I inherited a pair of (interestingly configured) ldap servers from a previous owner and I'm trying to get them to replicate to each other (actually, starting with two new VM copies, with the goal of ending up with four masters spread over two data centers). The VMs are running RHEL6 and openldap 2.4.40.
When I try to add replication using the ldif included at the bottom of this post, I get this error and then cannot restart slapd --
[root@ldap01 tmp]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/repl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"

modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcTLSCertificateFile' not allowed
--
The slapd restart error in the log is:
read_config: no serverID / URL match found. Check slapd -h arguments.
(I assume this is coming from my three new syncprov providers which have nothing to provide?)
The only reference I found to TLS anywhere was here:
[root@ldap01 tmp]# slapcat -s olcDatabase={2}bdb,cn=config | grep TLS
olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_key.pem
Those files do not exist, never have! (I admit I tried, and failed, to delete the reference)
What can I do to fix the TLS error? Where is there a TLS dependency in this picture? Thank you for any clues!
[root@ldap01 tmp]# cat post.ldif
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap02.example.com
olcServerID: 2 ldap://ldap2.example.com
olcServerID: 3 ldap://ldap.example.com

dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap02.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
olcSyncRepl: rid=003 provider=ldap://ldap.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
thank you very much!
--On Friday, November 20, 2015 12:27 AM -0500 Betsy Schwartz betsy.schwartz@gmail.com wrote:
> I inherited a pair of (interestingly configured) ldap servers from a previous owner and I'm trying to get them to replicate to each other (actually, starting with two new VM copies, with the goal of ending up with four masters spread over two data centers). The VMs are running RHEL6 and openldap 2.4.40.
>
> When I try to add replication using the ldif included at the bottom of this post, I get this error and then cannot restart slapd --
> [root@ldap01 tmp]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/repl.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "cn=config"
>
> adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"
>
> modifying entry "olcDatabase={2}bdb,cn=config"
> ldap_modify: Object class violation (65)
>         additional info: attribute 'olcTLSCertificateFile' not allowed
Hi Betsy,
I would suggest using slapcat to export the config database and clean up the invalid attribute values that were incorrectly added to the bdb database.
After that, I would advise:
a) Upgrading to a current openldap release
b) Switching to back-mdb, assuming a 64-bit OS.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
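An added example (editor's code, not from either poster) of the cleanup Quanah describes, with the olcTLS* removal done as a filter over the slapcat output rather than by hand, plus a pre-flight check for the second error in the original post. Both errors are consistent with what the thread shows: the olcTLS* attributes are defined on olcGlobal (the cn=config entry) only, so on the {2}bdb database entry they were read from slapd.d without complaint but fail schema checking on the first ldapmodify, which is the "Object class violation (65)". And slapd chooses its own serverID by matching its listener URLs (the slapd -h arguments; on a stock RHEL6 openldap-servers install these are composed from /etc/sysconfig/ldap) against the URLs given with olcServerID; the post's three URLs name ldap02, ldap2 and ldap while the prompt shows the host as ldap01, so "no serverID / URL match found" follows. The paths (/etc/openldap/slapd.d, /root/config.ldif), the ldap service user, the service name and the sample LDIF are assumptions modelled on the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Filters olcTLS* attributes out of
# olcDatabase entries in a slapcat dump of cn=config, and checks that one of
# slapd's listener URLs matches an olcServerID URL. Paths, hostnames and the
# sample LDIF are assumptions modelled on the original post.

# olcTLS* attributes are defined on olcGlobal (the cn=config entry) only. On
# an olcDatabase entry they fail schema checking as soon as the entry is
# modified: "Object class violation (65) ... not allowed".
# Reads LDIF on stdin, writes the cleaned LDIF to stdout, and also drops the
# folded continuation lines (leading space) of any attribute it removes.
strip_tls_from_db_entries() {
    awk '
        /^dn: / { in_db = ($0 ~ /^dn: olcDatabase=/); skipping = 0 }
        /^$/    { in_db = 0; skipping = 0 }
        in_db && /^olcTLS[A-Za-z]*::? / { skipping = 1; next }
        skipping && /^ / { next }             # continuation of a removed line
                { skipping = 0; print }
    '
}

# slapd chooses its own serverID by matching its listener URLs (the slapd -h
# arguments) against the URLs given with olcServerID; with no match it logs
# "read_config: no serverID / URL match found" and exits.
# $1: olcServerID values, one "<id> <url>" per line; $2: listener URLs,
# space separated. Prints the matching ID, or returns 1. The comparison is
# textual (lowercased, trailing slashes trimmed); slapd compares the parsed
# scheme, host and port, so treat this as a pre-flight check only.
serverid_for_listeners() {
    ids=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's,/*$,,')
    for url in $2; do
        u=$(printf '%s' "$url" | tr 'A-Z' 'a-z' | sed 's,/*$,,')
        id=$(printf '%s\n' "$ids" | awk -v u="$u" '$2 == u { print $1; exit }')
        if [ -n "$id" ]; then
            printf '%s\n' "$id"
            return 0
        fi
    done
    return 1
}

# The rebuild Quanah describes: export database 0 (cn=config), clean it,
# re-import. Not invoked here; run as root with a backup of slapd.d in hand.
rebuild_cn_config() {
    SLAPD_DIR=/etc/openldap/slapd.d                  # RHEL6 default, assumed
    service slapd stop
    slapcat -n 0 -F "$SLAPD_DIR" -l /root/config.ldif
    strip_tls_from_db_entries < /root/config.ldif > /root/config.clean.ldif
    diff -u /root/config.ldif /root/config.clean.ldif || true   # review first
    mv "$SLAPD_DIR" "$SLAPD_DIR.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -m 750 "$SLAPD_DIR"
    slapadd -n 0 -F "$SLAPD_DIR" -l /root/config.clean.ldif
    chown -R ldap:ldap "$SLAPD_DIR"                   # service user, assumed
    service slapd start
}

# Constructed sample in the shape of "slapcat -n 0" output from the post: the
# foobar cert paths sit on the {2}bdb entry, one of them folded onto a
# continuation line as slapcat does for long values; the one on cn=config is
# where a TLS setting belongs and must survive the filter.
SAMPLE_CONFIG_LDIF='dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCertificateFile: /etc/pki/tls/certs/real_cert.pem

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_
 key.pem'

# The three olcServerID values from the post; none of them names ldap01, the
# host at the prompt, so a slapd listening there cannot pick an ID.
POST_SERVERIDS='1 ldap://ldap02.example.com
2 ldap://ldap2.example.com
3 ldap://ldap.example.com'

printf '%s\n' "$SAMPLE_CONFIG_LDIF" | strip_tls_from_db_entries
serverid_for_listeners "$POST_SERVERIDS" 'ldapi:/// ldap://ldap01.example.com' \
    || echo 'no olcServerID URL matches a listener on ldap01; slapd would exit'
```

Run rebuild_cn_config as root with slapd stopped, after reading the diff it prints. Fixing the olcTLS* attributes alone will not get slapd past the read_config message: one olcServerID value must also carry the URL this host actually listens on (or the -h arguments must be changed to match), which is what "Check slapd -h arguments" is pointing at.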