I've recently updated both my openldap servers to version 2.4.39, and everything seems to be working EXCEPT the mirror synchronization, which was the issue I had previously with 2.4.23. Running on CentOS 6.5.

Setup:
Server1 (provider): ldap-east.xxxxx.net
Server2 (consumer): ldap-west.xxxxx.net

Not using self-signed certs. Instead I have a SAN (Subject Alternative Name) cert from DigiCert with 4 hostnames:
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
I'm using slapd.conf vs cn=config.
The details:
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
	root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE

*** I wonder if there is something about SAN certs where ldap is having issues?
*** Since it is a CA-signed cert in a mirror sync setup, do I need to set it up in the local CA (using certutil) and add it? (Didn't have to for non-sync use.)
*** Unclear on 'not found in database' - which one? I've tried adding it using certutil in various permutations of adding the cert to the local CA database with all the various SAN names as different nicknames.
*** I've also set up symlinks in /etc/openldap/certs pointing from the hashes -> certs - but all of these give the exact same output as above.
From the debug log:
Sep 18 13:39:30 ldap-east slapd[18966]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $#012#011root@admin.xxxxx.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema Sep 18 13:39:30 ldap-east slapd[18966]: PROXIED attributeDescription "SAMACCOUNTNAME" inserted. Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges. Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn=Subschema> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn=subschema> Sep 18 13:39:30 ldap-east slapd[18966]: matching_rule_use_init Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.804 (integerBitOrMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.803 (integerBitAndMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 
'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ 
bootFile $ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.39 (certificateListMatch): Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.38 (certificateListExactMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.35 (certificateMatch): Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.34 (certificateExactMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.30 (objectIdentifierFirstComponentMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.29 (integerFirstComponentMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ 
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.28 (generalizedTimeOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $ modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.27 (generalizedTimeMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.24 (protocolInformationMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.23 (uniqueMemberMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.22 (presentationAddressMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.20 (telephoneNumberMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.18 (octetStringOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.18 NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ olcDbCryptKey ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.17 (octetStringMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.16 (bitStringMatch): Sep 18 13:39:30 ldap-east 
slapd[18966]: matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.15 (integerOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.15 NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.14 (integerMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ 
shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.13 (booleanMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbChecksum $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcAccessLogSuccess $ olcRwmNormalizeMapped $ olcRwmDropUnrequested $ olcSpNoPresent $ olcSpReloadHint $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $ olcDbSessionTrackingRequest $ olcDbNoRefs $ olcDbNoUndefFilter $ olcChainCacheURI $ olcChainReturnError ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.11 (caseIgnoreListMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.9 (numericStringOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.9 NAME 'numericStringOrderingMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.8 (numericStringMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.7 (caseExactSubstringsMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.6 (caseExactOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.6 NAME 
'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOffi Sep 18 13:39:30 
ldap-east slapd[18966]: 2.5.13.5 (caseExactMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st 
$ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.4 (caseIgnoreSubstringsMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.3 (caseIgnoreOrderingMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ 
olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOff Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.2 (caseIgnoreMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags 
$ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.36.79672281.1.13.3 (rdnMatch): Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.1 (distinguishedNameMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) ) Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.0 (objectIdentifierMatch): Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) ) Sep 18 13:39:30 ldap-east slapd[18966]: slapd startup: initiated. 
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "cn=config" Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: No explicit ACL for back-config configured. Using hardcoded default Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=config" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=module{0}" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=schema" Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={0}core> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={0}core> Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={0}core" Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={1}cosine> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={1}cosine> Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={1}cosine" Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={2}inetorgperson> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={2}inetorgperson> Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={2}inetorgperson" Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={3}nis> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={3}nis> Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={3}nis" Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={4}sudo> Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={4}sudo> Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={4}sudo" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={-1}frontend" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={0}config" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={1}ldap" Sep 18 
13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={0}rwm" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={2}bdb" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={0}syncprov" Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={1}glue" Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: ldap_back_db_open: URI=ldap://ad1.xxxxx.net Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: database "dc=xxxxx,dc=net": dbenv_open(/var/lib/ldap). Sep 18 13:39:30 ldap-east slapd[18966]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)", at: "contextCSN" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net") Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_dn2id("dc=xxxxx,dc=net") Sep 18 13:39:30 ldap-east slapd[18966]: <= bdb_dn2id: got id=0x7 Sep 18 13:39:30 ldap-east slapd[18966]: entry_decode: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: <= entry_decode(dc=xxxxx,dc=net) Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0 Sep 18 13:39:30 ldap-east slapd[18966]: slapd starting Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 4r listener=(nil) Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 7r listener=0x7f37cb13f7c0 Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 8r listener=0x7f37cb13f8a0 Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero Sep 18 13:39:30 ldap-east slapd[18966]: 
daemon: epoll: listen=8 active_threads=0 tvp=zero Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on: Sep 18 13:39:30 ldap-east slapd[18966]: Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8 active_threads=0 tvp=zero Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrepl rid=001 Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)", at: "contextCSN" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net") Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry: "dc=xxxxx,dc=net" Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0 Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result not in cache (contextCSN) Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access to "dc=xxxxx,dc=net" "contextCSN" requested Sep 18 13:39:30 ldap-east slapd[18966]: <= root access granted Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access granted by manage(=mwrscxd) Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in cache (contextCSN) Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in cache (contextCSN) Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrep2 rid=001 Sep 18 13:39:30 ldap-east slapd[18966]: do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 13r listener=(nil) Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on: Sep 18 13:39:30 ldap-east slapd[18966]: Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8 active_threads=0 tvp=zero
slapd.conf:

[root@ldap-east openldap]# cat slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema

allow bind_v2

TLSCertificateFile /etc/openldap/certs/ldap_xxxxx_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_xxxxx_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap

moduleload accesslog.la
moduleload rwm.la
moduleload syncprov.la

disallow bind_anon

moduleload back_bdb
moduleload back_ldap

backend bdb

moduleload syncprov

database ldap
suffix "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
uri ldap://ad1.xxxxx.net/
rebind-as-user
idassert-bind bindmethod=simple
    binddn="cn=username,ou=users,ou=xxxxxx,dc=ad,dc=xxxxx,dc=net"
    credentials="xxxxxxxxx"
    mode=none
idassert-authzFrom "*"
chase-referrals yes
subordinate

overlay rwm
rwm-map attribute uid sAMAccountName

database bdb
suffix "dc=xxxxx,dc=net"
checkpoint 1024 15
rootdn "cn=Manager,dc=xxxxx,dc=net"
rootpw {SSHA}xxxxxxxxxxx
directory /var/lib/ldap

access to *
    by dn.base="cn=TestSync,ou=Roles,dc=xxxxx,dc=net" write
    by * break

# Generic ACL section
access to attrs=userPassword,shadowLastChange
    by dn="cn=Manager,dc=xxxxx,dc=net" write
    by anonymous auth
    by self write
    by * none

# Specific ACL section to restrict userPassword to be used for authentication only - 8-15-14
#access to to dn.children="ou=People,dc=xxxxx,dc=net" write
#    attrs=userPasswrod
#    by self write
#    by * auth
#    by dn.children="ou=Customers,ou=People,dc=xxxxx,dc=net" write

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq

#LDAP Sync - Master
serverID 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

#LDAP Sync - Slave
syncrepl rid=001
    provider=ldaps://ldap-west.xxxxx.net
    bindmethod=simple
    binddn="cn=TestSync,ou=Roles,dc=xxxxx,dc=net"
    credentials=xxxxxxx
    searchbase="dc=xxxxx,dc=net"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on

loglevel -1
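The post lists the four DNS names in the DigiCert SAN certificate and a syncrepl directive whose provider= URI names a different host, so the first thing to verify on a consumer is whether the certificate the provider presents actually covers the hostname the consumer connects to. The following is an added example (editor's code, not from the thread or from the OpenLDAP project): it parses the posted syncrepl directive, extracts the provider hostname, and applies RFC 6125 dNSName matching rules (case-insensitive, wildcard only as the whole leftmost label) against the SAN list. The SAN list and directive are taken from the post; the function names parse_syncrepl, host_from_uri, san_matches and check_provider_cert are this example's own.

```python
"""Check whether a syncrepl provider hostname is covered by a certificate's SAN
DNS names. Added example for the thread above; names below are hypothetical.
"""
import shlex
from urllib.parse import urlsplit

# SAN DNS names of the DigiCert certificate, as listed in the post.
SAN_DNS_NAMES = [
    "ldap.xxxxx.net",
    "ldap-1.xxxxx.net",
    "ldap-2.xxxxx.net",
    "ldap-alt.xxxxx.net",
]

# The syncrepl directive from the posted slapd.conf (credentials redacted there too).
SYNCREPL_DIRECTIVE = (
    'syncrepl rid=001 provider=ldaps://ldap-west.xxxxx.net bindmethod=simple '
    'binddn="cn=TestSync,ou=Roles,dc=xxxxx,dc=net" credentials=xxxxxxx '
    'searchbase="dc=xxxxx,dc=net" schemachecking=on type=refreshAndPersist '
    'retry="60 +" mirrormode on'
)


def parse_syncrepl(directive):
    """Split one slapd.conf syncrepl line into a dict of key=value settings.

    shlex keeps quoted values ("60 +", the bind DN) together. The trailing
    'mirrormode on' that the post flattened onto the same line has no '=' and
    is skipped; in slapd.conf it is a separate directive.
    """
    tokens = shlex.split(directive)
    if not tokens or tokens[0] != "syncrepl":
        raise ValueError("not a syncrepl directive")
    settings = {}
    for tok in tokens[1:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            settings[key] = value
    return settings


def host_from_uri(uri):
    """Return the lowercase hostname of an ldap:// or ldaps:// URI."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("unsupported provider URI: %s" % uri)
    return parts.hostname.lower()


def san_matches(san_name, hostname):
    """RFC 6125 section 6.4.3 comparison of one dNSName against a hostname."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # The wildcard must be the complete leftmost label and must have at
    # least two labels to its right, so "*.net" never matches anything.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def check_provider_cert(directive, san_dns_names):
    """Return a dict describing SAN coverage of the provider host.

    Returned rather than printed so the result can be checked programmatically.
    """
    settings = parse_syncrepl(directive)
    host = host_from_uri(settings["provider"])
    matching = [n for n in san_dns_names if san_matches(n, host)]
    return {
        "provider_host": host,
        "covered_by_san": bool(matching),
        "matching_names": matching,
        # slapd.conf(5): syncrepl's tls_reqcert defaults to "demand", under
        # which libldap also checks the hostname against the certificate.
        "tls_reqcert": settings.get("tls_reqcert", "demand (default)"),
    }


if __name__ == "__main__":
    for key, value in check_provider_cert(SYNCREPL_DIRECTIVE, SAN_DNS_NAMES).items():
        print("%-16s %s" % (key, value))
```

Run against the thread's values, the check reports whether ldap-west.xxxxx.net is covered by any of the four SAN names; in a mirrormode pair the same check should be repeated from the other server with its own provider= URI, since each side is a consumer of the other.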
Sterling Sahaydak wrote:
> I've recently updated both my openldap servers to version 2.4.39, and everything seems to be working EXCEPT the mirror synchronization, which was the issue I had previously with 2.4.23. Running on CentOS 6.5.
> Setup:
> Server1 (provider): ldap-east.xxxxx.net
> Server2 (consumer): ldap-west.xxxxx.net
> Not using self-signed certs. Instead I have a SAN (Subject Alternative Name) cert from DigiCert with 4 hostnames: ldap.xxxxx.net ldap-1.xxxxx.net ldap-2.xxxxx.net ldap-alt.xxxxx.net
> I'm using slapd.conf vs cn=config.
> The details:
> [root@ldap-east certs]# slapd -d sync
> 541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
> 	root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
> 541b16ed /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema
> 541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
> 541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
> 541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
> 541b16ed slapd starting
> TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
> TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully loaded from PEM file.
> TLS: no unlocked certificate for certificate 'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
> 541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
> *** I wonder if there is something about SAN certs where ldap is having issues?
This has nothing to do with OpenLDAP. Your build is using the MozNSS crypto library, ask Red Hat for help with that.
> *** Since it is a CA-signed cert in a mirror sync setup, do I need to set it up in the local CA (using certutil) and add it? (Didn't have to for non-sync use.)
> *** Unclear on 'not found in database' - which one? I've tried adding it using certutil in various permutations of adding the cert to the local CA database with all the various SAN names as different nicknames.
> *** I've also set up symlinks in /etc/openldap/certs pointing from the hashes -> certs - but all of these give the exact same output as above.
> From the debug log:
openldap-technical@openldap.org