Trying to set up multimaster syncrepl, error attribute 'olcTLSCertificateFile' not allowed , why? - openldap-technical

19 Nov 2015


      I inherited a pair  of (interestingly configured) ldap servers from a
previous owner and I'm trying to get them to replicate to each other
(actually, starting with two new VM copies, with the goal of ending up with
four masters spread over two data centers). The VM's are running  RHEL6 and
openldap 2.4.40.
When I try to add replication using the  ldif included at the bottom of
this post , I get this error and then cannot restart slapd
--
[root@ldap01 tmp]#  ldapmodify  -Y  EXTERNAL -H ldapi:/// -f /tmp/repl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"
modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcTLSCertificateFile' not allowed
--
slapd restart error in the log is
read_config: no serverID / URL match found. Check slapd -h arguments.
(I assume this is coming from my three new syncprov providers which have
nothing to provide?)
The only reference I found to TLS anywhere was here
[root@ldap01 tmp]# slapcat -s olcDatabase={2}bdb,cn=config |grep TLS
olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_key.pem
Those files do not exist, never have!
 (I admit I tried, and failed, to delete the reference)
What can I do to fix the TLS error? Where is there a TLS dependency in this
picture? Thank you for any clues!
[root@ldap01 tmp]# cat post.ldif
olcServerID: 1 ldap://ldap02.example.com
olcServerID: 2 ldap://ldap2.example.com
olcServerID: 3 ldap://ldap.example.com
dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap02.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  timeout=1
olcSyncRepl: rid=002
  provider=ldap://ldap2.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 1 300 12 7200 +"
  timeout=1
olcSyncRepl: rid=003
  provider=ldap://ldap.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 1 300 12 7200 +"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
thank you very much!