Hi all,
i have a problem getting openldap to run monitor backend AND syncrepl overlay. i'm running freebsd-7.2-release-p6 in combination with openldap-server-2.4.19 with sasl support compiled in.
i use the following slapd config:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/radius.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log

password-hash {SSHA}
modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_monitor

access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to *
    by ssf=128 dn="cn=admin,dc=example,dc=de" write
    by dn="cn=admin,dc=example,dc=de" peername.ip=127.0.0.1 write
    by ssf=96 dn="cn=nssadmin,dc=example,dc=de" read
    by dn="cn=nssadmin,dc=example,dc=de" peername.ip=127.0.0.1 read
    by anonymous auth
    by * none
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

database bdb
suffix "dc=example,dc=de"
rootdn "dc=example,dc=de"
directory /var/db/openldap-data
index objectClass,entryCSN,entryUUID eq
index uid pres,eq,sub
index memberUID eq
index uidNumber,gidNumber eq
index host eq

database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw monitoring

access to dn.subtree="cn=Monitor"
    by dn="cn=nssadmin,dc=example,dc=de"
    by * none

syncrepl rid=041
    provider=ldap://ldap-master.example.de
    type=refreshOnly
    interval=00:00:35:00
    searchbase="dc=example,dc=de"
    schemachecking=off
    bindmethod=simple
    starttls=yes
    binddn="cn=syncuser,dc=example,dc=de"
    credentials="strongsecretpassword"

TLSCertificateFile /usr/local/etc/openldap/ssl/ldap-crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap-key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem

loglevel 256
now, when i run slaptest i receive following error:
/usr/local/etc/openldap/slapd.conf: line 59: database monitor does not support operations required for syncrepl
slaptest: bad configuration file!
Line 59 corresponds to the credentials option in the syncrepl statement. i can't figure out what's wrong, so if anyone can point me in the right direction that would be really helpful.
thanks in advance,
david
Hi david,
i'm not sure about that, but haven't figured out why the credentials have to be in cleartext, but that was the only possibility I got syncrepl working since I tried it with SSHA or MD5 prefixes. Did you try that in cleartext?
just my two bucks and a half
benjamin
On Wed, Mar 10, 2010 at 10:01, DeMoNs@web.de DeMoNs@web.de wrote:
[...]
DeMoNs@web.de wrote:
[...]
Hi David,
from the slapd.conf(5) manpage:
The slapd.conf file consists of a series of global configuration options that apply to slapd as a whole (including all backends), followed by zero or more database backend definitions that contain information specific to a backend instance.
Which means that your syncrepl stuff is placed in the back-monitor specific part of the configuration. Put the syncrepl part before the monitor definition and behind the bdb definition.
Regards,
Christian Manal
DeMoNs@web.de wrote:
[...]
Line 59 corresponds to the credentials option in the syncrepl statement. i can't figure out what's wrong, so if anyone can point me in the right direction that would be really helpful.
"Line 59" means the whole statement ending at line 59, so in general the error can be anywhere in the statement. In this case, the error is the statement itself. As the error message is saying, back-monitor is missing some essential function that is required by syncrepl (I bet bi_op_add()). What's puzzling me is: back-monitor is (almost) read-only, and contains mostly dynamically generated information on the state of a server; what's the purpose of replicating it? Your configuration makes no sense.
p.
"DeMoNs@web.de" DeMoNs@web.de writes:
Hi all,
i have a problem getting openldap to run monitor backend AND syncrepl overlay. i'm running freebsd-7.2-release-p6 in combination with openldap-server-2.4.19 with sasl support compiled in.
[...]
database bdb
suffix "dc=example,dc=de"
rootdn "dc=example,dc=de"
directory /var/db/openldap-data
[...]
database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw monitoring
[...]
syncrepl rid=041
[...]
now, when i run slaptest i receive following error:
/usr/local/etc/openldap/slapd.conf: line 59: database monitor does not support operations required for syncrepl
slaptest: bad configuration file!
Line 59 corresponds to the credentials option in the syncrepl statement. i can't figure out what's wrong, so if anyone can point me in the right direction that would be really helpful.
It is exactly what slaptest says, syncrepl has to be configured within a database declaration, according to your slapd.conf you want to synchronize cn=monitor, which is not supported. Move syncrepl statements to the bdb database.
-Dieter
openldap-technical@openldap.org
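
An added example, not part of any message in the thread and not OpenLDAP code: a small pre-flight check that reports which `database` section each `syncrepl` statement in a slapd.conf falls under, and the last line of that statement (the line slaptest reports). The two sample configs are constructed from the thread's layout; the function names are hypothetical, and comment and blank-line handling is simplified.

```python
# Constructed samples: BROKEN mirrors the thread's layout; FIXED moves syncrepl under bdb.
BROKEN = '''\
database bdb

database monitor
rootpw monitoring

syncrepl rid=041
    provider=ldap://ldap-master.example.de
    searchbase="dc=example,dc=de"
'''
FIXED = '''\
database bdb
syncrepl rid=041
    provider=ldap://ldap-master.example.de
    searchbase="dc=example,dc=de"

database monitor
rootpw monitoring
'''

def logical_lines(text):
    """Yield (last_line_no, statement); an indented line continues the previous one."""
    stmt, last = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # simplification: blank and comment lines are skipped
        if raw[0] in " \t" and stmt is not None:
            stmt, last = f"{stmt} {raw.strip()}", no
            continue
        if stmt is not None:
            yield last, stmt
        stmt, last = raw.strip(), no
    if stmt is not None:
        yield last, stmt

def syncrepl_owners(text):
    """Return [(line_no, rid, backend)]; backend is None before any database line."""
    backend, found = None, []
    for no, stmt in logical_lines(text):
        words = stmt.split()
        if words[0].lower() == "database":
            backend = words[1].lower()
        elif words[0].lower() == "syncrepl":
            rid = next((w[4:] for w in words if w.startswith("rid=")), None)
            found.append((no, rid, backend))
    return found

if __name__ == "__main__":
    print(syncrepl_owners(BROKEN), syncrepl_owners(FIXED))
```

Any tuple whose backend is `monitor` (or `None`) marks a syncrepl statement that is not inside the database it is meant to replicate.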