Hi All
I have just registered on the mail list seeking assistance on how to get openldap replication working between 2.3 and 2.4 openldap.
My provider is running on 2.3 (openldap) which replicates successfully to a 2.3 (openldap slave). Recently we built a rhel6 host that comes with openldap 2.4 with the intention to run openldap on it as slave.
I have stood up the new slave (2.4 openldap) using the same configuration as the other running slave (2.3 openldap). I have managed to slapadd the ldif of the master to the new slave: slapadd -l /tmp/AAA01_20140314.ldif
However, if I try and search for entries, it shows the following but I am expecting 32K objects:
[root@vm-nix-t01 ldap]# ldapsearch -x -h 127.0.0.1 "Objectclass=*" 1:1
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: Objectclass=*
# requesting: 1:1
#

# search result
search: 2
result: 32 No such object
I also don't see any replication details in /var/log/slapd.log
Could you please show me some troubleshooting directions here?
regards
On Mon, 17 Mar 2014, Andrew Belford wrote:
> I have just registered on the mail list seeking assistance on how to get openldap replication working between 2.3 and 2.4 openldap.

Time to read the "Changes Since Previous Release" section of the 2.4 admin guide: http://www.openldap.org/doc/admin24/appendix-changes.html

> My provider is running on 2.3 (openldap) which replicates successfully to a 2.3 (openldap slave). Recently we built a rhel6 host that comes with openldap 2.4 with the intention to run openldap on it as slave.
> I have stood up the new slave (2.4 openldap) using the same configuration as the other running slave (2.3 openldap). I have managed to slapadd the ldif of the master to the new slave: slapadd -l /tmp/AAA01_20140314.ldif
> However, if I try and search for entries, it shows the following but I am expecting 32K objects

Item B.2 at http://www.openldap.org/doc/admin24/appendix-upgrading.html ?

> I also don't see any replication details in /var/log/slapd.log

Since you don't mention how you configured replication to this 2.4 box or what output you were expecting, I can't help on this.

Philip Guenther
Sorry Philip,
Here is my slap.conf file from one of the openldap 2.3 consumers, which is working fine:
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=kinect,dc=co,dc=nz"
rootdn          "cn=Manager,dc=kinect,dc=co,dc=nz"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}vO/5mpk4CMOKDelv36BpjksRaHFjgqh1
password-hash   {CRYPT}
password-crypt-salt-format "%s"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
checkpoint      128 15

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryUUID                         eq
index entryCSN                          eq

#threads 64
# Unlimited query size
sizelimit unlimited

syncrepl rid=3
        provider=ldap://testaaa-int.dcnztest.co.nz:389
        bindmethod=simple
        binddn="cn=sync,dc=kinect,dc=co,dc=nz"
        credentials=ieLeik8v
        type=refreshAndPersist
        retry="05 +"
        searchbase="dc=kinect,dc=co,dc=nz"
        schemachecking=off
I used the above file to configure the slave for openldap 2.4. Here are the steps:
#slapcat -f slapd.conf -F /tmp/ldap -n 0 - This will create cn=config format in /tmp/ldap using the slapd.conf file from openldap 2.3
#rm -rf /etc/openldap/slapd.d/* - remove the current files in /etc/openldap/slapd.d
# cp -rp /tmp/ldap/cn=config* /etc/openldap/slapd.d/ - copy the cn=config created above to /etc/openldap/slapd.d
# chown -R ldap: /etc/openldap/slapd.d - change ownership to ldap:ldap
#slaptest -uF /etc/openldap/slapd.d - successful
#/etc/init.d/slapd start
In the logs it gave an error:

Mar 18 11:49:45 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
But since I increased the values in DB_CONFIG, the above went away and the log only shows openldap stopping and starting:

Mar 18 15:02:22 vm-nix-t01 slapd[3178]: slapd stopped.
Mar 18 15:04:18 vm-nix-t01 slapd[1478]: @(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $#012#011mockbuild@x86-022.build.eng.bos.redhat.com: /builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
Mar 18 15:04:20 vm-nix-t01 slapd[1479]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Mar 18 15:04:20 vm-nix-t01 slapd[1479]: slapd starting
slapd.conf of the PROVIDER:

# cat /etc/openldap/slapd.conf
..............
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/freeradius.schema

# Logging
loglevel        none

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile    /etc/openldap/cacerts/cacert.pem
TLSCertificateFile      /etc/openldap/tls/testaaa-int.dcnztest.co.nz.crt
TLSCertificateKeyFile   /etc/openldap/tls/testaaa-int.dcnztest.co.nz.key

#######################################################################
# security policies
#######################################################################

# prevent anonymous lookups of hashed passwords
access to attrs=userPassword
        by dn.exact="cn=sync,dc=kinect,dc=co,dc=nz" read
        by dn.exact="uid=client-root,ou=auth,dc=kinect,dc=co,dc=nz" write
        by self write
        by anonymous auth
        by * none

# default allow all
access to *
        by self write
        by users read
        by anonymous read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=kinect,dc=co,dc=nz"
rootdn          "cn=Manager,dc=kinect,dc=co,dc=nz"
#threads 64
# Allow unlimited length DB queries - important for ensuring reliable sync
sizelimit unlimited

rootpw          {SSHA}vO/5mpk4CMOKDelv36BpjksRaHFjgqh1
password-hash   {CRYPT}
password-crypt-salt-format "%s"

directory       /var/lib/ldap
checkpoint      128 15

# Indices to maintain for this database
index entryUUID                         eq
index entryCSN                          eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On the consumer openldap 2.4 there is no slapd.conf file, but here is the cn=config.ldif. This is another question I am trying to understand: the manual talks about slapd.conf in 2.4, but it doesn't exist by default.

[root@vm-nix-t01 ~]# cat /etc/openldap/slapd.d/cn=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: ../slapd.conf
olcConfigDir: /tmp/ldap
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPasswordCryptSaltFormat: %s
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/tls/test02aaa.pem
olcTLSCertificateFile: /etc/openldap/tls/test02aaa.pem
olcTLSCertificateKeyFile: /etc/openldap/tls/test02aaa-key.pem
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 7f528bf2-4271-1033-8d3c-451e105bb7d9
creatorsName: cn=config
createTimestamp: 20140317224452Z
entryCSN: 20140317224452.209642Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140317224452Z
On 18 March 2014 18:40, Philip Guenther pguenther@proofpoint.com wrote:
I have modified my slapd.conf file on consumer 2.4:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
#include /usr/share/doc/krb5-server-ldap-1.9/kerberos.schema
#include /usr/share/doc/sudo-1.8.5-1.el6/schema.OpenLDAP

# Primary database.
database        bdb
directory       /var/lib/ldap
suffix          "dc=kinect,dc=co,dc=nz"
rootdn          "cn=Manager,dc=kinect,dc=co,dc=nz"
rootpw          {SSHA}vO/5mpk4CMOKDelv36BpjksRaHFjgqh1
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# syncrepl specific indices
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryUUID                         eq
index entryCSN                          eq

# syncrepl directives
syncrepl rid=3
        provider=ldap://testaaa-int.dcnztest.co.nz:389
        bindmethod=simple
        starttls=no
        binddn="cn=sync,dc=kinect,dc=co,dc=nz"
        credentials="ieLeik8v"
        searchbase="dc=kinect,dc=co,dc=nz"
        logbase="cn=accesslog"
        schemachecking=off
        type=refreshAndPersist
        retry="05 +"
        syncdata=accesslog

# Refer updates to the master
updateref ldap://testaaa-int.dcnztest.co.nz

access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

access to attrs=userPassword
        by self write
        by * auth

access to dn.base=dc=kinect,dc=co,dc=nz
        by * search
        by * none

# Give access to this database to several important users.
#to dn.subtree="dc=kinect,dc=co,dc=nz"
access to attrs=userPassword
        by dn.exact="cn=sync,dc=kinect,dc=co,dc=nz" read
        by dn.exact="uid=client-root,ou=auth,dc=kinect,dc=co,dc=nz" write
        by self write
        by anonymous auth
        by * none

# default allow all
access to *
        by self write
        by users read
        by anonymous read

TLSCACertificateFile    /etc/openldap/tls/test02aaa.pem
TLSCertificateFile      /etc/openldap/tls/test02aaa.pem
TLSCertificateKeyFile   /etc/openldap/tls/test02aaa-key.pem

database monitor
access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.base="cn=admin,dc=kinect,dc=co,dc=nz" manage
        by * none

# Configure the config backend.
database config
# Again, let SASL EXTERNAL users with UID 0 & GID 0 users and the rootdn manage
# the configuration.  But not any other users.
access to *
        by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by dn.base="cn=admin,dc=kinect,dc=co,dc=nz" manage
        by * none
Then run:
#slapcat -f ldap/slap.conf.consumer -F /tmp/ldap -n 0
#cp -rp ldap/cn=config* /etc/openldap/slapd.d/
#chown -R ldap:ldap /etc/openldap/slapd.d
#slaptest -uF /etc/openldap/slapd.d
#/etc/init.d/slapd start
Now it comes up with a different error:

Mar 20 11:52:31 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:31 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:36 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:36 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:41 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:41 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:46 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:46 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:51 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:51 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:56 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:56 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying

This is the value of objectclass in /etc/openldap/slapd.d/:

[root@vm-nix-t01 tmp]# grep -iR objectclass /etc/openldap/slapd.d/*
/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:objectClass: olcDatabaseConfig
/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:objectClass: olcBdbConfig
/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif: objectclass=*)" searchbase="dc=kinect,dc=co,dc=nz" logbase="cn=accesslog" sco
/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:olcDbIndex: objectClass pres,eq
/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif:structuralObjectClass: olcBdbConfig
/etc/openldap/slapd.d/cn=config/cn=schema.ldif:objectClass: olcSchemaConfig
/etc/openldap/slapd.d/cn=config/cn=schema.ldif:olcObjectIdentifier: olmObjectClasses 1.3.6.1.4.1.4203.666.3.16
/etc/openldap/slapd.d/cn=config/cn=schema.ldif:olcObjectIdentifier: olmSubSystemObjectClasses olmObjectClasses:0
/etc/openldap/slapd.d/cn=config/cn=schema.ldif:olcObjectIdentifier: olmGenericObjectClasses olmSubSystemObjectClasses:0
/etc/openldap/slapd.d/cn=config/cn=schema.ldif:olcObjectIdentifier: olmDatabaseObjectClasses olmSubSystemObjectClasses:1

Any suggestions?
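The two consumer log excerpts in this thread (the rc 80 loop with BDB lock exhaustion, then the rc 21 schema rejection) are the kind of output an operator ends up grepping by hand. As an added example that is not from the thread or from the OpenLDAP project, the script below groups `do_syncrepl ... retrying` lines by rid and result code, pulls out the failing entry DNs and the mods-check reason, and prints one hint per failure class; the sample log is constructed from the excerpts above, and the result-code names come from RFC 4511.

```python
import re
from collections import Counter, defaultdict

# LDAP result codes that appear in the thread's logs (RFC 4511 names).
LDAP_RESULT = {21: "invalidAttributeSyntax", 80: "other"}

# Constructed from the two slapd excerpts in the thread; not a captured live log.
SAMPLE_LOG = """\
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 20 11:52:31 vm-nix-t01 slapd[13445]: syncrepl_message_to_entry: rid=003 mods check (objectClass: value #2 invalid per syntax)
Mar 20 11:52:31 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
Mar 20 11:52:36 vm-nix-t01 slapd[13445]: do_syncrepl: rid=003 rc 21 retrying
"""

RETRY_RE = re.compile(r"do_syncrepl: rid=(\d+) rc (\d+) retrying")
ENTRY_FAIL_RE = re.compile(r"syncrepl_entry: rid=(\d+) be_add (.+?) failed \((\d+)\)")
SYNTAX_RE = re.compile(r"syncrepl_message_to_entry: rid=(\d+) mods check \((\w+): (.+?)\)")
LOCK_MSG = "Lock table is out of available lock entries"


def analyse_syncrepl_log(text):
    """Group consumer-side syncrepl failures: retry loops per (rid, rc), entries whose
    be_add failed, schema-check rejections, and BDB lock-table exhaustion."""
    result = {"retries": Counter(), "failed_entries": defaultdict(set),
              "syntax_errors": Counter(), "lock_exhaustion": 0}
    for line in text.splitlines():
        if LOCK_MSG in line:
            result["lock_exhaustion"] += 1
        elif m := RETRY_RE.search(line):
            result["retries"][(m.group(1), int(m.group(2)))] += 1
        elif m := ENTRY_FAIL_RE.search(line):
            result["failed_entries"][m.group(1)].add(m.group(2))
        elif m := SYNTAX_RE.search(line):
            result["syntax_errors"][(m.group(1), m.group(2), m.group(3))] += 1
    return result


def findings(summary):
    """Turn the summary into operator-facing lines, one hint per failure class."""
    out = []
    for (rid, rc), n in sorted(summary["retries"].items()):
        out.append(f"rid={rid}: {n} retry(s) with rc {rc} ({LDAP_RESULT.get(rc, 'unknown')})")
    if summary["lock_exhaustion"]:
        # The thread resolved this by raising the BDB lock limits in DB_CONFIG.
        out.append("BDB lock table exhausted: raise set_lk_max_locks/objects/lockers in DB_CONFIG")
    for rid, dns in summary["failed_entries"].items():
        out.append(f"rid={rid}: be_add failed for {len(dns)} entry(s), e.g. {sorted(dns)[0]}")
    for (rid, attr, why), n in summary["syntax_errors"].items():
        out.append(f"rid={rid}: {attr} rejected {n}x ({why}); compare the consumer's schema includes with the provider's")
    return out


if __name__ == "__main__":
    for line in findings(analyse_syncrepl_log(SAMPLE_LOG)):
        print(line)
```

Pipe a real `/var/log/slapd.log` through `analyse_syncrepl_log` to see at a glance whether a consumer is stuck in one retry loop or cycling through several result codes.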
openldap-technical@openldap.org