
(ITS#3995) syncrepl with subordinate back-meta keeps reconnecting.



Full_Name: Perry Nguyen
Version: 2.3.7
OS: Linux FC3
URL: http://w3.gofti.com/~pfnguyen/openldap/2.3.7-syncrepl-reconnecting.txt
Submission from: (NULL) (66.245.252.239)


I am using syncrepl to replicate from a master which has a bdb and a back-meta
glued into the same namingContext.  On the master, I have an ACL set so that the
replicator login cannot descend into the glued back-meta.  When I launch the
consumer slapd, it connects to the master in a continual loop, something that
/seems/ like for (;;) reconnect_to_master();

(Yes, I realize the backend configurations for the producer and consumer are
different, I am testing changes on the master which I've not yet propagated to
the slave).

The configuration of the producer and consumer slapds and a log of the consumer
follow:

###
### Master configuration:
###
### NOTE(review): provider-side slapd.conf as posted by the reporter.  Directive
### order is significant in slapd.conf (global directives must precede the
### first "database", ACL "by" clauses are first-match), so the sequence is
### preserved exactly as given.
include                /etc/openldap/schema/core.schema
include                /etc/openldap/schema/cosine.schema
include                /etc/openldap/schema/inetorgperson.schema
include                /etc/openldap/schema/nis.schema

include                /etc/openldap/schema/ppolicy.schema
include                /etc/openldap/schema/samba.schema
include                /etc/openldap/schema/krb5-kdc.schema
include                /etc/openldap/schema/ibmPerson.schema

pidfile                /var/run/slapd.pid
argsfile               /var/run/slapd.args

# Server-side TLS material; the CA file is also what this slapd trusts when it
# is the client of the ldaps:// targets configured in the meta database below.
TLSCACertificateFile /usr/share/ssl/CA/cacert.pem
TLSCertificateFile /etc/ssl/server/wassup.cert
TLSCertificateKeyFile /etc/ssl/server/wassup.key

#loglevel -1

# ssf=0: no global minimum protection is required for ordinary operations.
# simple_bind=64: a simple (password) bind is refused unless the session already
# has SSF >= 64 (in practice TLS), so passwords are never accepted in the clear.
# update_ssf=56: the same minimum is applied to write operations.
# NOTE(review): the slave configuration further down uses update_ssf=70 rather
# than 56 - confirm the mismatch is intentional.
security ssf=0 update_ssf=56 simple_bind=64

# Do not allow users to change their objectClass, or POSIX uid/gid values
# This rule sits before the catch-all "access to *" below, so the "by self
# write" granted there does not extend to these attributes: a user cannot
# change his own objectClass, uidNumber, gidNumber or saslAuthzTo.  saslAuthzTo
# is the attribute that lets an identity assume other identities (proxy
# authorization), so keeping it admin-only matters even though whether it is
# honoured at all depends on authz-policy, which is not shown here.
access to attrs=objectClass,uidNumber,gidNumber,saslAuthzTo
        by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
        by * read

# Do not allow anyone to read any of the encrypted passwords
# Every clause requires ssf=56, so on an unprotected session no "by" clause
# matches and the implicit "by * none" applies: password hashes are neither
# readable nor usable for authentication without transport protection.  The
# replication identity gets read so that userPassword can be replicated.
access to attrs=userPassword
        by ssf=56
           group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
        by ssf=56
           dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
        by ssf=56 * auth

# Access control the administrative group
# Membership of the admin group is the key to every "write" clause in this
# file; only root and existing members may change it.
access to dn.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
        by dn.base="uid=root,ou=People,ou=ecmbi,o=ibm" write
        by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by * read

# Only the Local Admin should be able to access the kerberos tree
# krb5Key: same ssf=56 gate as userPassword, and an explicit "by * none" so the
# key material is never readable by anyone else (not even for auth).
access to attrs=krb5Key
        by ssf=56
           group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
        by ssf=56
           dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
        by * none
access to dn.sub="ou=Kerberos,ou=ecmbi,o=ibm"
        by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
        by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
        by * none

# Deny access to replicate the SSO DIT
# This is the rule the report is about: the replication identity is denied on
# the subtree served by the glued back-meta database.  The "none" clause must
# precede "by * read" because the first matching "by" clause wins.  The
# consumer's search over the whole naming context therefore hits a subtree it
# may not see; how the provider answers that is what the reporter observes as
# a reconnect loop.
access to dn.sub="ou=sso,ou=ecmbi,o=ibm"
        by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" none
        by * read

# read access for all, write by the user himself and write to all by admins
# NOTE(review): "by self write" here covers every attribute not matched by an
# earlier rule (e.g. krb5PrincipalName, mail, loginShell on the user's own
# entry), and "by * read" makes everything else, including the proxied SSO
# tree, readable anonymously - confirm both are intended.
access to *
        by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
        by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
        by self write
        by * read

# Proxy database glued under the bdb naming context below.  "readonly on"
# rejects all writes at this backend; "nretries forever" means a target that
# is unreachable is retried without limit rather than failing the operation.
database        meta
readonly        on
nretries        forever
suffix          "ou=sso,ou=ecmbi,o=ibm"
# The two bluepages targets are reached over ldaps://.  Whether the remote
# certificate is verified for these outbound connections is governed by the
# client-side TLS settings (e.g. ldap.conf TLS_REQCERT), which are not shown.
uri             "ldaps://bluepages.ibm.com/c=us,ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
uri             "ldaps://bluepages.ibm.com/c=cn,ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"
# NOTE(review): this target uses plain ldap:/// with no host (i.e. this host
# itself) and carries a trailing ';' that the other uri lines do not have -
# confirm the ';' is not a typo and that the loopback connection is meant to
# be unencrypted.
uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=SSO Stub,ou=ecmbi,o=ibm"

# Marks this database as subordinate to the database that follows (the bdb
# database with suffix "ou=ecmbi,o=ibm"); subordinate databases must be
# declared before their superior.
subordinate

database        bdb
suffix          "ou=ecmbi,o=ibm"

# an unusable rootdn for features that require it.
# No rootpw is configured, so this DN cannot bind with a password, and none of
# the authz-regexp rules in this file map a SASL identity onto it.
rootdn          "cn=LDAP Directory Master,ou=DSE,ou=ecmbi,o=ibm"

directory       /var/lib/ldap

cachesize       1024
checkpoint      1024 15
# Indices to maintain for this database
# entryUUID/entryCSN equality indices serve the syncrepl provider's lookups.
index entryUUID,entryCSN                eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

### Index for krb5
index krb5PrincipalName                 eq

index notesShortName                    eq

# enable this server as a syncrepl master
# syncprov applies only to this bdb database; the subordinate meta database
# above has no syncprov overlay, so its content is never offered to consumers
# regardless of the ACL that denies the replicator there.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

overlay         ppolicy
ppolicy_default "cn=Default Password Policy,ou=Policies,ou=ecmbi,o=ibm"

### End database bdb config

# typically, this rule should only be used by Heimdal kerberos
# cn=peercred,cn=external,cn=auth identities only arise on local ldapi://
# (Unix-domain socket) connections, so these two rules grant Local Admin to
# whatever runs as uid 0 / gid 0 on this host.  authz-regexp rules are tried
# in order and the first match wins, which is why the specific rules come
# before the generic uid=$1 ones at the end.
authz-regexp
        uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
        "uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
        gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        "uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"

# The consumer's host service principal (ldap/swapus...) is mapped to the
# replication identity used in the ACLs above; both the realm-qualified
# (cn=ecmbi) and unqualified forms are covered.
authz-regexp
        uid=ldap/swapus.svl.ibm.com,cn=ecmbi,cn=GSSAPI,cn=auth
        "uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
        uid=ldap/swapus.svl.ibm.com,cn=GSSAPI,cn=auth
        "uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"

# Presumably so the consumer's initial refresh is not truncated by the default
# size/time limits - it applies only to the replication identity.
limits dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
        size=unlimited time=unlimited

authz-regexp
        uid=root,cn=ecmbi,cn=GSSAPI,cn=auth
        uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
        uid=root,cn=GSSAPI,cn=auth
        uid=root,ou=Services,ou=ecmbi,o=ibm

# Generic mapping of any other GSSAPI principal onto ou=People.  The capture
# group [^,/]+ excludes '/' and ',' so host/service principals (ldap/host) and
# extra RDN components cannot match here; the result is used as a literal DN
# rather than a search URL, so $1 is not interpreted as a filter.
authz-regexp
        uid=([^,/]+),cn=ecmbi,cn=GSSAPI,cn=auth
        uid=$1,ou=People,ou=ecmbi,o=ibm
authz-regexp
        uid=([^,/]+),cn=GSSAPI,cn=auth
        uid=$1,ou=People,ou=ecmbi,o=ibm

###
### Slave Configuration:
###
### NOTE(review): consumer-side slapd.conf as posted.  The reporter notes the
### backend layout intentionally differs from the master's at this point.
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema

include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/ibmPerson.schema

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

# Same CA as the master; this file is also what the syncrepl consumer trusts
# when it connects to provider="ldaps://wassup.svl.ibm.com" further down.
TLSCACertificateFile /usr/share/ssl/CA/cacert.pem
TLSCertificateFile /etc/ssl/server/swapus.cert
TLSCertificateKeyFile /etc/ssl/server/swapus.key

# simple_bind=64 refuses password binds on unprotected sessions, as on the
# master.  NOTE(review): update_ssf is 70 here but 56 on the master; with the
# ACLs below granting no write access the value is largely moot on the
# consumer, but confirm the difference is deliberate.
security ssf=0 update_ssf=70 simple_bind=64

# Do not allow anyone to read any of the encrypted passwords
# Consumer variant of the master rule: no identity gets write (the replica is
# updated only through syncrepl, which runs as rootdn and bypasses ACLs), and
# there is no replication-identity clause because nothing replicates from here.
access to attrs=userPassword
        by ssf=56 group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
read
        by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
        by ssf=56 * auth

# Only the Local Admin should be able to access the kerberos tree
access to attrs=krb5Key
        by ssf=56 group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
read
        by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
        by * none
access to dn.sub="ou=Kerberos,ou=ecmbi,o=ibm"
        by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" read
        by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
        by * none

# read access for all, write by the user himself and write to all by admins
# NOTE(review): unlike the master, this catch-all grants no write to anyone,
# so client writes are answered with the updateref referral configured below.
# "by * read" also makes the two bluepages proxies and the glued meta database
# anonymously readable through this consumer - confirm that is intended.
access to *
        by * read

###
### Proxy to US bluepages
###
# back-ldap to the remote directory over ldaps://; the rwm overlay rewrites
# the local suffix to the remote one.  Certificate verification for this
# outbound connection depends on client TLS settings not shown here.
database        ldap
suffix          "c=us,ou=sso,ou=ecmbi,o=ibm"
uri             ldaps://bluepages.ibm.com
overlay         rwm
rwm-suffixmassage   "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"

###
### Proxy to CSDL bluepages
###
# Same pattern as the US proxy above, for the c=cn branch.
database        ldap
suffix          "c=cn,ou=sso,ou=ecmbi,o=ibm"
uri             ldaps://bluepages.ibm.com
overlay         rwm
rwm-suffixmassage   "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"

### Proxy bluepages so we can use its authentication
### Glue US and CSDL and our local accounts together
# All three targets use ldaps:/// with no host, i.e. this slapd connects back
# to itself over TLS to reach the two back-ldap databases above and its own
# bdb database.  Unlike the master's meta database this one is not declared
# "subordinate" and has no "readonly" directive - the reporter says the two
# layouts are intentionally out of sync at this point.
database        meta
suffix          "ou=sso,ou=ecmbi,o=ibm"
uri             "ldaps:///c=us,ou=sso,ou=ecmbi,o=ibm"
uri             "ldaps:///c=cn,ou=sso,ou=ecmbi,o=ibm"
uri             "ldaps:///ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=Build Accounts,ou=ecmbi,o=ibm"

database	bdb
suffix		"ou=ecmbi,o=ibm"
cachesize       1024
checkpoint      1024 15

# rootdn must be set in order for syncrepl to function
# The consumer applies replicated changes as rootdn, bypassing the ACLs above.
# No rootpw is configured, so this DN cannot be used for a password bind.
rootdn  "cn=LDAP Master,ou=DSE,ou=ecmbi,o=ibm"
directory	/var/lib/ldap

# Indices to maintain for this database
index entryUUID,entryCSN                eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

### Index for krb5
index krb5PrincipalName                 eq

index notesShortName                    eq

overlay         ppolicy
ppolicy_default "cn=Default Password Policy,ou=Policies,ou=ecmbi,o=ibm"

# Consumer side of the replication.  The provider is reached over ldaps:// and
# the bind is SASL/GSSAPI, so the identity the master sees is whatever this
# host's keytab principal maps to via the master's authz-regexp rules (the
# "LDAP Replication Slave" mapping for ldap/swapus.svl.ibm.com).
# NOTE(review): retry="1,2,3,4,5,+", if read as the documented
# "<interval> <count>" pairs, means retry after 1s twice, then every 3s four
# times, then every 5s forever - so any persistent error from the provider
# looks like a tight reconnect loop, which matches the symptom in the report.
# "interval" is documented for refreshOnly and is presumably ignored with
# type=refreshAndPersist.  schemachecking=off means replicated entries are
# stored without local schema validation.
syncrepl rid=2
        provider="ldaps://wassup.svl.ibm.com"
        type=refreshAndPersist
        interval=00:00:01:00
        retry="1,2,3,4,5,+"
        searchbase="ou=ecmbi,o=ibm"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=sasl
        saslmech=gssapi

# Writes arriving at this read-only replica are referred to the master.
updateref ldaps://wassup.svl.ibm.com

# typically, this rule should only be used by Heimdal kerberos
# Same peercred (local ldapi:// root) mappings as on the master.  The consumer
# has no rule for the ldap/swapus service principal and no "limits" line,
# which is expected: that identity is only used when binding to the master.
authz-regexp
        uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
        "uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
        gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
        "uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"

authz-regexp
        uid=root,cn=ecmbi,cn=GSSAPI,cn=auth
        uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
        uid=root,cn=GSSAPI,cn=auth
        uid=root,ou=Services,ou=ecmbi,o=ibm

# Generic GSSAPI mapping, tried last; [^,/]+ keeps '/' and ',' out of $1 so
# service principals and extra RDNs cannot be mapped into ou=People.
authz-regexp
        uid=([^,/]+),cn=ecmbi,cn=GSSAPI,cn=auth
        uid=$1,ou=People,ou=ecmbi,o=ibm
authz-regexp
        uid=([^,/]+),cn=GSSAPI,cn=auth
        uid=$1,ou=People,ou=ecmbi,o=ibm