Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}**************
olcRootDN: cn=monitor
When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like:
olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
No olcSuffix is set for the cn=monitor database in the cn=config, but all the cn=monitor DNs are of the form cn=X,cn=Y,...,cn=monitor, so it seems that the suffix of the cn=monitor database is effectively cn=monitor.
Any ideas?
Chris
--On Tuesday, January 08, 2013 4:34 PM +0000 Chris Card ctcard@hotmail.com wrote:
Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}**************
olcRootDN: cn=monitor
When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like:
olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
No olcSuffix is set for the cn=monitor database in the cn=config, but all the cn=monitor DNs are of the form cn=X,cn=Y,...,cn=monitor, so it seems that the suffix of the cn=monitor database is effectively cn=monitor.
Any ideas?
I suggest you file an ITS if you can reproduce this with current RE24.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 11/1/2013 11:58 AM, Chris Card wrote:
where can I download a tar.gz file for RE24?
Simply take a snapshot from here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=shortlog;h=refs/he...
This is a direct link for the snapshot: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=6f33e2c...
Regards, Nick
On 01/08/2013 05:34 PM, Chris Card wrote:
Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}**************
olcRootDN: cn=monitor
When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like:
olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
Works for me. The error you post occurs when using slapd.conf and setting rootpw before rootdn; when using slapd-config it should never happen because olcRootPW is listed *after* olcRootDN in olcDatabaseConfig, thus processing should always occur in the right order.
No olcSuffix is set for the cn=monitor database in the cn=config, but all the cn=monitor DNs are of the form cn=X,cn=Y,...,cn=monitor, so it seems that the suffix of the cn=monitor database is effectively cn=monitor.
The suffix of cn=monitor is indeed cn=monitor, and is hardcoded.
p.
On 01/08/2013 05:34 PM, Chris Card wrote:
Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}**************
olcRootDN: cn=monitor
When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like:
olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
Works for me. The error you post occurs when using slapd.conf and setting rootpw before rootdn; when using slapd-config it should never happen because olcRootPW is listed *after* olcRootDN in olcDatabaseConfig, thus processing should always occur in the right order.
I have an automated process to build the first LDAP server. There is an initial base slapd.d configuration which is then modified by applying a sequence of LDIF files using ldapmodify. The rootdn and rootpw for cn=monitor are added using ldapmodify with this LDIF:
dn: olcDatabase={2}monitor,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=Monitor
-
add: olcRootPW
olcRootPW: *******
where the values of olcRootDN and olcRootPW are my "factory settings".
The actual rootpw and rootdn to be used for cn=monitor are then read from a configuration file and applied by a script, which hashes the password using slappasswd and then runs ldapmodify with this LDIF:
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <hashed password>
-
replace: olcRootDN
olcRootDN: cn=Monitor
Once this has been done, ldapsearch always returns the attributes in the order seen above, olcRootPW before olcRootDN. Could this influence the order that syncrepl handles the attributes, when the second LDAP server is built?
Chris
On 01/08/2013 05:34 PM, Chris Card wrote:
Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
I am also seeing a similar issue when trying to modify the LDAP configuration to use delta-syncrepl for my main directory instead of simple syncrepl. I apply LDIF on the first LDAP server that creates a cn=accesslog database and creates an overlay on the main database which depends on the cn=accesslog database:
dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcRootPW: *****
olcDatabase: mdb
olcDbDirectory: ****************
olcSuffix: cn=accesslog
olcDbMaxSize: 10737418240
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
olcRootDN: cn=accesslog

dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: syncprov
olcSpReloadHint: TRUE
olcSpNoPresent: TRUE

dn: olcOverlay={2}accesslog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {2}accesslog
olcAccessLogDb: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 1+00:00 1+00:00
This works fine on the first LDAP server, but when replicated to the second LDAP server gives an error:
olcAccessLogDB: value #0: <olcAccessLogDB> no matching backend found for suffix "cn=accesslog"
null_callback : error code 0x50
syncrepl_entry: rid=*** be_add olcOverlay={2}accesslog,olcDatabase={1}bdb,cn=config failed (80)
It looks like LDAP replication is trying to create the accesslog overlay before creating the cn=accesslog database.
Chris
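An added pre-flight check, not code from the thread, for the dependency Chris's delta-syncrepl LDIF introduces: it reads a multi-entry cn=config LDIF and reports any olcAccessLogDb reference whose target suffix is not defined by an earlier entry. It only validates the order in which the LDIF is authored and applied, not the order syncrepl later replays entries; the sample LDIF is constructed from the entries above with the password and directory omitted.

```python
from typing import Dict, List

# Constructed sample: the three entries from the post, trimmed to what the check needs.
SAMPLE_LDIF = """dn: olcDatabase=mdb,cn=config
changetype: add
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: cn=accesslog
olcRootDN: cn=accesslog

dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config
changetype: add
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcOverlay={2}accesslog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcAccessLogConfig
olcOverlay: {2}accesslog
olcAccessLogDb: cn=accesslog
olcAccessLogOps: writes
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line-separated entries of 'attr: value' lines.
    Base64 (::) values and line folding are not handled; cn=config fragments
    like the ones above do not need them. Attribute names are lower-cased."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_accesslog_refs(text: str) -> List[str]:
    """Return one message per olcAccessLogDb value that names a suffix no
    database entry earlier in the same LDIF defines (DN matching is case-insensitive)."""
    problems: List[str] = []
    suffixes_seen = set()
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for target in entry.get("olcaccesslogdb", []):
            if target.lower() not in suffixes_seen:
                problems.append(f"{dn}: olcAccessLogDb {target} has no database defined before it")
        suffixes_seen.update(s.lower() for s in entry.get("olcsuffix", []))
    return problems
```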
openldap-technical@openldap.org