RE: Replication problem: slapd not creating the replog (IT'S A BUG!!!)
I should note that this appears to be more complicated:

I was not getting replication using ldappasswd, which uses the LDAP_TAG_EXOP_X_MODIFY_PASSWD (I think that's it) to modify the password attribute. This doesn't get replicated (I'm not sure if this is intentional or not), which at the very least is nowhere documented and counter-intuitive, if not an outright bug.

This is, of course, a very bad thing for those of us who use pam_ldap and set the pam_password method to exop - if you're using an ldbm directory then your passwords will not be replicated. This means that authentication will break down very quickly.

I've put this in the OpenLDAP ITS, but I'd love to hear from Kurt or someone as to what exactly is supposed to happen. Adding a replog call to back-ldbm/passwd.c doesn't seem to work for me, but it was just a quick ugly hack that I attempted.

More info PLEASE!
> -----Original Message-----
> From: Justin Hahn [mailto:jeh@profitlogic.com]
> Sent: Friday, July 13, 2001 1:12 PM
> To: 'openldap-software@openldap.org'
> Subject: Replication problem: slapd not creating the replog
>
>
> Hi, hopefully someone can point me in the right direction.
>
> After browsing the lists, checking the samples in the tests directory of the
> distribution, and quadruple checking my slapd.conf's, I'm completely puzzled.
> I'm running openldap-2.0.11 on debian (sasl, ssl, and openldap are all
> hand-built). I used to run openldap-2.0.7 and I'm pretty sure I had
> replication working there, but now I'm not so sure.
>
> The problem is as follows:
>
> 1) create database on master.
> 2) copy database to slave. (there's only 1 right now.)
> 3) start slapd and slurpd on master
> 4) start slapd on slave
> 5) make change to master, change doesn't propagate.
>
> When I investigated I noticed that no replog is being created. So I turned
> on config file debugging, and neither slapd nor slurpd complains. Next, I
> turned on full debugging for slapd and slurpd on all hosts and watched what
> happened if I started with fresh db's and made a change. The master slapd
> never even touches the replog.
>
> The replication user exists in the tree, and the password is correct. I can
> manually bind to the slave as the replicator and I have full access. The
> build passes all of the tests in make test, so it doesn't appear to be the
> software.
> My rootpw's match on both servers.
>
> I'm pretty much at wit's end, so I'd appreciate any and all help you can give
> me.
>
> Here's the slapd.conf on the master:
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
>
> #loglevel 0
>
> #security ssf=128 tls=128
> allow tls_2_anon
>
> # Load dynamic backend modules:
> # modulepath /sw/local/sbin/openldap
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> #TLSCACertificateFile /etc/openldap/ssl/ca
> TLSCertificateFile /etc/openldap/ssl/cert
> TLSCertificateKeyFile /etc/openldap/ssl/key
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
> database ldbm
> suffix "o=profitlogic"
> rootdn "cn=admin,o=profitlogic"
> rootpw {SSHA}--deleted---
> directory /var/openldap-ldbm/profitlogic
> index default pres,eq
> index objectClass,uid,uidNumber,gidNumber,cn
> index uniqueMember pres
>
> replogfile /var/openldap-ldbm/profitlogic/slapd.replog
>
> replica host=ldap-ro:389
>         bindmethod=simple
>         tls=yes
>         binddn="cn=replicant, o=profitlogic"
>         credentials=--deleted--
>
> # Support sane userPassword access
> access to attribute=userPassword
>         by dn="cn=admin,o=profitlogic" write
>         by anonymous auth
>         by self write
>         by * none
>
> # The admin dn has full write access
> access to *
>         by dn="cn=admin,o=profitlogic" write
>         by self write
>         by * read
>
> And here's the slapd.conf on the slave:
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
>
> loglevel 0
>
> #security ssf=128 tls=128
> allow tls_2_anon
>
> # Load dynamic backend modules:
> # modulepath /sw/local/sbin/openldap
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> #TLSCACertificateFile /etc/openldap/ssl/ca
> TLSCertificateFile /etc/openldap/ssl/cert
> TLSCertificateKeyFile /etc/openldap/ssl/key
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
> database ldbm
> suffix "o=profitlogic"
> directory /var/openldap-ldbm/profitlogic
> updatedn "cn=replicant,o=profitlogic"
> updateref ldap://ldap-m0/$a
> rootdn "cn=admin,o=profitlogic"
> rootpw {SSHA}--deleted--
> index default pres,eq
> index objectClass,uid,uidNumber,gidNumber,cn
> index uniqueMember pres
>
>
> # Support sane userPassword access
> access to attribute=userPassword
>         by dn="cn=admin,o=profitlogic" write
>         by dn="cn=replicant,o=profitlogic" write
>         by anonymous auth
>         by self write
>         by * none
>
> # The admin dn has full write access
> access to *
>         by dn="cn=admin,o=profitlogic" write
>         by dn="cn=replicant,o=profitlogic" write
>         by self write
>         by * read
>
>
> ----
> Justin Hahn ProfitLogic
> jhahn@profitlogic.com 11 Cambridge Center
> Systems Administrator Cambridge, MA 02142
> o: 617-218-1986 www.profitlogic.com
> m: 617-501-2743
> f: 617-218-1901
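A way to confirm the problem described in the reply (an ldappasswd change that never reaches the replog, so the slave keeps the old credential), added here as an example and not code from the thread: it parses slurpd's replog in the slapd.replog(5) layout and reports whether a userPassword modify for a given DN was recorded. The replog sample is constructed; the DNs and the replica host are taken from the posted slapd.conf.

```python
# Added example, not code from the thread: after a test ldappasswd against the
# master, parse slurpd's replog (slapd.replog(5): blank-line separated records,
# replica:/time:/dn:/changetype: headers, LDIF-style body) and confirm that a
# userPassword modify for the DN you changed was actually recorded.
import re
# Constructed sample: slapd logged an ldapmodify and a userPassword change for
# cn=alice; nothing was logged for cn=bob, changed via the password exop.
SAMPLE_REPLOG = """\
replica: ldap-ro:389
time: 994962750
dn: cn=alice,o=profitlogic
changetype: modify
replace: description
description: moved to 11 Cambridge Center
-

replica: ldap-ro:389
time: 994962810
dn: cn=alice,o=profitlogic
changetype: modify
replace: userPassword
userPassword: {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=
-
"""

def parse_replog(text):
    """Records as dicts: replica hosts, time, dn, changetype, attrs touched."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"replica": [], "attrs": set()}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            if key == "replica":
                rec["replica"].append(value.strip())
            elif key in ("time", "dn", "changetype"):
                rec[key] = value.strip()
            elif key in ("add", "replace", "delete"):  # modify body, LDIF style
                rec["attrs"].add(value.strip().lower())
        if "dn" in rec:
            records.append(rec)
    return records

def normalize_dn(dn):
    """Case-fold and drop spaces after commas (escaped commas not handled)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def password_change_logged(text, dn):
    """True if some modify record for dn touched userPassword."""
    target = normalize_dn(dn)
    return any(normalize_dn(r["dn"]) == target and r.get("changetype") == "modify"
               and "userpassword" in r["attrs"] for r in parse_replog(text))
```

Run it against the real replog after changing a test account's password on the master; a False result for that DN means slurpd was never told about the change and the slave still holds the old hash.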