Oh the wise and mighty of the openLDAP community,
I have an issue that I have not been able to understand. Partially because
I練 an enthusitis, not an expert in the domain. That being said, I've used
an openLDAP RPM compiled by one of the fellow *nix admins:
http://staff.telkomsa.net/packages - Yes, besides the security reasons I'm
desparate enough to try this. I'll eventually use the spec to compile my own
RPM.
I'm running CentOS 5.7 x86_64 with the latest packages. I was able to
successfully install and configure openLDAP but when I attempt to start it
with MIrrorMode, it will not start. I ran slaptest to figure out where it's
hanging up on:
[root@ldap1 ~]# slaptest2.4 -f /etc/openldap2.4/slapd.conf
/etc/openldap2.4/slapd.conf: line 207: rootDN must be defined before
syncrepl may be used
slaptest2.4: bad configuration file!
Any suggestions why it continues to complain about rootDN? I have it
specified and if slapd is going through the lines, it should have picked up
the rootdn before syncrepl. Thoughts?
Here is my slapd.conf:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
include /usr/share/openldap2.4/schema/samba.schema
include /usr/share/openldap2.4/schema/kolab.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/calendar.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/dnszone.schema
include /usr/share/openldap2.4/schema/dhcp.schema
#include /usr/share/openldap2.4/schema/rfc822-MailMember.schema
#include /usr/share/openldap2.4/schema/pilot.schema
#include /usr/share/openldap2.4/schema/qmail.schema
#include /usr/share/openldap2.4/schema/mull.schema
#include /usr/share/openldap2.4/schema/netscape-profile.schema
#include /usr/share/openldap2.4/schema/trust.schema
include /etc/openldap2.4/schema/local.schema
include /etc/openldap2.4/slapd.access.conf
access to dn.subtree="dc=domain,dc=pvt"
by group="cn=Replicator,ou=Group,dc=domain,dc=pvt"
by users read
by anonymous read
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
modulepath /usr/lib64/openldap2.4
# database backend modules available:
#moduleloadback_dnssrv.la
#moduleloadback_ldap.la
#moduleloadback_meta.la
moduleloadback_monitor.la
#moduleloadback_passwd.la
#moduleloadback_sql.la
# overlay modules available:
#moduleload accesslog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload glue.la
#moduleload lastmod.la
#moduleload pcache.la
#moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
moduleload syncprov.la
#moduleload translucent.la
#moduleload unique.la
#contrib overlays
#moduleloadsmbk5pwd.so
# SASL config
#sasl-host ldap.domain.com
# To allow TLS-enabled connections, create /etc/ssl/openldap2.4/ldap.pem
# and uncomment the following lines.
#TLSRandFile/dev/random
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile/etc/pki/tls/private/ldap.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap.pem
#TLSCACertificatePath /etc/ssl/openldap2.4/
#TLSCACertificateFile/etc/ssl/cacert.pem
TLSCACertificateFile/etc/pki/tls/private/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)
# logging
#loglevel 256
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=domain,dc=pvt"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=domain,dc=pvt"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided.See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}[NeeeNer NeeeNer NeeeNer]
# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap2.4
# Tuning settings, please see the man page for slapd-bdb for more
information
# as well as the DB_CONFIG file in the database directory
# commented entries are at their defaults
# In-memory cache size in entries
#cachesize 1000
# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5
# Indices to maintain
index objectClass eq
# persion-type searches
index cn,mail,surname,givenname
eq,subinitial
# nss_ldap exact searches:
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
# username completion via nss_ldap needs uid indexed sub:
index uid
eq,subinitial
# samba:
index sambaSID,sambaDomainName,displayName eq
# autofs:
#index nisMapName eq
# bind sdb_ldap:
#index zoneName,relativeDomainName eq
# sudo
index sudoUser eq
# syncprov
#indexentryCSN,entryUUIDeq
limits group="cn=Replicator,ou=Group,dc=domain,dc=pvt"
size=unlimited
time=unlimited
database monitor
overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100
syncrepl rid=000
provider=ldap://ldap1.oak.domain.pvta
type=refreshAndPersist
interval=01:00:00:00
retry="5 5 300 +"
rootdn="dc=domain,dc=pvt"
attrs="*,+"
bindmethod=simple
binddn="cn=Manager,dc=domain,dc=pvt"
credentials=domain1
syncrepl rid=001
provider=ldap://ldap2.oak.domain.pvt
type=refreshAndPersist
interval=01:00:00:00
retry="5 5 300 +"
rootdn="dc=domain,dc=pvt"
attrs="*,+"
bindmethod=simple
binddn="cn=Manager,dc=domain,dc=pvt"
credentials=domain1
mirrormode TRUE
serverID 1