Oh the wise and mighty of the openLDAP community,
I have an issue that I have not been able to understand. Partially because I'm an enthusiast, not an expert in the domain. That being said, I've used an openLDAP RPM compiled by one of the fellow *nix admins: http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm desperate enough to try this. I'll eventually use the spec to compile my own RPM.
I'm running CentOS 5.7 x86_64 with the latest packages. I was able to successfully install and configure openLDAP but when I attempt to start it with MirrorMode, it will not start. I ran slaptest to figure out what it's hanging up on:
[root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf
/etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before syncrepl may be used
slaptest2.4: bad configuration file!
Any suggestions why it continues to complain about rootDN? I have it specified and if slapd is going through the lines, it should have picked up the rootdn before syncrepl. Thoughts?
Here is my slapd.conf:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema

#include /usr/share/openldap2.4/schema/rfc822-MailMember.schema
#include /usr/share/openldap2.4/schema/pilot.schema
#include /usr/share/openldap2.4/schema/qmail.schema
#include /usr/share/openldap2.4/schema/mull.schema
#include /usr/share/openldap2.4/schema/netscape-profile.schema
#include /usr/share/openldap2.4/schema/trust.schema

include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf

access to dn.subtree="dc=domain,dc=pvt"
    by group="cn=Replicator,ou=Group,dc=domain,dc=pvt"
    by users read
    by anonymous read

pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args

modulepath /usr/lib64/openldap2.4

# database backend modules available:
#moduleload back_dnssrv.la
#moduleload back_ldap.la
#moduleload back_meta.la
moduleload back_monitor.la
#moduleload back_passwd.la
#moduleload back_sql.la

# overlay modules available:
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload glue.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la

#contrib overlays
#moduleload smbk5pwd.so

# SASL config
#sasl-host ldap.domain.com

# To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem
# and uncomment the following lines.
#TLSRandFile /dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap2.4/
#TLSCACertificateFile /etc/ssl/cacert.pem
TLSCACertificateFile /etc/pki/tls/private/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)

# logging
#loglevel 256

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=domain,dc=pvt"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=domain,dc=pvt"
#rootdn "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}[NeeeNer NeeeNer NeeeNer]

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap2.4

# Tuning settings, please see the man page for slapd-bdb for more information
# as well as the DB_CONFIG file in the database directory
# commented entries are at their defaults
# In-memory cache size in entries
#cachesize 1000
# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5

# Indices to maintain
index objectClass eq

# person-type searches
index cn,mail,surname,givenname eq,subinitial

# nss_ldap exact searches:
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
# username completion via nss_ldap needs uid indexed sub:
index uid eq,subinitial

# samba:
index sambaSID,sambaDomainName,displayName eq

# autofs:
#index nisMapName eq

# bind sdb_ldap:
#index zoneName,relativeDomainName eq

# sudo
index sudoUser eq

# syncprov
#index entryCSN,entryUUID eq

limits group="cn=Replicator,ou=Group,dc=domain,dc=pvt" size=unlimited time=unlimited

database monitor

overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100

syncrepl rid=000
    provider=ldap://ldap1.oak.domain.pvt
    type=refreshAndPersist
    interval=01:00:00:00
    retry="5 5 300 +"
    rootdn="dc=domain,dc=pvt"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=Manager,dc=domain,dc=pvt"
    credentials=domain1

syncrepl rid=001
    provider=ldap://ldap2.oak.domain.pvt
    type=refreshAndPersist
    interval=01:00:00:00
    retry="5 5 300 +"
    rootdn="dc=domain,dc=pvt"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=Manager,dc=domain,dc=pvt"
    credentials=domain1

mirrormode TRUE
serverID 1
William S. wrote:
> Oh the wise and mighty of the openLDAP community,
> I have an issue that I have not been able to understand. Partially because I'm an enthusiast, not an expert in the domain. That being said, I've used an openLDAP RPM compiled by one of the fellow *nix admins: http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm desperate enough to try this. I'll eventually use the spec to compile my own RPM.
> I'm running CentOS 5.7 x86_64 with the latest packages. I was able to successfully install and configure openLDAP but when I attempt to start it with MirrorMode, it will not start. I ran slaptest to figure out what it's hanging up on:
> [root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf
> /etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before syncrepl may be used
> slaptest2.4: bad configuration file!
> Any suggestions why it continues to complain about rootDN? I have it specified and if slapd is going through the lines, it should have picked up the rootdn before syncrepl. Thoughts?
You have placed these directives in your "database monitor" config, which has no rootdn configured. You probably meant to place them further up in the file, under the "database bdb" config.
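The reply's diagnosis rests on one rule of slapd.conf: every directive belongs to the most recent "database" section, so a syncrepl that follows "database monitor" is checked against the monitor backend, which has no rootdn, rather than against the bdb database above it. The following Python check, added here as an example and not part of OpenLDAP or of the thread, applies that rule to a configuration file before slaptest is run. The two sample configurations are constructed to mirror the thread (hostnames and DNs are placeholders); the misplaced one also carries a rootdn= parameter inside the syncrepl clause, which the check flags because syncrepl has no such parameter and its searchbase= parameter is mandatory per slapd.conf(5).

```python
"""Static check for slapd.conf replication directives (added example; not
OpenLDAP code). It reproduces the reasoning behind slaptest's "rootDN must
be defined before syncrepl may be used": a directive belongs to the most
recent "database" section, so rootdn must appear in that same section and
before the syncrepl clause."""
import re

# Constructed sample modelled on the thread: the replication block lands
# after "database monitor" and uses rootdn= where syncrepl needs searchbase=.
MISPLACED_CONF = """\
database bdb
suffix "dc=example,dc=pvt"
rootdn "cn=Manager,dc=example,dc=pvt"
directory /var/lib/ldap

database monitor

overlay syncprov
syncrepl rid=000
    provider=ldap://ldap1.example.pvt
    type=refreshAndPersist
    rootdn="dc=example,dc=pvt"
    bindmethod=simple
    binddn="cn=Manager,dc=example,dc=pvt"
    credentials=secret
mirrormode TRUE
serverID 1
"""

# Same content with serverID made global, the replication block moved under
# "database bdb" (after its rootdn) and searchbase= in place of rootdn=.
CORRECTED_CONF = """\
serverID 1
database bdb
suffix "dc=example,dc=pvt"
rootdn "cn=Manager,dc=example,dc=pvt"
directory /var/lib/ldap
overlay syncprov
syncrepl rid=000
    provider=ldap://ldap1.example.pvt
    type=refreshAndPersist
    searchbase="dc=example,dc=pvt"
    bindmethod=simple
    binddn="cn=Manager,dc=example,dc=pvt"
    credentials=secret
mirrormode TRUE

database monitor
"""


def logical_lines(text):
    """Yield (line_no, directive) with continuation lines joined: in
    slapd.conf a line beginning with whitespace continues the previous
    directive. Blank lines and '#' comments are skipped."""
    current, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.strip(), no
    if current is not None:
        yield start, current


def check_replication_placement(text):
    """Return [(line_no, message), ...] for replication directives slapd
    rejects: syncrepl in a section with no rootdn before it, syncrepl without
    the mandatory searchbase=, and mirrormode in a section with no syncrepl."""
    findings = []
    section = "the global section"  # label of the enclosing database section
    have_rootdn = have_syncrepl = False
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if key == "database":
            section = f'"database {rest}" (line {no})'
            have_rootdn = have_syncrepl = False  # new section, new state
        elif key == "rootdn":
            have_rootdn = True
        elif key == "syncrepl":
            if not have_rootdn:
                findings.append((no, f"syncrepl under {section} has no rootdn defined before it"))
            if not re.search(r"\bsearchbase=", rest):
                findings.append((no, "syncrepl lacks the mandatory searchbase= parameter"))
            have_syncrepl = True
        elif key == "mirrormode" and rest.lower() in ("on", "true", "yes"):
            if not have_syncrepl:
                findings.append((no, f"mirrormode under {section} precedes any syncrepl"))
    return findings


if __name__ == "__main__":
    for name, conf in (("misplaced", MISPLACED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"{name}: {check_replication_placement(conf) or 'no findings'}")
```

The check is deliberately narrow: it tracks only the section boundary and the three ordering rules above, so a clean result means the file will get past this particular slaptest error, not that the whole configuration is valid. Running slaptest against the real file remains the authoritative test.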
openldap-technical@openldap.org