Hi Dieter,
>> Hi all,
>>
>> I think I have a problem with the chain overlay and TLS. We have one physical
>> master and two slaves in VMware vSphere 4. Our configuration normally runs fine,
>> but sometimes we can't modify entries like passwords on the master. Then we
>> must restart slapd on the slaves. After restarting slapd everything works fine.
>> Then slapd works fine the whole day. We can change entries or set passwords on
>> the slaves. The next morning we must restart slapd again, because we can't
>> modify entries from the slaves. But we can query slapd, and syncrepl works
>> fine. Only things going over the chain overlay don't work. I have the problem not
>> only with version 2.4.20. I tested more versions, and currently 2.4.21 on
>> physical hardware.
>>
>> If I can't set entries on the slave, I don't see any TCP packets from the slave
>> to the master. DNS, time and so on look fine and everything else is working.
>> And if we restart slapd everything works. Does anybody know what is going
>> wrong and whether there is a workaround? I read some things about /dev/random,
>> /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
>>
>> Here is the chain overlay configuration.
>>
>> <snip slapd.conf>
>> overlay chain
>> chain-uri "ldap://eisenherz.camelot.de/";
>> chain-idassert-bind bindmethod=simple
>> binddn="cn=ldapadmin,dc=camelot,dc=de"
>> credentials="xxxxxx"
>> mode="self"
>> chain-rebind-as-user TRUE
>> chain-return-error TRUE
>> chain-tls start
>> </snip slapd.conf>
>>
>> Any help is appreciated.
>
>What version is this?
>I found that with 2.4.21 a tls_cacert option solved my problem.
I have the problem in 2.4.12, 2.4.18, 2.4.19, 2.4.20 and 2.4.21.
>chain-tls start
> tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem"
> tls_reqcert="demand"
>
>slapd-ldap(5) provides more TLS options.
>
I know, and I have configured some of them. But the problem still exists. I
can't see any packets on the network device from the slave to the master. If I
restart the slave slapd, then everything works for a while.
But I will read the man page again.
Today I sent a mail to the list with two traces, one with a successful
passmod and one with a non-working passmod. Here is the link:
http://www.openldap.org/lists/openldap-technical/201003/msg00019.html
The differences between the traces are the hdb_dn2id entries. When the passmod over the
slave is OK, I can see entries like:
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
or
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
When the passmod fails, these entries are not in the trace. After restarting
slapd I can change passwords over the slaves and I can see the hdb_dn2id
entries in the trace.
Regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Commercial register: Amtsgericht Siegen HRB 4838
Managing director: Oliver Seitz
Registered office: Siegen
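As an added example that is not part of the thread, the chain overlay block from the original post merged with the TLS options from the reply. The master hostname and bind DN are taken from the original post, the CA file path is the one the replier quoted for their own setup, and the password is the same placeholder; adjust all three for your environment.

```conf
# Added example (not from the thread): chain overlay on a slave's slapd.conf
# with mandatory StartTLS and certificate validation towards the master.
# Hostname and bind DN are from the original post; the CA path is the one
# quoted in the reply and is assumed to hold the CA that signed the master's
# server certificate.
overlay chain
chain-uri        "ldap://eisenherz.camelot.de/"

# Identity assertion: the slave binds to the master as ldapadmin and asserts
# the original client's identity (mode=self). The ldapadmin password below
# is sent over this connection, so TLS must be mandatory, not best-effort.
chain-idassert-bind bindmethod=simple
        binddn="cn=ldapadmin,dc=camelot,dc=de"
        credentials="xxxxxx"
        mode="self"
chain-rebind-as-user TRUE
chain-return-error   TRUE

# "start" makes StartTLS mandatory: the chained operation fails if TLS cannot
# be negotiated, whereas "try-start" would fall back to cleartext.
# tls_reqcert=demand rejects the master's certificate unless it validates
# against tls_cacert, so the slave never hands the ldapadmin password to a
# host merely answering for eisenherz.camelot.de.
chain-tls start
        tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem"
        tls_reqcert="demand"
```

Lines beginning with whitespace are continuations of the previous directive in slapd.conf, so the indented options belong to chain-idassert-bind and chain-tls respectively. See slapd-ldap(5) for the remaining tls_* options (client certificate, key, cipher suite, CRL checking).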