Firman Indra Buana wrote:
Hi Omar,
Sorry for my bad English. I mean the binddn and rootdn on the consumer could be different from those on the master. Thank you,
Omar Al-Tabari wrote:
I just need to mention this: do both the provider and consumer have to have the same suffix?
Also, when configuring the TLS options, I'll have two server certificates, one for the provider and the other one for the consumer. How do I make them communicate with each other using TLS although they have different certs?
Firman Indra Buana wrote:
Hi Omar,
Please look at my change on your consumer conf; that is why modify failed. In the test program the binddn could not be the same as the rootdn in the master configuration. But if the updatedn change is running, let it be; don't try other things.
Thank You,
Omar Al-Tabari wrote:
My Master slapd.conf looks like this:
*****************
include /var/openldap/etc/openldap/schema/core.schema
include /var/openldap/etc/openldap/schema/cosine.schema
include /var/openldap/etc/openldap/schema/inetorgperson.schema
include /var/openldap/etc/openldap/schema/nis.schema
include /var/openldap/etc/openldap/schema/samba.schema
include /var/openldap/etc/openldap/schema/redhat/autofs.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/openldap/var/run/slapd.pid
argsfile /var/openldap/var/run/slapd.args
database bdb
suffix "dc=ldaptest,dc=batelco,dc=jo"
rootdn "cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
#rootpw {SSHA}6knlCh6UiA1U2EH9zgVCYddyT5wp/e7I
rootpw secret
# Mode 700 recommended.
directory /var/openldap/var/openldap-data
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index entryUUID,entryCSN eq
overlay syncprov
#syncprov-checkpoint 100 10
#syncprov-sessionlog 100
********************
As you can see I didn't put any access rules because I can't seem to make them work properly, so I am binding using the rootdn. As for the consumer, it looks like this:
****************
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /openldap/etc/openldap/schema/core.schema
include /openldap/etc/openldap/schema/cosine.schema
include /openldap/etc/openldap/schema/inetorgperson.schema
include /openldap/etc/openldap/schema/nis.schema
include /openldap/etc/openldap/schema/samba.schema
include /openldap/etc/openldap/schema/redhat/autofs.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /openldap/var/run/slapd.pid
argsfile /openldap/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=ldaptest,dc=batelco,dc=jo"
rootdn "cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /openldap/var/openldap-data
# Indices to maintain
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index entryUUID,entryCSN eq
syncrepl rid=1
        provider=ldap://ldaptest.batelco.jo
        binddn="cn=manager,dc=ldaptest,dc=batelco,dc=jo"
        bindmethod=simple
        credentials=secret
        searchbase="dc=ldaptest,dc=batelco,dc=jo"
        filter="(objectClass=*)"
        attrs="*"
        schemachecking=off
        scope=sub
        type=refreshAndPersist
updatedn="cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
********************
Both the consumer and provider have the same suffix. I don't know if that is the way it should be, but won't that make problems when I try to implement TLS, "that's if I can get this running in the first place".
Thank you in advance, I really need the help right now.
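An added linter for the provider/consumer pair posted above, written for this thread and not part of any message or of OpenLDAP itself. It assumes the trimmed config strings it embeds (the consumer keeps the searchbase-set-to-rootdn change that produced the err=32 seen later in the thread) and checks the points the thread turns on: the searchbase must be the provider suffix, a cleartext rootpw, replicating as the rootdn instead of a dedicated read-only DN, and simple binds over plain ldap:// without the syncrepl starttls option.

```python
import re
# Constructed, trimmed versions of the two configs posted above; the consumer
# keeps the searchbase-set-to-rootdn change that produced err=32 (noSuchObject).
PROVIDER_CONF = """\
suffix "dc=ldaptest,dc=batelco,dc=jo"
rootdn "cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
rootpw secret
"""
CONSUMER_CONF = """\
syncrepl rid=1 provider=ldap://ldaptest.batelco.jo
    binddn="cn=manager,dc=ldaptest,dc=batelco,dc=jo" bindmethod=simple credentials=secret
    searchbase="cn=manager,dc=ldaptest,dc=batelco,dc=jo"
"""

def parse(conf):
    """Fold slapd.conf continuation lines (leading blank) into {directive: [values]}."""
    logical, out = [], {}
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"): continue  # blank or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        name, _, value = entry.partition(" ")
        out.setdefault(name.lower(), []).append(value.strip())
    return out

def syncrepl_args(value):
    """Split the key=value / key="quoted value" pairs of a syncrepl directive."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', value)}

def norm_dn(dn):
    """Drop quotes, case-fold and remove spaces after commas so DNs compare as slapd does."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def lint(provider_conf, consumer_conf):
    """Return findings that explain this thread's failures or weaken the setup."""
    p = parse(provider_conf)
    sr = syncrepl_args(parse(consumer_conf)["syncrepl"][0])
    findings = []
    if not p["rootpw"][0].startswith("{"):  # slappasswd hashes start with {SSHA} etc.
        findings.append("provider: rootpw stored in cleartext; use a slappasswd(8) hash")
    if norm_dn(sr.get("searchbase", "")) != norm_dn(p["suffix"][0]):
        findings.append("consumer: searchbase is not the provider suffix (expect err=32)")
    if norm_dn(sr.get("binddn", "")) == norm_dn(p["rootdn"][0]):
        findings.append("consumer: binddn is the provider rootdn; use a read-only replication DN")
    if sr.get("provider", "").startswith("ldap://") and sr.get("starttls") not in ("yes", "critical"):
        findings.append("consumer: simple-bind credentials sent in clear; add starttls=critical")
    return findings
```

The later DB_NOTFOUND for the suffix DN in the debug output is the provider-side form of the same err=32 (the suffix entry itself was never loaded), which a config check cannot see; that one is confirmed with a base-scope search of the suffix on the provider.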
Firman Indra Buana wrote:
Hi Omar,
Could you give me your full slapd.conf, your master and your consumer? You could edit it if there is some information that I shouldn't know.
Thank You,
Omar Al-Tabari wrote:
I replaced the search base with the rootdn, but this is what I got:
[root@ldaptest libexec]# ./slapd -d256 -u ldap -h "ldap:///"
@(#) $OpenLDAP: slapd 2.3.2beta (Mar 28 2005 13:05:53) $
root@ldaptest:/root/openldap-2.3.2beta/servers/slapd
bdb_db_init: Initializing BDB database
16: unknown tls_option <b>
slapd starting
conn=0 fd=12 ACCEPT from IP=172.16.5.108:2089 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=manager,dc=ldaptest,dc=batelco,dc=jo" method=128
conn=0 op=0 BIND dn="cn=Manager,dc=ldaptest,dc=batelco,dc=jo" mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="cn=manager,dc=ldaptest,dc=batelco,dc=jo" scope=2 deref=0 filter="(objectClass=*)"
conn=0 op=1 SRCH attr=* structuralObjectClass entryCSN
findbase failed! 32
conn=0 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=0 op=2 UNBIND
conn=0 fd=12 closed
But the consumer didn't give me an ldap_modify error. When I changed the searchbase to the old one, the consumer gave me this:
[root@mc libexec]# ./slapd -d256 -u ldap -h "ldap:///"
@(#) $OpenLDAP: slapd 2.3.2beta (Mar 24 2005 11:18:51) $
root@mc:/root/openldap-2.3.2beta/servers/slapd
bdb_db_init: Initializing BDB database
16: unknown tls_option <b>
slapd starting
request 1 done
be_modify failed (32)
Firman Indra Buana wrote:
Hi Omar,
Replace the searchbase with the rootdn of your master and try it. Again, look at the sample "test" in the OpenLDAP installer; there are a lot of examples there that you could try first.
Omar Al-Tabari wrote:
But there is "dc=ldaptest,dc=batelco,dc=jo" in the master database, so then how does its LDAP server function??
OpenLDAP v2.3 is working fine on the master server and I can search it, query it and all that, but still syncrepl doesn't work!!
Firman Indra Buana wrote:
Simple!!!! There is no dc=ldaptest,dc=batelco,dc=jo in the master database and you could not bind to it. I tried syncrepl and there was no problem with it. Just try the test program from the OpenLDAP installer and you will understand it more; try with the simple one and go on to the advanced. Hope this helps.
Omar Al-Tabari wrote:
Omar Al-Tabari wrote:
Howard Chu wrote:
I'm sorry I didn't quite understand your question, I'm not that very good at configuring these things as you may have noticed :)
Omar Al-Tabari wrote:
Omar Al-Tabari wrote:
Howard Chu wrote:
Read the 2.3 Admin Guide. The provider configuration in 2.3 is not identical to 2.2, as I've mentioned here a number of times.
Now I've read the 2.3 manual and here's what I added to my slapd.conf:
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
And I've also updated my consumer's slapd.conf:
syncrepl rid=123
provider=ldap://ldaptest.batelco.jo:389
type=refreshOnly
interval=00:00:01:00
searchbase="dc=ldaptest,dc=batelco,dc=jo"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=manager,dc=ldaptest,dc=batelco,dc=jo"
credentials=secret
That looks reasonable.
I also tried out the "type=refreshAndPersist" mode on the consumer and this is the output after starting both the provider and consumer:
bdb_db_init: Initializing BDB database
16: unknown tls_option <b>
slapd starting
request 1 done
be_modify failed (32)
That looks bad. There are other errors in your slapd.conf file that need to be fixed.
Does the entry corresponding to the database suffix exist in your database?
This is what I got with debug level 9:
*****************************
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_scanf fmt ({iaa}) ber:
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
bdb_dn2entry("dc=ldaptest,dc=batelco,dc=jo")
=> bdb_dn2id("dc=ldaptest,dc=batelco,dc=jo")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
ldap_search_ext
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ber_flush: 150 bytes to sd 10
=>do_syncrep2
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 0 sec, 0 usec), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ldaptest.batelco.jo port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Apr 6 15:11:28 2005
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
connection_get(10): got connid=0
daemon: added 10r
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10): got connid=0
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
=>do_syncrepl
=>do_syncrep2
ldap_result msgid -1
ldap_chkResponseList for msgid=-1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 0 sec, 0 usec), msgid -1
wait4msg continue, msgid -1, all 0
** Connections:
* host: ldaptest.batelco.jo port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Apr 6 15:11:28 2005
****************************************
Any clues?
It has "<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)". What does that mean?