
Re: Overlay Chain Extended Passmod Problem



Hi,

* masarati@aero.polimi.it <masarati@aero.polimi.it> [10.04.2010 07:19]:
> You don't clearly state what your configuration is, so I can only guess. 
> I presume you're using the ppolicy overlay.  I set up a syncrepl
> producer/consumer with slapo-chain on the consumer and slapo-ppolicy on
> both servers, and I'm hitting the consumer with passmod requests that are
> chained to the producer, using TLS both client to consumer and in
> chaining.  It seems to be working just fine, I had no failures after
> hundreds of operations.  Would you mind sharing your configuration and an
> example passmod, in order to reproduce the issue?  More details, e.g.
> about what TLS support you're using, and software versions would be
> helpful.

Sorry for my unclear description. The OpenLDAP master is currently a self-compiled OpenLDAP 2.4.20 on SLES11. The slaves have different packages and are different distros; we use Ubuntu, SUSE and Debian installations. The effect is always the same: in the morning the first extended passmod operation fails. We can't see a TCP packet on the outgoing interface on the slave. After the first failure everything works fine for the whole day. More than 500 users are working on the Samba servers without problems. If we restart slapd before the first extended passmod, the operation succeeds. We have checked NTP, DNS, routing, firewalls and so on without a result.

We defined and undefined idletimeouts, TLSRandFile and so on, but without a result. In the morning, before the users start working, the first extended passmod over the chain overlay and TLS fails. If we disable TLS, it always works fine.

I would like to know where the problem is. At first we looked at the virtual systems, but the problem also exists on physical machines.

Here is our configure command:
---------------------------
./configure --with-tls --with-cyrus-sasl --enable-overlays --enable-modules \
--enable-rewrite --enable-wrapper  --enable-dynamic --enable-ldap

We use openssl support.

Here is the OpenLDAP 2.4.20 master configuration:
----------------------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/samba3.schema
include /usr/local/etc/openldap/schema/kerberos.schema
include /usr/local/etc/openldap/schema/siegnetz.schema

pidfile /usr/local/var/run/slapd/slapd.pid

argsfile /usr/local/var/run/slapd/slapd.args

#loglevel trace args filter stats parse  
loglevel sync 
#loglevel conns

authz-policy all

moduleload back_hdb
moduleload accesslog
moduleload syncprov
moduleload smbk5pwd

sizelimit unlimited
idletimeout 300
writetimeout 300

defaultsearchbase dc=camelot,dc=de

TLSCertificateFile /usr/local/etc/openldap/certs/cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/key.pem
TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pem
TLSVerifyClient demand

authz-regexp "uid=rzimmermann,cn=gssapi,cn=auth" "cn=ldapadmin,dc=camelot,dc=de"
authz-regexp "email=r.zimmermann@siegnetz.de,cn=r.zimmermann@siegnetz.de,ou=EDV,o=Siegnetz,l=Siegen,st=NRW,c=DE" "cn=ldapadmin,dc=camelot,dc=de"

tool-threads 1
threads 16

limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
limits dn.exact="cn=backupadmin,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

<snip>
ACLS
</snip>

backend hdb
database config
rootdn cn=config
rootpw {SSHA}xxxxxxx
security ssf=128

access to dn="olcDatabase={2}hdb,cn=config" attrs=olcReadOnly
 by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write
 by break

access to dn="olcDatabase={3}hdb,cn=config" attrs=olcReadOnly
 by ssf=128 dn.exact="cn=backupadmin,dc=camelot,dc=de" write
 by break

database monitor
rootdn "cn=monitoring,cn=monitor"
rootpw {SSHA}xxxxxx
security ssf=128

database hdb
suffix "cn=logs"
cachesize 10000
rootdn "cn=logs"
rootpw {SSHA}xxxxxx
directory /var/lib/ldaplogs/data
security ssf=128
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_data_dir /var/lib/ldaplogs/data
dbconfig set_lg_dir /var/lib/ldaplogs/logs
dbconfig set_lk_max_objects 2000
dbconfig set_lk_max_locks 2000
dbconfig set_lk_max_lockers 2000
checkpoint 1024 5
index default eq
index objectClass,entryCSN,entryUUID eq
index reqEnd,reqResult,reqStart,reqMod eq
overlay syncprov
syncprov-reloadhint TRUE
syncprov-nopresent TRUE

database hdb
suffix "dc=camelot,dc=de"
cachesize 50000
idlcachesize 150000
security ssf=128
rootdn "cn=masteradmin,dc=camelot,dc=de"
rootpw {SSHA}xxxxxx
directory "/var/lib/ldap/data"
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
dbconfig set_data_dir /var/lib/ldap/data
dbconfig set_lg_dir /var/lib/ldap/logs
dbconfig set_lk_max_objects 2000
dbconfig set_lk_max_locks 2000
dbconfig set_lk_max_lockers 2000
index default eq
index objectClass,entryCSN,entryUUID eq
index memberUid,gidNumber,displayName,mail,uidNumber,homeDirectory,loginShell,employeeNumber eq
index sambaDomainName,sambaPrimaryGroupSID,sambaGroupType,sambaSIDList eq
index krbPrincipalName eq
index cn,sn,uid pres,eq,approx,sub
index sambaSID eq,sub
index associatedDomain,rfc822MailMember eq
index snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer,snitDynamicGroupMember eq
lastmod on
checkpoint 1024 5
overlay accesslog
logdb "cn=logs"
logsuccess TRUE
logops writes
logpurge 07+00:00 01+00:00
logold (objectClass=*)

overlay syncprov
syncprov-checkpoint 100 1

overlay valsort
valsort-attr memberUid dc=camelot,dc=de alpha-ascend
valsort-attr member dc=camelot,dc=de alpha-ascend
valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend

overlay dynlist
dynlist-attrset groupOfNames labeledURI member

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"

overlay refint
refint_attributes member manager owner seeAlso
refint_nothing "cn=dummyuser,dc=camelot,dc=de"

overlay unique
unique_uri ldap:///?mail?sub?
unique_uri ldap:///?uid?sub?
unique_uri ldap:///?uidNumber?sub?
unique_uri ldap:///?employeeNumber?sub?
unique_uri ldap:///?sambaSID?sub?
unique_uri ldap:///?snitPrimaryMailAddress?sub?

overlay smbk5pwd

Here is the configuration of an OpenLDAP 2.4.21 slave (Samba):
---------------------------------------------------------

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/samba3.schema
include         /usr/local/etc/openldap/schema/kerberos.schema
include         /usr/local/etc/openldap/schema/siegnetz.schema

referral ldap://master.camelot.de

pidfile         /usr/local/var/run/slapd/slapd.pid

argsfile        /usr/local/var/run/slapd/slapd.args

authz-policy	all

#loglevel        sync stats
loglevel        sync

moduleload      back_hdb
moduleload      accesslog
moduleload      syncprov
moduleload	back_ldap
moduleload	dynlist
moduleload	ppolicy
moduleload	unique

sizelimit       unlimited

idletimeout 300
writetimeout 300
conn_max_pending 256

defaultsearchbase dc=camelot,dc=de

TLSCertificateFile     /usr/local/etc/openldap/certs/cert.pem
TLSCertificateKeyFile  /usr/local/etc/openldap/certs/key.pem
TLSCACertificateFile   /usr/local/etc/openldap/certs/cacert.pem
TLSVerifyClient        demand

tool-threads      2
threads           16

overlay                chain
chain-uri              ldap://master.camelot.de
chain-tls              start
                       tls_reqcert="demand"
                       tls_cert="/usr/local/etc/openldap/certs/cert.pem"
                       tls_key="/usr/local/etc/openldap/certs/key.pem"
                       tls_cacert="/usr/local/etc/openldap/certs/cacert.pem"
chain-idassert-bind    bindmethod=simple
                       binddn="cn=sambaadmin,dc=camelot,dc=de"
                       credentials="xxxxxx"
                       mode="self"
                       flags=non-prescriptive
chain-rebind-as-user   TRUE
chain-return-error     TRUE
chain-conn-ttl         600
chain-idle-timeout     300
chain-protocol-version 3

limits dn.exact="cn=replicator,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
limits dn.exact="cn=sambaadmin,dc=camelot,dc=de" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

<snip>
ACLS
</snip>

backend           hdb
database monitor
rootdn            "cn=monitoring,cn=monitor"
rootpw            {SSHA}xxxxxx
security          ssf=128

database          config
rootdn            cn=config
rootpw            {SSHA}xxxxxx
security          ssf=128

database          hdb
suffix            "dc=camelot,dc=de"
cachesize         50000
idlcachesize      150000
security          ssf=128
rootdn            "cn=masteradmin,dc=camelot,dc=de"
rootpw            {SSHA}xxxxxxx
directory         /var/lib/ldap/data
readonly          FALSE
checkpoint        1024 5
dbconfig          set_cachesize 0 268435456 1 
dbconfig          set_lg_regionmax 262144 
dbconfig          set_lg_bsize 2097152
dbconfig          set_data_dir /var/lib/ldap/data
dbconfig          set_lg_dir /var/lib/ldap/logs
dbconfig          set_lk_max_objects 2000
dbconfig          set_lk_max_locks 2000
dbconfig          set_lk_max_lockers 2000
dbConfig          set_flags DB_LOG_AUTOREMOVE
index             default eq
index             objectClass,entryCSN,entryUUID eq
index             memberUid,gidNumber,uidNumber,mail,homeDirectory,loginShell,displayName,employeeNumber eq
index             sambaDomainName,sambaGroupType,sambaSIDList,sambaPrimaryGroupSID eq
index             sambaSID eq,sub
index             krbPrincipalName eq
index             cn,sn,uid pres,eq,approx,sub
index             associatedDomain,rfc822MailMember eq
index             snitMailQuota,snitMailSizeMax,snitAccountStatus,snitTransportServer eq
index             snitPrimaryMailAddress,snitRecipientRestrictedMailAddress,snitSenderRestrictedMailAddress,snitDynamicGroupMember eq
syncrepl          rid=001
                  provider=ldap://master.camelot.de
                  uri=ldap://master.camelot.de
                  searchbase="dc=camelot,dc=de"
                  type=refreshandpersist
                  interval=00:00:00:10
                  retry="10 6 30 6 60 +"
                  bindmethod=simple
                  binddn="cn=replicator,dc=camelot,dc=de"
                  credentials="xxxxxx"
                  schemachecking=on
                  attrs="*,+"
                  filter="(objectClass=*)"
                  scope=sub
                  logbase="cn=logs"
                  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                  syncdata=accesslog
                  starttls=critical
                  tls_cert=/usr/local/etc/openldap/certs/cert.pem
                  tls_key=/usr/local/etc/openldap/certs/key.pem
                  tls_cacert=/usr/local/etc/openldap/certs/cacert.pem
updateref ldap://master.camelot.de

overlay valsort
valsort-attr memberUid dc=camelot,dc=de alpha-ascend
valsort-attr member dc=camelot,dc=de alpha-ascend
valsort-attr snitGroupMemberMailAddress dc=camelot,dc=de alpha-ascend

overlay dynlist
dynlist-attrset groupOfNames labeledURI member

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=camelot,dc=de"

Regards
Ralf Zimmermann

--

 .''`.  Ralf Zimmermann
: :' :  SIEGNETZ.IT GmbH
`. `'   Schneppenkauten 1a
  `-    57076 Siegen

	Tel.: +49 271 68193 13
	Fax.: +49 271 68193 29

	Amtsgericht Siegen HRB4838
	Geschaeftsfuehrer: Oliver Seitz
	Sitz der Gesellschaft ist Siegen
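A consumer/provider configuration cross-check, added here as an example and not part of the original post or of OpenLDAP itself: it folds slapd.conf continuation lines the way the multi-line chain-tls block in the slave config is written, then compares the consumer's chain-idle-timeout with the provider's idletimeout and checks that a provider configured with TLSVerifyClient demand is chained to with a client certificate. The two config fragments are constructed for the example; the hostname and certificate paths are placeholders.

```python
"""Cross-check slapo-chain settings on a syncrepl consumer against the
provider's slapd.conf. The fragments below are constructed, not real files."""

def parse_slapd_conf(text):
    """Return [(directive, args)]; a line starting with whitespace is a
    slapd.conf continuation and is folded into the previous directive."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1] = (entries[-1][0], entries[-1][1] + " " + raw.strip())
            continue
        parts = raw.strip().split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries

def directive(entries, name):
    # First value of a directive (names are case-insensitive), else None
    return next((a for d, a in entries if d == name.lower()), None)

def check_chain(consumer_text, provider_text):
    """Return a list of findings; empty when the settings are consistent."""
    c, p = parse_slapd_conf(consumer_text), parse_slapd_conf(provider_text)
    findings = []
    # The provider drops idle client connections after `idletimeout` seconds;
    # slapo-chain reuses a cached connection until `chain-idle-timeout`
    # (0 = never). Keeping it at least as long as the provider risks sending
    # the first operation after a long idle period on a dead connection.
    prov_idle = int(directive(p, "idletimeout") or 0)
    chain_idle = int(directive(c, "chain-idle-timeout") or 0)
    if prov_idle and (chain_idle == 0 or chain_idle >= prov_idle):
        findings.append(f"chain-idle-timeout {chain_idle} is not below the "
                        f"provider idletimeout {prov_idle}")
    # TLSVerifyClient demand on the provider means the chained connection
    # must present a client certificate: chain-tls needs tls_cert and tls_key.
    tls = directive(c, "chain-tls") or ""
    if (directive(p, "TLSVerifyClient") or "").lower() == "demand" and (
            "tls_cert=" not in tls or "tls_key=" not in tls):
        findings.append("provider demands a client certificate but "
                        "chain-tls has no tls_cert/tls_key")
    return findings

CONSUMER = """\
overlay                chain
chain-tls              start
                       tls_reqcert="demand"
                       tls_cert="/etc/openldap/certs/cert.pem"
                       tls_key="/etc/openldap/certs/key.pem"
chain-idle-timeout     300
"""
PROVIDER = "idletimeout 300\nTLSVerifyClient demand\n"
```

Run `check_chain(CONSUMER, PROVIDER)` to get the findings for the constructed pair; with the consumer's timeout lowered below the provider's it returns an empty list.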