[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#3996) syncrepl with subordinate back-meta keeps reconnecting.
Full_Name: Perry Nguyen
Version: 2.3.7
OS: Linux FC3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.245.252.239)
I am using syncrepl to replicate from a master which has a bdb and a back-meta
glued into the same namingContext. On the master, I have an ACL set so that the
replicator login cannot descend into the glued back-meta. When I launch the
consumer slapd, it connects to the master in a continual loop, something that
/seems/ like for (;;) reconnect_to_master();
(Yes, I realize the backend configurations for the producer and consumer are
different, I am testing changes on the master which I've not yet propagated to
the slave).
The configuration of the producer and consumer slapds and a log of the consumer
follow:
###
### Master configuration:
###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/ibmPerson.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
TLSCACertificateFile /usr/share/ssl/CA/cacert.pem
TLSCertificateFile /etc/ssl/server/wassup.cert
TLSCertificateKeyFile /etc/ssl/server/wassup.key
#loglevel -1
security ssf=0 update_ssf=56 simple_bind=64
# Do not allow users to change their objectClass, or POSIX uid/gid values
access to attrs=objectClass,uidNumber,gidNumber,saslAuthzTo
by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
by * read
# Do not allow anyone to read any of the encrypted passwords
access to attrs=userPassword
by ssf=56
group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
by ssf=56
dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
by ssf=56 * auth
# Access control the administrative group
access to dn.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
by dn.base="uid=root,ou=People,ou=ecmbi,o=ibm" write
by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by * read
# Only the Local Admin should be able to access the kerberos tree
access to attrs=krb5Key
by ssf=56
group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
by ssf=56
dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
by * none
access to dn.sub="ou=Kerberos,ou=ecmbi,o=ibm"
by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" read
by * none
# Deny access to replicate the SSO DIT
access to dn.sub="ou=sso,ou=ecmbi,o=ibm"
by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" none
by * read
# read access for all, write by the user himself and write to all by admins
access to *
by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" write
by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" write
by self write
by * read
database meta
readonly on
nretries forever
suffix "ou=sso,ou=ecmbi,o=ibm"
uri "ldaps://bluepages.ibm.com/c=us,ou=sso,ou=ecmbi,o=ibm"
suffixmassage "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
uri "ldaps://bluepages.ibm.com/c=cn,ou=sso,ou=ecmbi,o=ibm"
suffixmassage "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"
uri "ldap:///ou=sso,ou=ecmbi,o=ibm";
suffixmassage "ou=sso,ou=ecmbi,o=ibm" "ou=SSO Stub,ou=ecmbi,o=ibm"
subordinate
database bdb
suffix "ou=ecmbi,o=ibm"
# an unusable rootdn for features that require it.
rootdn "cn=LDAP Directory Master,ou=DSE,ou=ecmbi,o=ibm"
directory /var/lib/ldap
cachesize 1024
checkpoint 1024 15
# Indices to maintain for this database
index entryUUID,entryCSN eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
### Index for krb5
index krb5PrincipalName eq
index notesShortName eq
# enable this server as a syncrepl master
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
overlay ppolicy
ppolicy_default "cn=Default Password Policy,ou=Policies,ou=ecmbi,o=ibm"
### End database bdb config
# typically, this rule should only be used by Heimdal kerberos
authz-regexp
uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
uid=ldap/swapus.svl.ibm.com,cn=ecmbi,cn=GSSAPI,cn=auth
"uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
uid=ldap/swapus.svl.ibm.com,cn=GSSAPI,cn=auth
"uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
limits dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
size=unlimited time=unlimited
authz-regexp
uid=root,cn=ecmbi,cn=GSSAPI,cn=auth
uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
uid=root,cn=GSSAPI,cn=auth
uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
uid=([^,/]+),cn=ecmbi,cn=GSSAPI,cn=auth
uid=$1,ou=People,ou=ecmbi,o=ibm
authz-regexp
uid=([^,/]+),cn=GSSAPI,cn=auth
uid=$1,ou=People,ou=ecmbi,o=ibm
###
### Slave Configuration:
###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/ibmPerson.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
TLSCACertificateFile /usr/share/ssl/CA/cacert.pem
TLSCertificateFile /etc/ssl/server/swapus.cert
TLSCertificateKeyFile /etc/ssl/server/swapus.key
security ssf=0 update_ssf=70 simple_bind=64
# Do not allow anyone to read any of the encrypted passwords
access to attrs=userPassword
by ssf=56 group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
read
by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
by ssf=56 * auth
# Only the Local Admin should be able to access the kerberos tree
access to attrs=krb5Key
by ssf=56 group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm"
read
by ssf=56 dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
by * none
access to dn.sub="ou=Kerberos,ou=ecmbi,o=ibm"
by group.base="cn=Directory Admins,ou=Groups,ou=ecmbi,o=ibm" read
by dn.base="uid=Local Admin,ou=Services,ou=ecmbi,o=ibm" read
by * none
# read access for all, write by the user himself and write to all by admins
access to *
by * read
###
### Proxy to US bluepages
###
database ldap
suffix "c=us,ou=sso,ou=ecmbi,o=ibm"
uri ldaps://bluepages.ibm.com
overlay rwm
rwm-suffixmassage "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
###
### Proxy to CSDL bluepages
###
database ldap
suffix "c=cn,ou=sso,ou=ecmbi,o=ibm"
uri ldaps://bluepages.ibm.com
overlay rwm
rwm-suffixmassage "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"
### Proxy bluepages so we can use its authentication
### Glue US and CSDL and our local accounts together
database meta
suffix "ou=sso,ou=ecmbi,o=ibm"
uri "ldaps:///c=us,ou=sso,ou=ecmbi,o=ibm"
uri "ldaps:///c=cn,ou=sso,ou=ecmbi,o=ibm"
uri "ldaps:///ou=sso,ou=ecmbi,o=ibm"
suffixmassage "ou=sso,ou=ecmbi,o=ibm" "ou=Build Accounts,ou=ecmbi,o=ibm"
database bdb
suffix "ou=ecmbi,o=ibm"
cachesize 1024
checkpoint 1024 15
# rootdn must be set in order for syncrepl to function
rootdn "cn=LDAP Master,ou=DSE,ou=ecmbi,o=ibm"
directory /var/lib/ldap
# Indices to maintain for this database
index entryUUID,entryCSN eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
### Index for krb5
index krb5PrincipalName eq
index notesShortName eq
overlay ppolicy
ppolicy_default "cn=Default Password Policy,ou=Policies,ou=ecmbi,o=ibm"
syncrepl rid=2
provider="ldaps://wassup.svl.ibm.com"
type=refreshAndPersist
interval=00:00:01:00
retry="1,2,3,4,5,+"
searchbase="ou=ecmbi,o=ibm"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=sasl
saslmech=gssapi
updateref ldaps://wassup.svl.ibm.com
# typically, this rule should only be used by Heimdal kerberos
authz-regexp
uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
"uid=Local Admin,ou=Services,ou=ecmbi,o=ibm"
authz-regexp
uid=root,cn=ecmbi,cn=GSSAPI,cn=auth
uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
uid=root,cn=GSSAPI,cn=auth
uid=root,ou=Services,ou=ecmbi,o=ibm
authz-regexp
uid=([^,/]+),cn=ecmbi,cn=GSSAPI,cn=auth
uid=$1,ou=People,ou=ecmbi,o=ibm
authz-regexp
uid=([^,/]+),cn=GSSAPI,cn=auth
uid=$1,ou=People,ou=ecmbi,o=ibm
[[logs trimmed. See http://www.openldap.org/its/?findid=3996]]