Hi!
I had sent a request for documentation to the ITS, because I feel that something is wrong with OpenLDAP 2.4.26 (as shipped with SLES11 SP2), but I was redirected:
I wrote:
Full_Name: Ulrich Windl
Version: 2.4.26
OS: Linux (SLES11 SP2)
[...]
I was able to set up a master LDAP server and a replication consumer using the physical host names and TLS. However when I tried to bind slapd on a virtual IP address ("interface alias"), I never got slapd working (even though I fixed the certificates for TLS, of course). Dynamic configuration ("cn=config") seems to make things very difficult, because slapd ends in a state where _nobody_ can make configuration changes.
Use the openldap-technical mailing list to ask for configuration help.
You talk about IP addresses and yet in your quoted text below you are using hostnames. Be consistent when you post your question to the mailing list otherwise no one will understand what you're asking for.
--> Obviously slapd listens to ports, not to names, and names were invented so that people don't have to remember IP addresses, but you know.
--> Only with X.509 certificates is the relation between names and addresses of some importance, but you can believe me that I understand that.
Closing this ITS.
It seems slapd tried to use the wrong URI (using the physical host where nobody is listening):
  slapd[10036]: slap_client_connect: URI=ldap://phost.domain.org/ Error, ldap_start_tls failed (-1)
  slapd[10036]: do_syncrepl: rid=002 rc -1 retrying
slapd is listening on ldap://vhost.domain.org/ however.
--> You should believe me if I say so.
I read lots of procedures using Google, but could not find the solution for this problem. Thus I suggest adding documentation on how to configure such a scenario:
1) Set up an LDAP Master server that provides service on a specific IP address using TLS
2) Set up a replication consumer that provides service on a specific IP address using TLS also
3) The replication consumer should use the address where the master server listens for replication
It sounds like an every-day setup, but I failed multiple times, thus the request for documentation.
Still waiting for a procedure. Something seems to be non-obvious or broken.
Some details (randomly picked, with some names obfuscated):
(master server)
  olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" credentials="wNkWudLd3ko8"
The process is started as "/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"
And the syslog messages I'm seeing over and over are like this:
  Jul 5 08:23:16 v07 slapd[25914]: slap_client_connect: URI=ldap://v07.domain.org/ Error, ldap_start_tls failed (-1)
  Jul 5 08:23:16 v07 slapd[25914]: do_syncrepl: rid=002 rc -1 retrying
Obviously a connection to the "v07" address is not possible, because the server listens to the "ds1" address. The interface settings look like this:
  eth0      Link encap:Ethernet  HWaddr 00:16:3E:5C:DD:76
            inet addr:172.20.16.38  Bcast:172.20.17.255  Mask:255.255.254.0
            inet6 addr: fe80::216:3eff:fe5c:4d76/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:6334378 errors:0 dropped:6 overruns:0 frame:0
            TX packets:237667 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:421369553 (401.8 Mb)  TX bytes:49452419 (47.1 Mb)

  eth0:ds1  Link encap:Ethernet  HWaddr 00:16:3E:5C:DD:76
            inet addr:172.20.17.200  Bcast:172.20.17.255  Mask:255.255.254.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
Using ldapmodify I get:
  v07:~ # ldapmodify -v -ZZ -x -W -D cn=config -H ldap://ds1.domain.org -f /tmp/fix1.ldif
  ldap_initialize( ldap://ds1.domain.org:389/??base )
  Enter LDAP Password:
  replace olcServerID:
          1 ldap://ds1.domain.org
  modifying entry "cn=config"
  ldap_modify: Server is unwilling to perform (53)
          additional info: shadow context; no update referral
When editing the files in the slapd.d directory, I get:
  Jul 5 09:11:25 v07 slapd[15014]: @(#) $OpenLDAP: slapd 2.4.26 (Sep 26 2012 13:21:45) $
          abuild@e71:/usr/src/packages/BUILD/openldap-2.4.26/servers/slapd
  Jul 5 09:11:25 v07 slapd[15014]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
  Jul 5 09:11:25 v07 slapd[15014]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif"
  Jul 5 09:11:25 v07 slapd[15015]: hdb_monitor_db_open: monitoring disabled; configure monitor database to enable
  Jul 5 09:11:25 v07 slapd[15015]: slapd starting
  Jul 5 09:11:25 v07 slapd[15015]: slap_client_connect: URI=ldap://ds1.domain.org/ DN="uid=syncrepl,ou=system,dc=domain,dc=org" ldap_sasl_bind_s failed (49)
  Jul 5 09:11:25 v07 slapd[15015]: do_syncrepl: rid=002 rc 49 retrying
  Jul 5 09:11:25 v07 slapd[15015]: slap_client_connect: URI=ldap://ds1.domain.org/ DN="uid=syncrepl,ou=system,dc=domain,dc=org" ldap_sasl_bind_s failed (49)
  Jul 5 09:11:25 v07 slapd[15015]: do_syncrepl: rid=001 rc 49 retrying
  Jul 5 09:12:37 v07 nscd: nss-ldap: do_open: do_start_tls failed:stat=-1
(So obviously the syncrepl provider has changed, but it still won't work)
Regards, Ulrich
On 07/05/13 09:17 +0200, Ulrich Windl wrote:
> The process is started as "/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"
> And the syslog messages I'm seeing over and over are like this:
>   Jul 5 08:23:16 v07 slapd[25914]: slap_client_connect: URI=ldap://v07.domain.org/ Error, ldap_start_tls failed (-1)
>   Jul 5 08:23:16 v07 slapd[25914]: do_syncrepl: rid=002 rc -1 retrying
> Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
See:
http://www.openldap.org/lists/openldap-technical/201211/msg00195.html
Hi,
On 05.07.2013 09:17, Ulrich Windl wrote:
> I was able to set up a master LDAP server and a replication consumer using the [...]
> [...] Dynamic configuration ("cn=config") seems to
Are you trying to replicate the cn=config db or just the 'real data' dbs?
> make things very difficult, because slapd ends in a state where _nobody_ can make configuration changes.
A replicated database, i.e. on a consumer site is not editable because this would lead to inconsistencies. That is basically what the error message tells you.
> I read lots of procedures using Google, but could not find the solution for this problem. Thus I suggest adding documentation on how to configure such a scenario:
> 1) Set up an LDAP Master server that provides service on a specific IP address using TLS
> 2) Set up a replication consumer that provides service on a specific IP address using TLS also
> 3) The replication consumer should use the address where the master server listens for replication
Though a little scattered through the documentation on setting up replication, man slapd and man slapd-config, this is already covered in the documentation. What you are looking for is a cookbook recipe.
I suggest learning in this order:
1. Set up an LDAP server with basic configuration, listening to protocol://address:port of your liking (you can even have multiple slapd running on the same host if they use different dbs and ports). Make sure that, if you use hostnames, they point to the right IP addresses.
2. Set up TLS for said server. TLS certificate subject and subjectAltNames usually do not incorporate IP addresses; thus all you require is a working DNS setup.
3. Set up a second LDAP server with TLS listening to protocol://address:port of your liking.
4. Set up a syncprov on one of the servers and a syncrepl on the other, replicating a small test db, e.g. an hdb, bdb, or mdb.
5. Should you want to set up a multimaster system, set up syncprov and syncrepl for both servers' cn=config dbs and make sure you enable the mirrormode.
> Some details (randomly picked, with some names obfuscated):
> (master server)
>   olcSyncrepl: {0}rid=2 provider="ldap://v07.domain.org/" searchbase="dc=domain,dc=org" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=domain,dc=org" credentials="wNkWudLd3ko8"
I assume you want to replicate cn=config in a multimaster setup, otherwise this makes no sense. A master does not need a syncrepl directive for providing syncrepl to a consumer.
> The process is started as "/usr/lib/openldap/slapd -h ldap://ds1.domain.org:389 ldaps://ds1.domain.org:636 ldapi:/// -F /etc/openldap/slapd.d -u ldap -g ldap -o slp=off"
Is this the same 'master' that has the syncrepl directive from above or a consumer?
> Obviously a connection to the "v07" address is not possible, because the server listens to the "ds1" address.
If you used the above slapd command for your replication provider, that is true. Note that you can specify multiple URIs to -h.
> Basically I think I have to fix the "olcSyncrepl provider" and possibly the "olcServerID", but with dynamic configuration I cannot do it:
> Using ldapmodify I get:
>   v07:~ # ldapmodify -v -ZZ -x -W -D cn=config -H ldap://ds1.domain.org -f /tmp/fix1.ldif
>   ldap_initialize( ldap://ds1.domain.org:389/??base )
>   Enter LDAP Password:
>   replace olcServerID:
>           1 ldap://ds1.domain.org
>   modifying entry "cn=config"
>   ldap_modify: Server is unwilling to perform (53)
>           additional info: shadow context; no update referral
s.a. This tells you that the slapd service you bind to has a replicated cn=config db which it is not allowed to modify, and there is no master service to which it could refer you.
> When editing the files in the slapd.d directory, I get:
You should not. The canonical way when you have shut yourself out of your db in this way is to slapcat your config, edit the output and slapadd it to the *offline* server cn=config db. Otherwise you get the reported checksum errors.
Also the output suggests that you still might not have a syncprov listening on the interface corresponding to the IP address of the hostname.
###
I fear you have not fully understood how LDAP replication works. I advise reading chapter 18 of the OpenLDAP Administration manual carefully and afterwards having a look at the syncprov overlay and syncrepl directives (man 5 slapo-syncprov; man 5 slapd-config).
Also I am not sure what you are actually trying to accomplish. Maybe a set of acceptable requirements for your setup would help, e.g.
- I want one master db provider that provides database content and updates to all consumer dbs
- I want connections between consumers to use TLS (server auth only | client and server auth)
...
I hope that I could help you somewhat and look forward to any questions you still have. (Don't fret, ldap sync setup is not that easy to understand for the first time)
hth
openldap-technical@openldap.org
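The offline repair the reply describes (slapcat the consumer's cn=config, edit it, slapadd it back with slapd stopped), scripted as an added example that is not from the thread or from the OpenLDAP project. It assumes the SLES paths /etc/openldap/slapd.d and /etc/init.d/ldap, the ldap user and group from the quoted slapd command line, and the two hostnames from the thread; it also unfolds LDIF continuation lines first, because slapcat wraps long values (the "credent ials" in the quoted olcSyncrepl is such a fold) and a plain sed would miss a provider URI split across one.

```shell
#!/bin/sh
# Added example, not from the thread: offline repair of a consumer's
# replicated cn=config (slapcat -> edit -> slapadd), as the reply advises.
# Assumptions: SLES paths (/etc/openldap/slapd.d, /etc/init.d/ldap) and the
# ldap user/group from the slapd command line; hostnames from the thread.
set -eu
CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}
INITSCRIPT=${INITSCRIPT:-/etc/init.d/ldap}   # assumed; adjust for your distro
OLD_PROVIDER=${OLD_PROVIDER:-ldap://v07.domain.org/}
NEW_PROVIDER=${NEW_PROVIDER:-ldap://ds1.domain.org/}
# slapcat folds long attribute values, continuing them on lines that start
# with one space (the "credent ials" in the quoted olcSyncrepl is such a
# fold). Join them first; otherwise a URI split across a fold is not matched.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}
# Rewrite provider="$1" to provider="$2" in olcSyncrepl values, stdin to stdout.
rewrite_provider() {
    _old=$(printf '%s' "$1" | sed 's/\./\\./g')   # '.' is special in the pattern
    _new=$(printf '%s' "$2" | sed 's/&/\\&/g')    # '&' is special in the replacement
    unfold_ldif | sed "/^olcSyncrepl:/ s|provider=\"$_old\"|provider=\"$_new\"|"
}
# Number of olcSyncrepl values (stdin) still naming provider "$1"; 0 means fixed.
count_old_provider() {
    unfold_ldif | grep -c "^olcSyncrepl:.*provider=\"$1\"" || true
}
# The procedure itself. slapd must be stopped: slapadd on a live database
# corrupts it, and editing files under slapd.d by hand breaks their checksums.
repair_config() {
    "$INITSCRIPT" stop
    slapcat -n 0 -F "$CONFDIR" | rewrite_provider "$OLD_PROVIDER" "$NEW_PROVIDER" > /tmp/config.ldif
    mv "$CONFDIR" "$CONFDIR.bak.$(date +%s)"   # keep the old tree for rollback
    mkdir -m 0750 "$CONFDIR"
    slapadd -n 0 -F "$CONFDIR" -l /tmp/config.ldif
    chown -R ldap:ldap "$CONFDIR"
    "$INITSCRIPT" start
}
# Constructed sample of slapcat output, folded inside the provider URI.
SAMPLE_LDIF='dn: olcDatabase={1}hdb,cn=config
olcSyncrepl: {0}rid=2 provider="ldap://v07.dom
 ain.org/" searchbase="dc=domain,dc=org" type="refreshAndPersist" credent
 ials="SECRET-PLACEHOLDER"
'
# Only touches the real config when invoked as: sh fix.sh repair
if [ "${1:-}" = "repair" ]; then repair_config; fi
```

Run it without arguments to load the helpers only; `printf '%s' "$SAMPLE_LDIF" | rewrite_provider "$OLD_PROVIDER" "$NEW_PROVIDER"` shows the rewrite on the constructed sample before you point it at a real slapcat dump.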