I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely.
The cn=config section in slapd.conf looks like this:
# sync provider configuration
overlay syncprov
syncprov-checkpoint 1 1

syncrepl rid=001
    provider=ldap://server1
    searchbase="cn=config"
    filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/csa-certs/config.crt
    tls_key=/etc/openldap/csa-certs/config.key
    tls_cacert=/etc/openldap/csa-certs/cacert.pem
    tls_reqcert=demand
    type=refreshAndPersist
    retry="5 10 10 10 30 +"
    timeout=1

syncrepl rid=002
    provider=ldap://server2
    searchbase="cn=config"
    filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
    tls_cert=/etc/openldap/csa-certs/config.crt
    tls_key=/etc/openldap/csa-certs/config.key
    tls_cacert=/etc/openldap/csa-certs/cacert.pem
    tls_reqcert=demand
    type=refreshAndPersist
    retry="5 10 10 10 30 +"
    timeout=1

mirrormode on
If I comment out that section in slapd.conf then "ldapsearch -ZZ" works but (obviously) I don't get cn=config replication.
Am I doing something wrong in the configuration? Is it a fluke that it is working on 2.4.23 in the first place? Or does anyone know what may have changed (or is more strict or whatever) in the 2.4.40 release?
Should I try to just remove RHEL's version of OpenLDAP and install the latest from openldap.org instead?
Any assistance is highly appreciated!
Thanks,
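The following script is an added example, not code from Frank's post or from the OpenLDAP project. It turns the hang described above into a bounded, reportable check: it wraps the "ldapsearch -ZZ" probe in a timeout so a stuck StartTLS handshake returns a distinct exit status instead of blocking the shell, and it compares the contextCSN values of the two mirrormode providers to confirm that cn=config replication is actually converging. It assumes coreutils timeout(1) and OpenLDAP's ldapsearch are installed, that the client's ldap.conf or ~/.ldaprc already points TLS_CACERT/TLS_CERT/TLS_KEY at the same files the syncrepl stanza uses, and that server1/server2 are placeholder host names.

```shell
#!/bin/sh
# Added example (not from the thread). Bounded StartTLS probe plus a
# contextCSN comparison for a two-node cn=config mirrormode pair.
# Assumptions: coreutils timeout(1), OpenLDAP ldapsearch, and client TLS
# settings (TLS_CACERT/TLS_CERT/TLS_KEY) already in ldap.conf or ~/.ldaprc.

PROBE_TIMEOUT="${PROBE_TIMEOUT:-15}"

# Anonymous root DSE read over StartTLS, bounded by PROBE_TIMEOUT seconds.
# Exit status: 0 = handshake and search succeeded, 124 = timeout(1) killed
# it (the hang described in the thread), anything else = ldapsearch error.
probe_starttls() {
    timeout "$PROBE_TIMEOUT" ldapsearch -ZZ -x -H "ldap://$1" \
        -b "" -s base -LLL 1.1 >/dev/null 2>&1
}

# Dump the contextCSN attribute of cn=config from one provider, binding with
# the client certificate via SASL EXTERNAL, the same way syncrepl does.
fetch_config_csn() {
    timeout "$PROBE_TIMEOUT" ldapsearch -ZZ -Y EXTERNAL -Q -H "ldap://$1" \
        -b cn=config -s base -LLL contextCSN 2>/dev/null
}

# Read LDIF on stdin and print only the contextCSN values, one per line,
# sorted. With mirrormode each provider carries one contextCSN per serverID,
# so the sorted sets from two providers are directly comparable.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Compare two LDIF dumps passed as strings. Prints "in-sync" and returns 0
# when both carry the same non-empty contextCSN set, "diverged" / 1 otherwise
# (an empty dump, e.g. from a failed fetch, counts as diverged).
compare_csn() {
    csn_a=$(printf '%s\n' "$1" | extract_csn)
    csn_b=$(printf '%s\n' "$2" | extract_csn)
    if [ -n "$csn_a" ] && [ "$csn_a" = "$csn_b" ]; then
        echo in-sync
        return 0
    fi
    echo diverged
    return 1
}

# Full check for a provider pair: probe both, then compare their contextCSNs.
check_pair() {
    for host in "$1" "$2"; do
        rc=0
        probe_starttls "$host" || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$host: StartTLS probe ok"
        elif [ "$rc" -eq 124 ]; then
            echo "$host: ldapsearch -ZZ hung for ${PROBE_TIMEOUT}s"
        else
            echo "$host: ldapsearch -ZZ failed (exit $rc)"
        fi
    done
    compare_csn "$(fetch_config_csn "$1")" "$(fetch_config_csn "$2")"
}

# Only talk to real servers when two host names are given on the command
# line, e.g.:  sh check_config_repl.sh server1 server2
if [ $# -ge 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it against both providers after each restart; a 124 from the probe reproduces the reported hang without tying up a terminal, and a "diverged" result after the retry schedule has elapsed tells you the syncrepl consumer never completed its refresh even if the daemon is answering.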
On Tue, Mar 22, 2016 at 02:04:14PM -0400, Frank Crow wrote:
> I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely.

http://www.openldap.org/its/?findid=8384
https://bugzilla.redhat.com/show_bug.cgi?id=1317000
--On Tuesday, March 22, 2016 12:09 PM -0700 Ryan Tandy ryan@nardis.ca wrote:
> On Tue, Mar 22, 2016 at 02:04:14PM -0400, Frank Crow wrote:
>> I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely.
>
> http://www.openldap.org/its/?findid=8384
> https://bugzilla.redhat.com/show_bug.cgi?id=1317000
As has been endlessly noted on this list, do not use builds from RHEL in production. If you cannot build and maintain your own OpenLDAP builds, then I'd strongly advise either using the builds from the LTB project, which sanely use OpenSSL instead of RH's broken MozNSS (http://ltb-project.org/wiki/download#openldap) or, if you require support, the builds from Symas (https://symas.com/products/openldap-directory/). Using the broken cruft shipped by RH is just asking for trouble.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
openldap-technical@openldap.org