syncrepl 2.4 issue from 2.3 master
- To: openldap <openldap-software@openldap.org>
- Subject: syncrepl 2.4 issue from 2.3 master
- From: FRLinux <frlinux@gmail.com>
- Date: Fri, 18 Sep 2009 17:29:08 +0100
Hello,

My master is a FreeBSD 7.2 server running 2.3.38 at the moment.
I am trying to get the replication going to a 2.4 server. Using the
same configuration file, it is able to replicate to another 2.3 server
without a hitch, so I am guessing I am doing something foolish. I
understand ACLs have changed between the 2 versions but cannot see my
mistake. This is the configuration from my 2.3 master:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/courier.schema
include /usr/local/etc/openldap/schema/ISPEnv2.schema
include /usr/local/etc/openldap/schema/amavis.schema
include /usr/local/etc/openldap/schema/samba.schema
include /usr/local/etc/openldap/schema/freeradius.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
referral ldaps://masterldap.example.com
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_bdb
# moduleload back_ldap
# moduleload back_ldbm
# moduleload back_passwd
# moduleload back_shell
backend bdb
# security restrictions
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn.base="cn=Administrator,dc=example,dc=com" write
by dn.base="cn=ldaprep,dc=example,dc=com" read
by dn.base="cn=samba,ou=specialusers,dc=example,dc=com" write
by anonymous auth
by self write
# following sections separated so that we can specify other groups
# later that can manage specific services
#who can alter users?
access to dn.one="ou=people,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
#who can make users?
access to dn.base="ou=people,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
#ensure users don't screw up things they shouldn't be allowed to play with.
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
#ensure mail users don't screw up their own settings
access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
#manage mail settings
access to dn.base="ou=aliases,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.one="ou=aliases,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=mailscripts,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=domains,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.one="ou=domains,dc=example,dc=com"
by dn.base="cn=Administrator,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="" by * read
#control of who gets to make acls and who can alter acls not specified above
access to dn.children="ou=acldomain,dc=example,dc=com"
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by dn.base="cn=Administrator,dc=example,dc=com" write
by * read
access to *
by dn.base="cn=Administrator,dc=example,dc=com" write
by self write
by users read
by anonymous read
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw {MD5}xxxxxxxxxxxxxxxxx
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
directory /var/db/openldap-data
TLSCACertificateFile /usr/local/etc/openldap/cert/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/cert/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/serverkey.pem
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
directory /var/db/openldap-data
# Indices to maintain
index cn eq
index objectClass eq,pres
index uid,uidNumber,gidNumber,memberUid eq,pres
index mail eq
index entryUUID eq
Now on to my LDAP slave: this is a Debian 5.0 install running their
packaged LDAP server (2.4.11). Here is my configuration:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/courier.schema
include /etc/ldap/schema/ISPEnv2.schema
include /etc/ldap/schema/amavis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/freeradius.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=example,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
#ACLs
access to attrs=userPassword
by dn.base="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
access to dn.one="ou=people,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=people,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,quota
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to attrs=mail,mailbox,defaultdelivery,amavisVirusLover,amavisBannedFilesLover,amavisSpamLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamQuarantineTo
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=aliases,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.one="ou=aliases,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=mailscripts,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.one="ou=mailscripts,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="ou=domains,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.one="ou=domains,dc=example,dc=com"
by dn.base="cn=admin,dc=example,dc=com" write
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by * read
access to dn.base="" by * read
access to dn.children="ou=acldomain,dc=example,dc=com"
by group.base="cn=sysadmins,ou=acldomain,dc=example,dc=com" write
by dn.base="cn=admin,dc=example,dc=com" write
by * read
access to *
by dn.base="cn=admin,dc=example,dc=com" write
by self write
by users read
by anonymous read
rootdn "cn=admin,dc=example,dc=com"
rootpw {MD5}xxxxxxxxxxxxxxxx
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"
TLSCACertificateFile /etc/ldap/cert/cacert.pem
# Indices to maintain
#index objectClass eq
index cn eq
index uid,uidNumber,gidNumber,memberUid eq,pres
index mail eq
index entryUUID eq
syncrepl rid=124 \
provider=ldaps://masterldap.example.org:636 \
type=refreshAndPersist \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
bindmethod=simple \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=xxxxxxxx
Even with this, I get (this is the end of a slapd -d 500):
Config: ** successfully added syncrepl "ldaps://masterldap.example.com:636"
=> ldap_bv2dn(cn=Subschema,0)
<= ldap_bv2dn(cn=Subschema)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=subschema)=0
main: TLS init def ctx failed: 1
slapd stopped.
connections_destroy: nothing to destroy.
Lists suggest that cacert might not be right. I checked mine and did
not find any problem with it (and yes, it works with all my 2.3
slaves):
# openssl x509 -text -in /etc/ldap/cert/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e8:01:da:01:ac:05:15:ad
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org
        Validity
            Not Before: May 31 15:57:37 2006 GMT
            Not After : May 30 15:57:37 2011 GMT
        Subject: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [snip]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                [snip]
            X509v3 Authority Key Identifier:
                [snip]
                DirName:/C=IE/ST=Dublin/L=Dublin/O=ORGANISATION/CN=masterldap.example.org
                serial:E8:01:DA:01:AC:05:15:AD
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        [snip]
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
Any help appreciated.
Cheers,
Steph
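An added check, not part of the post above nor of OpenLDAP: it parses the fields of the `openssl x509 -text` output quoted in the message (reconstructed inline without the [snip] parts) and returns the properties a defender would review before trusting that file as the replication CA, namely the signature digest, the RSA key size, the validity window and the CA flag. The review thresholds (md5/sha1 as weak, 2048 bits as the minimum) are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the certificate fields quoted in the post, minus [snip].
SAMPLE_X509_TEXT = """\
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org
        Validity
            Not Before: May 31 15:57:37 2006 GMT
            Not After : May 30 15:57:37 2011 GMT
        Subject: C=IE, ST=Dublin, L=Dublin, O=ORGANISATION, CN=masterldap.example.org
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

WEAK_DIGESTS = ("md5", "sha1")  # review thresholds chosen for this example
MIN_RSA_BITS = 2048

def parse_x509_text(text):
    """Extract the fields a CA review needs from `openssl x509 -text` output."""
    def grab(pat):
        return re.search(pat, text, re.M).group(1).strip()
    def when(label):  # openssl prints e.g. "May 30 15:57:37 2011 GMT"
        return datetime.strptime(grab(label + r"\s*:\s*(.+)$").replace(" GMT", ""),
                                 "%b %d %H:%M:%S %Y")
    return {
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "rsa_bits": int(grab(r"RSA Public Key: \((\d+) bit\)")),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
        "is_ca": "CA:TRUE" in text,
    }

def review_ca_cert(text, now_iso):
    """Return the findings to raise before trusting this file as a CA."""
    c = parse_x509_text(text)
    now = datetime.fromisoformat(now_iso)
    findings = []
    if any(d in c["sig_alg"].lower() for d in WEAK_DIGESTS):
        findings.append("weak signature algorithm: " + c["sig_alg"])
    if c["rsa_bits"] < MIN_RSA_BITS:
        findings.append("short RSA key: %d bits" % c["rsa_bits"])
    if not c["is_ca"]:
        findings.append("Basic Constraints CA:TRUE missing")
    if not c["not_before"] <= now <= c["not_after"]:
        findings.append("outside validity window")
    return findings
```

Run against the quoted certificate as of the post date it flags the MD5 signature and the 1024-bit key; feed it `openssl x509 -text -in /etc/ldap/cert/cacert.pem` output to review your own CA file.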