Hi Dieter,

>> Hi all,
>>
>> I think I have a problem with the overlay chain and TLS. We have one physical
>> master and two slaves in VMware vSphere 4. Our configuration normally runs fine,
>> but sometimes we can't modify entries like passwords on the master. Then we
>> must restart slapd on the slaves. After restarting slapd all works fine.
>> Then slapd works fine the whole day. We can change entries or set passwords on
>> the slaves. Next morning we must restart slapd again, because we can't
>> modify entries from the slaves. But we can query slapd, and syncrepl works
>> fine. Only things going over the chain overlay don't work. I have the problem not
>> only with version 2.4.20. I tested more versions, and currently 2.4.21 on
>> physical hardware.
>>
>> If I can't set entries on the slave I don't see any TCP packets from the slave
>> to the master. DNS, time and so on look fine and everything else is working.
>> And if we restart slapd everything is working. Does anybody know what is going
>> wrong and if there exists a workaround? I read some things about /dev/random,
>> /dev/urandom and kernel 2.6 in VMware. Can this be the problem?
>>
>> Here is the overlay chain configuration.
>>
>> <snip slapd.conf>
>> overlay chain
>> chain-uri "ldap://eisenherz.camelot.de/";
>> chain-idassert-bind bindmethod=simple
>>     binddn="cn=ldapadmin,dc=camelot,dc=de"
>>     credentials="xxxxxx"
>>     mode="self"
>> chain-rebind-as-user TRUE
>> chain-return-error TRUE
>> chain-tls start
>> </snip slapd.conf>
>>
>> Any help is appreciated.
>
> What version is this?
> I found that with 2.4.21 a tls_cacert option solved my problem.

I have the problem in 2.4.12, 2.4.18, 2.4.19, 2.4.20 and 2.4.21.

> chain-tls start
>     tls_cacert="/opt/openldap/etc/openldap/certs/avciCA.pem"
>     tls_reqcert="demand"
>
> slapd-ldap(5) provides more TLS options.

I know, and I have configured some of them. But the problem still exists. I
can't see any packets on the network device from the slave to the master.
If I restart the slave slapd then all works fine for a time. But I will read
the man page again.

Today I have sent a mail to the list with two traces. One with a successful
passmod and one with a non-working passmod. Here is the link:

http://www.openldap.org/lists/openldap-technical/201003/msg00019.html

The differences in the traces are the hdb_dn2id entries. When the passmod over
the slave is OK, then I can see entries like:

    bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
    => hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
    <= hdb_dn2id: got id=0x5
    entry_decode: ""
    <= entry_decode()

or

    => hdb_dn2id("ou=policies,dc=camelot,dc=de")
    <= hdb_dn2id: got id=0x9
    => hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
    <= hdb_dn2id: got id=0xa
    entry_decode: ""
    <= entry_decode()

When the passmod fails, these entries are not in the trace. After restarting
slapd I can change passwords over the slaves and I can see the hdb_dn2id
entries in the trace.

Regards
Ralf Zimmermann

--
 .''`.  Ralf Zimmermann
: :' :  SIEGNETZ.IT GmbH
`. `'   Schneppenkauten 1a
  `-    57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Managing director: Oliver Seitz
Registered office of the company: Siegen
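The mail above compares two slapd debug traces by hand and uses the presence of hdb_dn2id lookups for the idassert DN (cn=ldapadmin,...) and the ppolicy default entry as the marker of a chained passmod that actually went through. The following script is an added example, not code from the thread or from the OpenLDAP project: it extracts those dn2id lookups from trace text and reports which DNs a failing trace never resolved. The two traces embedded in it are constructed to mimic the shape of the lines quoted in the mail (the EXT/RESULT lines and the err value are made up); the rule that a missing lookup of the idassert DN flags the failing chained operation is an assumption taken from Ralf's observation, not a documented slapd behaviour.

```python
import re

# Constructed sample traces (not the ones attached to the original mails).
# GOOD_TRACE mimics a chained password modify that worked: the slave resolves
# the idassert DN and the default ppolicy entry before forwarding.
GOOD_TRACE = """\
conn=1001 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
conn=1001 op=2 RESULT oid= err=0 text=
"""

# BAD_TRACE mimics the failing case from the mail: no dn2id lookups at all
# (the err value here is a constructed placeholder).
BAD_TRACE = """\
conn=1002 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1002 op=2 RESULT oid= err=1 text=
"""

# The DN the chain overlay asserts its identity with (from the slapd.conf in
# the thread); any other value is the reader's own deployment detail.
IDASSERT_DN = "cn=ldapadmin,dc=camelot,dc=de"

# "=> hdb_dn2id("<dn>")" opens a lookup, "<= hdb_dn2id: got id=0x.." closes it.
DN2ID_REQ = re.compile(r'^=> hdb_dn2id\("(?P<dn>[^"]*)"\)')
DN2ID_OK = re.compile(r'^<= hdb_dn2id: got id=(?P<id>0x[0-9a-fA-F]+)')


def dn2id_lookups(trace):
    """Return {dn: entry_id} for every dn2id lookup in the trace that returned an id."""
    found = {}
    pending = None  # DN of the most recent "=> hdb_dn2id(...)" without a reply yet
    for raw in trace.splitlines():
        line = raw.strip()
        m = DN2ID_REQ.match(line)
        if m:
            pending = m.group("dn")
            continue
        m = DN2ID_OK.match(line)
        if m and pending is not None:
            found[pending] = int(m.group("id"), 16)
            pending = None
        elif line.startswith("<= hdb_dn2id:"):
            # Assumption: any other "<= hdb_dn2id:" reply means the lookup failed.
            pending = None
    return found


def missing_lookups(good_trace, bad_trace):
    """DNs resolved in the working trace but never resolved in the failing one."""
    good = dn2id_lookups(good_trace)
    bad = dn2id_lookups(bad_trace)
    return sorted(dn for dn in good if dn not in bad)


def chain_bind_resolved(trace, idassert_dn=IDASSERT_DN):
    """Heuristic from the mail: the chained op got as far as resolving the idassert DN."""
    return idassert_dn in dn2id_lookups(trace)


if __name__ == "__main__":
    print("working trace resolved:", dn2id_lookups(GOOD_TRACE))
    print("missing in failing trace:", missing_lookups(GOOD_TRACE, BAD_TRACE))
    print("idassert DN resolved in failing trace:",
          chain_bind_resolved(BAD_TRACE))
```

Run against real `slapd -d` output captured on a slave, the script gives a quick yes/no on whether a given passmod ever reached the point where the chain overlay looks up its bind identity, which is the distinction the mail draws between the two attached traces; it does not explain why the lookup is skipped, only whether it happened.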