4 (which you need), run
those yum install commands with '2.4' appended, i.e.: yum install
openldap2.4-servers openldap2.4-clients.
Trust me, you MUST use these packages if you expect anything to work,
and I can honestly say the quality of these packages is much better
than what centos has to offer.
Tyler
On Fri, 27 Mar 2009 10:36:02 -0700
Jonas Haskins <jhaskins(a)adready.com> wrote:
> Hello friends, I've been trying to set up Mirror Mode replication,
> using the openldap.org docs and others from googling, and am having
> some interesting results. I am new to this so this has been an
> enlightening experience to say the least, but perhaps someone on
> the list might be able to answer a few questions; that would be
> awesome...
>
>
> I have 2 nodes, and want to get mirror mode running for high
> availability .. and will add samba to auth ( later )
>
>
> Basically it seems that mirror mode is sort of working.. i can see the
> syncRep talking back and forth .. However .. I cannot write to either
> node once replication is running.
>
> Below example is me trying to add a user account:
>
>
> error is : ( phpldapadmin reports )
> LDAP said: Server is unwilling to perform
> Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM)
> Description: The LDAP server refused to perform the operation.
>
> log file reports in detail:
>
>
> Mar 26 13:14:38 ldap01 slapd[1433]: >>> dnPrettyNormal:
> <cn=joepreston,dc=foobar,dc=com>
> Mar 26 13:14:38 ldap01 slapd[1433]: <<< dnPrettyNormal:
> <cn=joepreston,dc=foobar,dc=com>, <cn=joepreston,dc=foobar,dc=com>
> Mar 26 13:14:38 ldap01 slapd[1433]: do_add: dn
> (cn=joepreston,dc=foobar,dc=com)
> Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 ADD
> dn="cn=joepreston,dc=foobar,dc=com"
> Mar 26 13:14:38 ldap01 slapd[1433]:
> bdb_dn2entry("cn=joepreston,dc=foobar,dc=com")
> Mar 26 13:14:38 ldap01 slapd[1433]: =>
> bdb_dn2id("cn=joepreston,dc=foobar,dc=com")
> Mar 26 13:14:38 ldap01 slapd[1433]: <= bdb_dn2id: get failed:
> DB_NOTFOUND: No matching key/data pair found (-30989)
> Mar 26 13:14:38 ldap01 slapd[1433]: bdb_referrals: op=104
> target="cn=joepreston,dc=foobar,dc=com"
> matched="dc=foobar,dc=com"
> Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: conn=14 op=1 p=3
> Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: err=53
> matched="" text="shadow context; no update referral"
> Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_response: msgid=2
> tag=105 err=53
> Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 RESULT tag=105 err=53
> text=shadow context; no update referral
> Mar 26 13:14:38 ldap01 slapd[1433]: daemon: activity on 1 descriptor
> Ma
>
>
> so::
> text="shadow context; no update referral"
>
> using mirrormode, i should be able to write to the db correct?
>
> initially, i used ldapadd to add my ldif files on node 1 ( with syncRep
> commented out ) then used slapcat/slapadd to populate the db on node
> 2, then uncommented syncRep on both nodes and restarted both..
> ( this was because i was trying to troubleshoot the DB_NOTFOUND error
> above ... the result was it still errored ) however, it seems the
> text=shadow context; no update referral may be the real issue.
>
>
> am i missing something in these configs in regards to mirrormode?
>
> logs seem to indicate syncRep is talking, and access is allowed,
> but no write, and if i ldap add to node 1 ( with Rep commented out )
> then uncomment and restart both ( so node 1 has data but node2 does
> not, i can see syncRep talking, but node2 never picks up the changes )
>
> ok whew, sorry about all of that.. any ideas?
>
> using:
> openldap-2.3.27
> CentOS 5.2 2.6.18-92.el5 64
> db-4.7.25
> smbldap-tools-0.9.5-1
>
>
> was going to upgrade to the latest, but there are a ton
> of deps , so i thought i'd ask first..
>
>
> many many thanks!
>
>
>
> node1: slapd.conf
>
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/sudo.schema
> include /etc/openldap/schema/samba.schema
>
> loglevel -1
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> modulepath /usr/lib64/openldap
> moduleload back_bdb.la
> moduleload back_ldap.la
> moduleload back_ldbm.la
> moduleload back_passwd.la
> moduleload back_shell.la
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/slapdcert.pem
> TLSCertificateKeyFile /etc/openldap/slapdkey.pem
>
> access to *
> by dn.base="cn=Manager,dc=foobar,dc=com" read
> by * break
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=foobar,dc=com"
> rootdn "cn=Manager,dc=foobar,dc=com"
> rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> directory /var/lib/ldap
>
> index objectclass,entryCSN,entryUUID eq
> index cn,sn,uid,displayName pres,sub,eq
> index uidNumber,gidNumber eq
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> index memberUid,mail,givenname eq,subinitial
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> # Global section
> serverID 1
> # database section
>
> # syncrepl directive
> syncrepl rid=001
> provider=ldap://ldap02.hq.foobar.com
> bindmethod=simple
> binddn="cn=Manager,dc=foobar,dc=com"
> credentials=morefoo
> searchbase="dc=foobar,dc=com"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"
>
> mirrormode on
>
>
> node2:
>
>
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/sudo.schema
> include /etc/openldap/schema/samba.schema
>
> loglevel -1
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> # Load dynamic backend modules:
> modulepath /usr/lib64/openldap
> moduleload back_bdb.la
> moduleload back_ldap.la
> moduleload back_ldbm.la
> moduleload back_passwd.la
> moduleload back_shell.la
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/slapdcert.pem
> TLSCertificateKeyFile /etc/openldap/slapdkey.pem
>
> access to *
> by dn.base="cn=Manager,dc=foobar,dc=com" read
> by * break
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=foobar,dc=com"
> rootdn "cn=Manager,dc=foobar,dc=com"
> rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
>
> directory /var/lib/ldap
>
> index objectclass,entryCSN,entryUUID eq
> index cn,sn,uid,displayName pres,sub,eq
> index uidNumber,gidNumber eq
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> index memberUid,mail,givenname eq,subinitial
>
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> # Global section
> serverID 2
> # database section
>
> # syncrepl directive
> syncrepl rid=001
> provider=ldap://ldap01.hq.foobar.com
> bindmethod=simple
> binddn="cn=Manager,dc=foobar,dc=com"
> credentials=morefoo
> searchbase="dc=foobar,dc=com"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"
>
> mirrormode on
>
>
>
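Added example, not written by anyone in this thread: a small Python check that reads two slapd.conf files the way slapd.conf(5) describes them (comment lines, continuation lines that start with whitespace) and reports the MirrorMode prerequisites that are easy to get wrong. It looks for a serverID per node in the global section (slapd.conf(5) lists serverID as a global directive; in the two configs above it sits after "database bdb"), for "mirrormode on" in the database section, for "overlay syncprov", and for syncrepl stanzas whose searchbase matches the suffix and which do not both point at the same provider. The embedded configs are constructed, trimmed copies of the node1/node2 files quoted above with the rootpw and replication credentials replaced by placeholders; the message about err=53 restates what slapd returns for writes to a consumer that has no mirrormode and no updateref.

```python
"""Check two slapd.conf files for the MirrorMode prerequisites.
Added example, not from anyone in this thread; the sample configs are
trimmed copies of the posted node1/node2 files with secrets replaced."""
import re
from typing import Dict, List, Tuple


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """(directive, args) pairs.  slapd.conf(5): '#' starts a comment and a
    line beginning with whitespace continues the previous directive."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.rstrip())
    pairs = []
    for line in logical:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def syncrepl_params(args: str) -> Dict[str, str]:
    """Parse 'rid=001 provider=ldap://... retry="60 +"' into a dict."""
    params: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', args):
        params[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(2)
    return params


def check_mirror_pair(conf_a: str, conf_b: str) -> List[str]:
    """Return findings; an empty list means the pair looks consistent."""
    findings: List[str] = []
    server_ids: List[str] = []
    providers: List[str] = []
    for label, text in (("node1", conf_a), ("node2", conf_b)):
        pairs = parse_slapd_conf(text)
        # Everything before the first 'database' directive is global.
        split = next((i for i, (n, _) in enumerate(pairs) if n == "database"), len(pairs))
        gdir = dict(pairs[:split])
        ddir: Dict[str, List[str]] = {}
        for name, args in pairs[split:]:
            ddir.setdefault(name, []).append(args)
        sid = gdir.get("serverid")
        if sid is None and "serverid" in ddir:
            findings.append(f"{label}: serverID sits inside the database section; "
                            "slapd.conf(5) lists it as a global directive")
            sid = ddir["serverid"][0]
        if sid is None:
            findings.append(f"{label}: no serverID; MirrorMode needs one per node")
        else:
            server_ids.append(sid.split()[0])
        if ddir.get("mirrormode", [""])[0].lower() != "on":
            findings.append(f"{label}: no 'mirrormode on'; a syncrepl consumer without it is "
                            "a read-only shadow and answers writes with err=53 "
                            "'shadow context; no update referral'")
        if "syncprov" not in [a.lower() for a in ddir.get("overlay", [])]:
            findings.append(f"{label}: 'overlay syncprov' missing; the peer cannot pull changes")
        suffix = ddir.get("suffix", [""])[0].strip('"')
        params = [syncrepl_params(a) for a in ddir.get("syncrepl", [])] or [{}]
        for p in params:
            providers.append(p.get("provider", ""))
            if p.get("searchbase") != suffix:
                findings.append(f"{label}: no syncrepl, or its searchbase differs from the suffix")
    if len(set(server_ids)) != len(server_ids):
        findings.append("both nodes use the same serverID; they must differ")
    if len(providers) == 2 and providers[0] == providers[1]:
        findings.append("both nodes replicate from the same provider; each should point at the other")
    return findings


# Constructed sample: the posted node1 config, trimmed, with placeholders for
# rootpw and credentials.  serverID stays where the poster had it (after
# 'database bdb') so the checker has something to report.
NODE1 = """\
database bdb
suffix "dc=foobar,dc=com"
rootdn "cn=Manager,dc=foobar,dc=com"
rootpw {SSHA}PLACEHOLDER
overlay syncprov
# Global section
serverID 1
syncrepl rid=001
    provider=ldap://ldap02.hq.foobar.com
    binddn="cn=Manager,dc=foobar,dc=com"
    credentials=PLACEHOLDER
    searchbase="dc=foobar,dc=com"
    retry="60 +"
mirrormode on
"""
# node2 differs only in its serverID and in pointing at node1.
NODE2 = NODE1.replace("serverID 1", "serverID 2").replace("ldap02", "ldap01")

if __name__ == "__main__":
    for finding in check_mirror_pair(NODE1, NODE2) or ["no findings"]:
        print("-", finding)
```

Run against the two trimmed configs as posted it reports only the serverID placement on each node; moving the "serverID N" line above "database bdb" on both nodes clears the list, and deleting "mirrormode on" from one node produces the err=53 finding that matches the log lines quoted above.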