My N-WAY replication works properly with a "bindmethod=simple".
However, I don't like keeping a password in clear in a configuration file, so I tried this:
On server "ldap-master1.example.fr":
TLSVerifyClient allow
syncrepl rid=101 provider=ldap://ldap-master2.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master1/server.crt tls_key=/etc/openldap/cacerts/master1/server.key tls_cacert=/etc/openldap/cacerts/CA.crt tls_reqcert=demand
On server "ldap-master2.example.fr":
TLSVerifyClient allow
syncrepl rid=201 provider=ldap://ldap-master1.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master2/server.crt tls_key=/etc/openldap/cacerts/master2/server.key tls_cacert=/etc/openldap/cacerts/CA.crt
I get a segmentation fault:
ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
<= bdb_inequality_candidates: (entryCSN) not indexed
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=2 SRCH attr=* +
conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
Erreur de segmentation
The segfault happened when the second server tried to sync with the first one:
[root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
	mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
^C
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
Any idea?
NOTE: if I start the daemon on ldap-master2, it's ldap-master2 that produces the seg fault.
--- Olivier
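A configuration lint for the two syncrepl directives above, added here as an example (it is not from the thread or from OpenLDAP): it parses each directive as posted and flags the settings a certificate-authenticated (SASL EXTERNAL over StartTLS) consumer depends on. The get_opt and audit_syncrepl functions are mine; the key-permission check only runs where the key path exists on the machine running the script.

```shell
#!/bin/sh
# Added example, not part of the thread: lint slapd.conf syncrepl directives that
# authenticate with bindmethod=sasl saslmech=EXTERNAL (TLS client certificate).
# POSIX sh only. The two directives below are copied verbatim from the thread.

MASTER1='syncrepl rid=101 provider=ldap://ldap-master2.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master1/server.crt tls_key=/etc/openldap/cacerts/master1/server.key tls_cacert=/etc/openldap/cacerts/CA.crt tls_reqcert=demand'
MASTER2='syncrepl rid=201 provider=ldap://ldap-master1.example.fr:389 searchbase="dc=example,dc=fr" schemachecking=on type=refreshOnly interval=00:00:01:00 retry="10 +" bindmethod=sasl saslmech=EXTERNAL starttls=critical tls_cert=/etc/openldap/cacerts/master2/server.crt tls_key=/etc/openldap/cacerts/master2/server.key tls_cacert=/etc/openldap/cacerts/CA.crt'

# get_opt DIRECTIVE KEY: print KEY's value with surrounding quotes stripped.
# The leading [[:space:]] stops tls_cert= from matching inside tls_cacert=.
get_opt() {
  printf '%s\n' "$1" |
    sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^[:space:]\"]*\)\"\{0,1\}.*/\1/p"
}

# audit_syncrepl DIRECTIVE: one finding per line; exit status = number of findings.
audit_syncrepl() {
  d=$1; n=0
  [ "$(get_opt "$d" bindmethod)" = sasl ] && [ "$(get_opt "$d" saslmech)" = EXTERNAL ] || {
    echo "not a SASL/EXTERNAL consumer; nothing to check"; return 0; }
  # slapd.conf(5): without starttls=critical a failed StartTLS lets the session
  # continue without TLS, and EXTERNAL then has no certificate to bind with.
  [ "$(get_opt "$d" starttls)" = critical ] || { echo "starttls is not 'critical'"; n=$((n+1)); }
  for k in tls_cert tls_key tls_cacert; do
    [ -n "$(get_opt "$d" "$k")" ] || { echo "$k is not set (EXTERNAL needs cert, key and CA)"; n=$((n+1)); }
  done
  # Verify the provider's certificate explicitly rather than inheriting a default.
  [ "$(get_opt "$d" tls_reqcert)" = demand ] || { echo "tls_reqcert is not set to 'demand'"; n=$((n+1)); }
  # The consumer's private key, if present on this host, must not be world-readable.
  key=$(get_opt "$d" tls_key)
  if [ -n "$key" ] && [ -e "$key" ] && [ -n "$(find "$key" -prune -perm -004)" ]; then
    echo "$key is world-readable"; n=$((n+1))
  fi
  return $n
}

for d in "$MASTER1" "$MASTER2"; do
  echo "== rid=$(get_opt "$d" rid) -> $(get_opt "$d" provider)"
  audit_syncrepl "$d" && echo "   ok" || echo "   $? finding(s)"
done
```

On the provider side the identity that matters for ACLs is the DN slapd derives from the client certificate (the authzid= shown in the log above), not any binddn; that DN needs read access to the searchbase or the consumer's search returns no entries.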
On 08/12/2011 07:17 AM, Olivier wrote:
> Any idea?

Can you get a core file and a stack trace from the server that gets the seg fault? I'm assuming from the build that you are running on Fedora 14 or later, or RHEL6.1. You should make sure the openldap-debuginfo package is installed (e.g. debuginfo-install openldap) and install abrt. This will collect the core files in /var/spool/abrt.
Thanks Rich,
> You should make sure the openldap-debuginfo

On track: I rolled back to the simple bindmethod at this stage and have created a dedicated proxy user for replication.
Once I can get this package (internal procedures...), I'll check and come back on that issue.
Thanks,
--- Olivier
On Fri, Aug 12, 2011 at 4:14 PM, Rich Megginson rich.megginson@gmail.com wrote:
> Can you get a core file and a stack trace from the server that gets the seg fault? I'm assuming from the build that you are running on Fedora 14 or later, or RHEL6.1. You should make sure the openldap-debuginfo package is installed (e.g. debuginfo-install openldap) and install abrt. This will collect the core files in /var/spool/abrt.
openldap-technical@openldap.org