
syncrepl 2.4 issue from 2.3 master



Hello. My master is a FreeBSD 7.2 server currently running OpenLDAP 2.3.38.
I am trying to get replication going to an OpenLDAP 2.4 consumer. With the
same provider configuration it replicates to another 2.3 server without a
hitch, so I assume I am doing something foolish on the 2.4 side. I
understand that ACL semantics changed between the two versions but cannot
see my mistake. This is the configuration from my 2.3 master:

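include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/courier.schema
include         /usr/local/etc/openldap/schema/ISPEnv2.schema
include         /usr/local/etc/openldap/schema/amavis.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/freeradius.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
# NOTE(review): this referral points at this same master host. It only
# affects requests for DNs outside the suffix served below, so it is
# harmless here, but confirm it is intentional and not copied from a
# consumer template.

referral	ldaps://masterldap.example.com

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
# moduleload	back_ldap
# moduleload	back_ldbm
# moduleload	back_passwd
# moduleload	back_shell

backend		bdb

# security restrictions
#
# slapd evaluates "access to" clauses in order and the FIRST clause whose
# target matches the entry/attribute decides; later clauses are not
# consulted for that target. Attribute-level rules therefore have to
# precede the entry-level (dn.*) rules, which is why the password rule
# comes first.

# Password material. Writable by the rootdn, the samba service account
# and the entry itself; readable by the replication account (syncrepl
# has to read the hashes to copy them to consumers); usable only for
# simple bind ("auth") by everyone else. slapd appends an implicit
# "by * none", so nobody else can read these attributes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.base="cn=Administrator,dc=example,dc=com" write
        by dn.base="cn=ldaprep,dc=example,dc=com" read
        by dn.base="cn=samba,ou=specialusers,dc=example,dc=com" write
        by anonymous auth
        by self write

# Following sections are separated so that we can specify other groups
# later that can manage specific services.
# (The second line of this comment had lost its leading "#" in the
# posted copy; an uncommented line here would make slapd refuse to
# start.)

# who can alter users?
# Matches every attribute of entries directly under ou=people. Note that
# users get only "read" on their own entry from this rule; self-service
# writes are limited to the password attributes matched above.
access to dn.one="ou=people,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

# who can make users?
access to dn.base="ou=people,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

# ensure users don't screw up things they shouldn't be allowed to play with.
# NOTE(review): because of first-match evaluation, entries under
# ou=people were already claimed by the dn.one rule above, so this rule
# (and the mail-attribute rule after it) only takes effect for entries
# elsewhere in the tree. That is harmless here -- the ou=people rule is
# at least as restrictive -- but do not rely on these rules to protect
# ou=people if the one above is ever loosened.
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

# ensure mail users don't screw up their own settings
access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

# manage mail settings
access to dn.base="ou=aliases,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

access to dn.one="ou=aliases,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

access to dn.base="ou=mailscripts,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

access to dn.base="ou=domains,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

access to dn.one="ou=domains,dc=example,dc=com"
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by * read

# root DSE must stay readable so clients can discover naming contexts,
# supported controls and the like.
access to dn.base="" by * read

# control of who gets to make acls and who can alter acls not specified above
access to dn.children="ou=acldomain,dc=example,dc=com"
        by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
        by dn.base="cn=Administrator,dc=example,dc=com" write
        by * read

# Catch-all for everything not matched above.
# NOTE(review): "by anonymous read" makes the remainder of the directory
# readable by unauthenticated clients, and "by self write" lets a user
# modify any attribute of their own entry not restricted by an earlier
# rule. Both appear deliberate for this deployment; just be aware that
# any entry outside the OUs listed above is fully world-readable.
access to *
     by dn.base="cn=Administrator,dc=example,dc=com" write
        by self write
        by users read
        by anonymous read

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix       "dc=example,dc=com"
rootdn       "cn=Administrator,dc=example,dc=com"
# NOTE(review): {MD5} is an unsalted digest and the rootdn bypasses every
# ACL above, so this is the single most sensitive value in the file.
# Regenerate it with "slappasswd -h {SSHA}" and keep slapd.conf readable
# only by the user slapd runs as.
rootpw       {MD5}xxxxxxxxxxxxxxxxx
# How slapd hashes passwords it is asked to store itself (Password Modify
# extended operation): MD5-crypt with an 8-character salt.
password-hash {CRYPT}
password-crypt-salt-format      "$1$%.8s"
directory       /var/db/openldap-data

# Global TLS settings. In 2.4 these also seed the default TLS context
# libldap uses for the server's own outbound connections, so a failure
# here aborts startup. They are global directives and conventionally go
# before the first "database" line, although 2.3 accepts them here.
TLSCACertificateFile /usr/local/etc/openldap/cert/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/cert/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/serverkey.pem

# syncprov turns this database into a replication provider: checkpoint
# the contextCSN every 100 operations or 10 minutes, and keep a session
# log of the last 100 writes so consumers that fall briefly behind can
# catch up without a full refresh.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# (a second, identical "directory" line was removed; the one above is
# authoritative)

# Indices to maintain
index cn      eq
index objectClass eq,pres
index uid,uidNumber,gidNumber,memberUid eq,pres
index mail eq
# entryUUID is the key syncrepl uses to match entries; keep it indexed.
index entryUUID eq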




Now onto my LDAP slave, this is a Debian 5.0 install running their
packaged LDAP Server (2.4.11), here is my configuration:


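# Schema and objectClass definitions
# Every attribute replicated from the provider (attrs="*" below) must be
# known here. schemachecking=off in the syncrepl stanza only relaxes
# objectClass/MUST checks; unknown attributes still make entries fail to
# load, so keep this list in step with the provider's.
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include		/etc/ldap/schema/courier.schema
include		/etc/ldap/schema/ISPEnv2.schema
include		/etc/ldap/schema/amavis.schema
include		/etc/ldap/schema/samba.schema
include		/etc/ldap/schema/freeradius.schema
include		/etc/ldap/schema/ppolicy.schema


pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

# While bringing replication up, "loglevel sync" (or "sync stats") shows
# what the consumer is doing and is far more readable than slapd -d 500.
loglevel        none

modulepath	/usr/lib/ldap
moduleload	back_bdb

sizelimit 500
tool-threads 1

backend		bdb
database        bdb

suffix          "dc=example,dc=com"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Where to store the replica logs for database #1
# replogfile	/var/lib/ldap/replog

# ACLs
#
# slapd evaluates "access to" clauses in order and the FIRST clause whose
# target matches decides, so attribute-level rules must precede the
# entry-level (dn.*) rules below.
#
# Password material -- mirrors the provider's rule. The samba NT/LM
# hashes are replicated here too (attrs="*" below); in the posted config
# they were not listed in this rule, so for entries under ou=people they
# fell through to the "dn.one=ou=people ... by * read" rule and were
# readable by ANY client, including anonymous ones. shadowLastChange is
# left to the posix-attribute rule further down, as on the provider, so
# clients reading it from this replica see the same thing as on the
# master. The posted second "access to attrs=userPassword" rule was
# unreachable (this rule matches first) and has been dropped.
# cn=admin is the rootdn and bypasses ACLs anyway; listed for clarity.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.base="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none


access to dn.one="ou=people,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.base="ou=people,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

# NOTE(review): as on the provider, entries under ou=people were already
# claimed by the dn.one rule above, so this rule and the mail rule after
# it only apply to entries elsewhere in the tree.
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.base="ou=aliases,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.one="ou=aliases,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.base="ou=mailscripts,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.one="ou=mailscripts,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.base="ou=domains,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

access to dn.one="ou=domains,dc=example,dc=com"
     by dn.base="cn=admin,dc=example,dc=com" write
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by * read

# root DSE stays readable so clients can discover naming contexts etc.
access to dn.base="" by * read

access to dn.children="ou=acldomain,dc=example,dc=com"
	by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
	by dn.base="cn=admin,dc=example,dc=com" write
	by * read

# Catch-all, same as the provider: everything not matched above is
# readable by anonymous clients. Keep this in mind whenever a new
# sensitive attribute is added to the schema -- it must be listed in an
# attribute rule above or it becomes world-readable on this replica.
access to *
     by dn.base="cn=admin,dc=example,dc=com" write
	by self write
	by users read
	by anonymous read

rootdn       "cn=admin,dc=example,dc=com"
# NOTE(review): {MD5} is an unsalted digest and the rootdn bypasses every
# ACL; regenerate with "slappasswd -h {SSHA}" and keep this file readable
# only by the openldap user.
rootpw       {MD5}xxxxxxxxxxxxxxxx
password-hash {CRYPT}
password-crypt-salt-format      "$1$%.8s"

# NOTE(review): a syncrepl consumer database is read-only. Without an
# "updateref" directive pointing at the provider, clients that attempt a
# write here should get an error rather than a referral to the master.

# Global TLS settings. Only a CA file is given, so this host presents no
# server certificate of its own (no ldaps:// service here); the CA is
# what is needed to verify the provider. These are global directives and
# conventionally belong before the first "database" line.
# NOTE(review): the "TLS init def ctx failed" message is emitted while
# this default context is built. Things to check: the file is readable
# by the user slapd runs as (Debian runs slapd as "openldap"), and --
# as far as I know -- Debian's 2.4 slapd is built against GnuTLS rather
# than OpenSSL, which is stricter about certificates (the CA below is a
# self-signed, MD5-signed, 1024-bit certificate).
TLSCACertificateFile /etc/ldap/cert/cacert.pem

# Indices to maintain
#index	objectClass	eq
index cn      eq
index uid,uidNumber,gidNumber,memberUid eq,pres
index mail eq
# entryUUID is the key syncrepl uses to match entries; keep it indexed.
index entryUUID eq


# Replication consumer. The bind DN and credentials below are sent to the
# provider in a simple bind, protected only by the ldaps transport, and
# are stored here in cleartext -- another reason slapd.conf must not be
# world-readable.
# NOTE(review): the provider host is ".org" here but ".com" in the
# master's referral and in the debug output; the certificate CN is
# masterldap.example.org, and the name given in provider= is what gets
# checked against the certificate, so the two must agree.
# No tls_reqcert/tls_cacert is set on this stanza, so verification of the
# provider's certificate falls back to the global/ldap.conf defaults --
# confirm the CA above is actually consulted, or set tls_cacert=
# explicitly if this release supports the syncrepl tls_* options.
# Consider also adding retry="60 +" so the consumer reconnects after a
# transient failure rather than relying on the default retry behaviour.
syncrepl rid=124 \
provider=ldaps://masterldap.example.org:636 \
type=refreshAndPersist  \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
bindmethod=simple \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=xxxxxxxx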

Even with this, I get the following (this is the tail of the `slapd -d 500` output):

Config: ** successfully added syncrepl "ldaps://masterldap.example.com:636"
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema)=0
main: TLS init def ctx failed: 1
slapd stopped.
connections_destroy: nothing to destroy.

The list archives suggest that the CA certificate might be the problem. I checked mine and could not find anything wrong with it (and it does work with all my 2.3 slaves). Note that it is a self-signed certificate with CA:TRUE, signed with MD5 over a 1024-bit RSA key, which the OpenSSL-linked 2.3 servers accept; whether the Debian 2.4 build, which I believe uses GnuTLS, accepts the same certificate is something I have not yet been able to confirm:

# openssl x509 -text -in /etc/ldap/cert/cacert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:01:da:01:ac:05:15:ad
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION,
CN=masterldap.example.org
        Validity
            Not Before: May 31 15:57:37 2006 GMT
            Not After : May 30 15:57:37 2011 GMT
        Subject: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION,
CN=masterldap.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[snip]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
[snip]
            X509v3 Authority Key Identifier:
[snip]

DirName:/C=IE/ST=Dublin/L=Dublin/O=ORGANISATION/CN=masterldap.example.org
                serial:E8:01:DA:01:AC:05:15:AD

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
[snip]
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----


Any help appreciated.
Cheers,
Steph