Re: seg fault with TLS syncrepl ?
Thanks Rich,
> You should make sure the openldap-debuginfo
On track: I rolled back to simple bindmethod at this
stage and have created a dedicated proxyuser for
replication.
Once I can get this package (internal procedures...),
I'll check and come back on that issue.
Thanks,
---
Olivier
On Fri, Aug 12, 2011 at 4:14 PM, Rich Megginson
<rich.megginson@gmail.com> wrote:
> On 08/12/2011 07:17 AM, Olivier wrote:
>>
>> My N-WAY replication works properly with a
>> "bindmethod=simple".
>>
>> However, I don't like keeping a password in clear in
>> a configuration file, so I tried this:
>>
>> On server "ldap-master1.example.fr":
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=101
>> provider=ldap://ldap-master2.example.fr:389
>> searchbase="dc=example,dc=fr"
>> schemachecking=on
>> type=refreshOnly
>> interval=00:00:01:00
>> retry="10 +"
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=critical
>> tls_cert=/etc/openldap/cacerts/master1/server.crt
>> tls_key=/etc/openldap/cacerts/master1/server.key
>> tls_cacert=/etc/openldap/cacerts/CA.crt
>> tls_reqcert=demand
>>
>> On server "ldap-master2.example.fr":
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=201
>> provider=ldap://ldap-master1.example.fr:389
>> searchbase="dc=example,dc=fr"
>> schemachecking=on
>> type=refreshOnly
>> interval=00:00:01:00
>> retry="10 +"
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=critical
>> tls_cert=/etc/openldap/cacerts/master2/server.crt
>> tls_key=/etc/openldap/cacerts/master2/server.key
>> tls_cacert=/etc/openldap/cacerts/CA.crt
>>
>> I get a segmentation fault:
>>
>> ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
>>
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>> mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
>> <= bdb_inequality_candidates: (entryCSN) not indexed
>> slapd starting
>> slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
>> do_syncrepl: rid=101 rc -1 retrying
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
>> conn=1000 op=1 BIND dn="" method=163
>> conn=1000 op=1 BIND authcid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>> conn=1000 op=1 BIND dn="email=max@example.fr,cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
>> conn=1000 op=1 RESULT tag=97 err=0 text=
>> conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
>> conn=1000 op=2 SRCH attr=* +
>> conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> conn=1000 op=3 UNBIND
>> conn=1000 fd=12 closed
>> Erreur de segmentation
>>
>> The segfault happened when the second server tried to sync with the first
>> one:
>>
>> [root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>> mockbuild@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
>> slapd starting
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
>> TLS: can't accept: TLS error -5938:Encountered end of file.
>> conn=1000 fd=12 closed (TLS negotiation failure)
>> ^C
>> daemon: shutdown requested and initiated.
>> slapd shutdown: waiting for 0 operations/tasks to finish
>> slapd stopped.
>>
>> Any idea?
>
> Can you get a core file and a stack trace from the server that gets the seg
> fault?
> I'm assuming from the build that you are running on Fedora 14 or later, or
> RHEL6.1. You should make sure the openldap-debuginfo package is installed
> (e.g. debuginfo-install openldap) and install abrt. This will collect the
> core files in /var/spool/abrt.
>>
>> NOTE: if I start the daemon on ldap-master2, it is ldap-master2 that
>> produces the seg fault.
>>
>> ---
>> Olivier
>>
>
>
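As an added example (not code from the thread or from OpenLDAP): a POSIX shell check for the tls_cert, tls_key and tls_cacert files a `bindmethod=sasl saslmech=EXTERNAL` syncrepl stanza points at, which also prints the authcid the peer will log, in the form seen above. The function names are mine, and it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Constructed example: sanity-check the files a syncrepl stanza with
# bindmethod=sasl saslmech=EXTERNAL points at, and show the identity the
# peer will bind as. Function names are mine; openssl must be on PATH.

# Turn an openssl "-nameopt RFC2253" subject line into the form slapd logs
# as authcid for SASL EXTERNAL: attribute types lowercased, emailAddress
# shortened to email. (Values containing an escaped comma are not handled.)
x509_subject_to_authcid() {
    printf '%s\n' "$1" | sed 's/^subject= *//' | awk -F',' '{
        out = ""
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            k = tolower(substr($i, 1, p - 1))
            v = substr($i, p + 1)
            if (k == "emailaddress") k = "email"
            out = out (i > 1 ? "," : "") k "=" v
        }
        print out
    }'
}

# Usage: syncrepl_tls_check TLS_CERT TLS_KEY TLS_CACERT
# Run it as the user slapd drops to (-u ldap), so that the readability
# checks reflect what the daemon itself will see.
syncrepl_tls_check() {
    cert=$1; key=$2; ca=$3; rc=0
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "unreadable: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    # The private key must belong to the certificate (works for RSA and EC).
    if [ "$(openssl x509 -noout -pubkey -in "$cert")" != \
         "$(openssl pkey -pubout -in "$key")" ]; then
        echo "tls_key does not match tls_cert"; rc=1
    fi
    # The peer validates our client cert against this CA (tls_reqcert=demand).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "tls_cert does not chain to $ca"; rc=1; }
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert")
    echo "peer will see authcid: $(x509_subject_to_authcid "$subj")"
    return "$rc"
}

if [ "$#" -ge 3 ]; then syncrepl_tls_check "$@"; fi
```

The printed authcid is the string to match in an authz-regexp or ACL on the provider, so a mismatch between it and what the provider's log shows points at the certificate rather than at the daemon.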