Slapd Replication Problem
- To: openldap-software@OpenLDAP.org
- Subject: Slapd Replication Problem
- From: Brian White <bcwhite@precidia.com>
- Date: Wed, 13 Sep 2006 11:39:16 -0400
- Organization: Precidia Technologies http://www.precidia.com/
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20060803 Debian/1.7.8-1sarge7.2.1
Slapd Version: 2.3.25
Perhaps I'm missing something pretty obvious about replicated slapd
servers, but I simply cannot get it to work.
My master server has

    replica uri=ldap://titan.ott.precidia.com
            binddn="uid=slapd,ou=Services,dc=precidia"
            bindmethod=simple credentials=secret

My slave server has

    updatedn uid=slapd,ou=Services,dc=precidia
    updateref ldap://tolkien.ott.precidia.com

I've copied the db files by hand and restarted both machines. When I do
a password change (via ldappasswd) on the master, I see an attempt to
change it on the slave but it fails. Attached is the slave's log (and
the slave's full config file). You can see it connect with a DN of
"uid=slapd,ou=Services,dc=precidia" and get authenticated. But then
when the modify comes in, it fails with:
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] applying none(=0) (stop)
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] mask: none(=0)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access denied by none(=0)
Sep 13 10:44:07 titan slapd[5789]: bdb_modify: modify failed (50)
I'd appreciate any help someone can give me! Thanks!
Brian
( bcwhite@precidia.com )
-------------------------------------------------------------------------------
Relationships go through seasons. Winter often comes before Spring.
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: listen=7, new connection on 12
Sep 13 10:44:07 titan slapd[5789]: daemon: added 12r
Sep 13 10:44:07 titan slapd[5789]: conn=0 fd=12 ACCEPT from IP=10.0.1.2:1067 (IP=0.0.0.0:389)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on:
Sep 13 10:44:07 titan slapd[5789]: 12r
Sep 13 10:44:07 titan slapd[5789]:
Sep 13 10:44:07 titan slapd[5789]: daemon: read activity on 12
Sep 13 10:44:07 titan slapd[5789]: connection_get(12)
Sep 13 10:44:07 titan slapd[5789]: connection_get(12): got connid=0
Sep 13 10:44:07 titan slapd[5789]: connection_read(12): checking for input on id=0
Sep 13 10:44:07 titan slapd[5789]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: do_bind
Sep 13 10:44:07 titan slapd[5789]: >>> dnPrettyNormal: <uid=slapd,ou=Services,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPrettyNormal: <uid=slapd,ou=Services,dc=precidia>, <uid=slapd,ou=services,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: do_bind: version=3 dn="uid=slapd,ou=Services,dc=precidia" method=128
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 BIND dn="uid=slapd,ou=Services,dc=precidia" method=128
Sep 13 10:44:07 titan slapd[5789]: ==> bdb_bind: dn: uid=slapd,ou=Services,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: bdb_dn2entry("uid=slapd,ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x00000001
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x000000a4
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("uid=slapd,ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x000000a6
Sep 13 10:44:07 titan slapd[5789]: entry_decode: "uid=slapd,ou=Services,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: <= entry_decode(uid=slapd,ou=Services,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: auth access to "uid=slapd,ou=Services,dc=precidia" "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_get: [1] attr userPassword
Sep 13 10:44:07 titan slapd[5789]: access_allowed: no res from state (userPassword)
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: access to entry "uid=slapd,ou=Services,dc=precidia", attr "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: to value by "", (=0)
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: anonymous
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [1] mask: auth(=xd)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: auth access granted by auth(=xd)
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 BIND dn="uid=slapd,ou=Services,dc=precidia" mech=SIMPLE ssf=0
Sep 13 10:44:07 titan slapd[5789]: do_bind: v3 bind: "uid=slapd,ou=Services,dc=precidia" to "uid=slapd,ou=Services,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: conn=0 op=0 p=3
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: err=0 matched="" text=""
Sep 13 10:44:07 titan slapd[5789]: send_ldap_response: msgid=1 tag=97 err=0
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on:
Sep 13 10:44:07 titan slapd[5789]: 12r
Sep 13 10:44:07 titan slapd[5789]:
Sep 13 10:44:07 titan slapd[5789]: daemon: read activity on 12
Sep 13 10:44:07 titan slapd[5789]: connection_get(12)
Sep 13 10:44:07 titan slapd[5789]: connection_get(12): got connid=0
Sep 13 10:44:07 titan slapd[5789]: connection_read(12): checking for input on id=0
Sep 13 10:44:07 titan slapd[5789]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: do_modify
Sep 13 10:44:07 titan slapd[5789]: do_modify: dn (uid=bcwhite,ou=People,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: => get_ctrls
Sep 13 10:44:07 titan slapd[5789]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Sep 13 10:44:07 titan slapd[5789]: <= get_ctrls: n=1 rc=0 err=""
Sep 13 10:44:07 titan slapd[5789]: >>> dnPrettyNormal: <uid=bcwhite,ou=People,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPrettyNormal: <uid=bcwhite,ou=People,dc=precidia>, <uid=bcwhite,ou=people,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: >>> dnPretty: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPretty: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: >>> dnNormalize: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnNormalize: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: modifications:
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: userPassword
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 38
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: entryCSN
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 32
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: modifiersName
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 19
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: modifyTimestamp
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 15
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 MOD dn="uid=bcwhite,ou=People,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 MOD attr=userPassword entryCSN modifiersName modifyTimestamp
Sep 13 10:44:07 titan slapd[5789]: slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
Sep 13 10:44:07 titan slapd[5789]: bdb_modify: uid=bcwhite,ou=People,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: bdb_dn2entry("uid=bcwhite,ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x00000002
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("uid=bcwhite,ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x0000005d
Sep 13 10:44:07 titan slapd[5789]: entry_decode: "uid=bcwhite,ou=People,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: <= entry_decode(uid=bcwhite,ou=People,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: bdb_modify_internal: 0x0000005d: uid=bcwhite,ou=People,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access to "uid=bcwhite,ou=People,dc=precidia" "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_get: [1] attr userPassword
Sep 13 10:44:07 titan slapd[5789]: access_allowed: no res from state (userPassword)
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: access to entry "uid=bcwhite,ou=People,dc=precidia", attr "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: to all values by "uid=slapd,ou=services,dc=precidia", (=0)
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: anonymous
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: self
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: *
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] applying none(=0) (stop)
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] mask: none(=0)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access denied by none(=0)
Sep 13 10:44:07 titan slapd[5789]: bdb_modify: modify failed (50)
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: conn=0 op=1 p=3
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: err=50 matched="" text=""
Sep 13 10:44:07 titan slapd[5789]: send_ldap_response: msgid=2 tag=103 err=50
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 RESULT tag=103 err=50 text=
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 2047
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
checkpoint 512 30
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=precidia"
# Where the database files are physically stored for database #1
directory "/var/lib/slapd"
# Indexing options for database #1
index objectClass eq
index cn pres,sub,eq,approx
index sn pres,sub,eq
index givenName pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
#index sambaPrimaryGroups eq
index sambaDomainName eq
index default sub
# Save the time that the entry gets modified, for database #1
lastmod on
# This is only a replica.
updatedn uid=slapd,ou=Services,dc=precidia
updateref ldap://tolkien.ott.precidia.com
# password hash algorithm
password-hash {SSHA}
# Admin (root) access
rootdn cn=root,dc=precidia
rootpw {crypt}hidden
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to attrs=shadowLastChange
        by self write
        by * read
# Allow the "ldap admin dn" access, but deny everyone else
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="uid=slapd,ou=Services,dc=precidia" write
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,dc=precidia"
# by dn="uid=bcwhite,ou=People,dc=precidia" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
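
The slave's trace shows rule [1] (attrs=userPassword) deciding the request at its third "by" clause. As an added example (not part of the original post and not OpenLDAP code), the simplified first-match model below evaluates the posted access rules for the replication DN; the function names, the lower-casing used for DN matching, the treatment of the trace's "delete access" as needing the write level, and the with_replica_write() correction are assumptions.

```python
# Simplified model of slapd first-match ACL evaluation; added example, not OpenLDAP code.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
REPL = "uid=slapd,ou=services,dc=precidia"    # updatedn, normalized as in the log
SAMBA = "uid=samba,ou=services,dc=precidia"

# (attrs or None for all, entry DN or None for any, [(who, level), ...]) in file order.
POSTED = [
    ({"userpassword"}, None, [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"shadowlastchange"}, None, [("self", "write"), ("*", "read")]),
    ({"sambalmpassword", "sambantpassword"}, None, [("dn:" + SAMBA, "write"), ("*", "none")]),
    (None, "", [("*", "read")]),               # access to dn.base=""
    (None, None, [("dn:" + REPL, "write"), ("dn:" + SAMBA, "write"), ("*", "read")]),
]

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "self":
        return requester != "" and requester == target
    return who == "dn:" + requester            # exact-DN form

def evaluate(acl, requester, target, attr):
    """Return (acl_no, by_no, level), numbered like the acl_get/acl_mask trace."""
    requester, target, attr = requester.lower(), target.lower(), attr.lower()
    for acl_no, (attrs, base, bys) in enumerate(acl, 1):
        if (base is not None and base != target) or (attrs is not None and attr not in attrs):
            continue
        # The first matching "access to" rule decides; later rules are never read.
        for by_no, (who, level) in enumerate(bys, 1):
            if who_matches(who, requester, target):
                return acl_no, by_no, level    # implicit "stop"
        return acl_no, 0, "none"               # implicit trailing "by * none"
    return 0, 0, "none"                        # implicit final "access to * by * none"

def allowed(acl, requester, target, attr, want="write"):
    return LEVELS.index(evaluate(acl, requester, target, attr)[2]) >= LEVELS.index(want)

def with_replica_write(acl):
    """Hypothetical correction: name the updatedn before 'by * none' in rule 1."""
    attrs, base, bys = acl[0]
    return [(attrs, base, bys[:-1] + [("dn:" + REPL, "write"), bys[-1]])] + acl[1:]

if __name__ == "__main__":
    target = "uid=bcwhite,ou=People,dc=precidia"
    for name, acl in (("posted", POSTED), ("corrected", with_replica_write(POSTED))):
        print(name, evaluate(acl, REPL, target, "userPassword"))
```

Under the same model the replication DN is also stopped by the sambaLMPassword/sambaNTPassword rule, which names only uid=samba before "by * none".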