
Re: openldap 2.4(slave) replication to openldap2.3(provider) not working



Sorry Philip

Here is my slapd.conf file from one of the OpenLDAP 2.3 consumers, which is working fine:

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=kinect,dc=co,dc=nz"
rootdn          "cn=Manager,dc=kinect,dc=co,dc=nz"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.

rootpw          {SSHA}vO/5mpk4CMOKDelv36BpjksRaHFjgqh1
password-hash {CRYPT}
password-crypt-salt-format "%s"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
checkpoint 128 15

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryUUID                               eq
index entryCSN                                eq

#threads               64
# Unlimited query size
sizelimit unlimited

syncrepl rid=3
        provider=ldap://testaaa-int.dcnztest.co.nz:389
        bindmethod=simple
        binddn="cn=sync,dc=kinect,dc=co,dc=nz"
        credentials=ieLeik8v
        type=refreshAndPersist
        retry="05 +"
        searchbase="dc=kinect,dc=co,dc=nz"
        schemachecking=off


I used the above file to configure the slave for OpenLDAP 2.4.

Here are the steps:

#slapcat -f slapd.conf -F /tmp/ldap -n 0 - This will create cn=config format in /tmp/ldap using the slapd.conf file from openldap 2.3

#rm -rf /etc/openldap/slapd.d/*  - remove the current files in /etc/openldap/slapd.d

# cp -rp /tmp/ldap/cn\=config* /etc/openldap/slapd.d/ - copy the cn=config created above to /etc/openldap/slapd.d

# chown -R ldap: /etc/openldap/slapd.d  - change ownership to ldap:ldap

#slaptest -uF /etc/openldap/slapd.d - successful

#/etc/init.d/slapd start

In the logs it gave an error:
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying


But since I increased the values in DB_CONFIG, the error above went away, and it now only logs the stop and start of OpenLDAP:

Mar 18 15:02:22 vm-nix-t01 slapd[3178]: slapd stopped.
Mar 18 15:04:18 vm-nix-t01 slapd[1478]: @(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $#012#011mockbuild@x86-022.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
Mar 18 15:04:20 vm-nix-t01 slapd[1479]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Mar 18 15:04:20 vm-nix-t01 slapd[1479]: slapd starting


slapd.conf of the PROVIDER
# cat /etc/openldap/slapd.conf
..............
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include /etc/openldap/schema/freeradius.schema

# Logging
loglevel        none

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/tls/testaaa-int.dcnztest.co.nz.crt
TLSCertificateKeyFile /etc/openldap/tls/testaaa-int.dcnztest.co.nz.key

#######################################################################
# security policies
#######################################################################

# prevent anonymous lookups of hashed passwords
access to attrs=userPassword
        by dn.exact="cn=sync,dc=kinect,dc=co,dc=nz" read
        by dn.exact="uid=client-root,ou=auth,dc=kinect,dc=co,dc=nz" write
        by self write
        by anonymous auth
        by * none

# default allow all
access to *
        by self write
        by users read
        by anonymous read


# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=kinect,dc=co,dc=nz"
rootdn          "cn=Manager,dc=kinect,dc=co,dc=nz"
#threads         64
# Allow unlimited length DB queries - important for ensuring reliable sync
sizelimit       unlimited

rootpw          {SSHA}vO/5mpk4CMOKDelv36BpjksRaHFjgqh1
password-hash {CRYPT}
password-crypt-salt-format "%s"


directory       /var/lib/ldap
checkpoint      128 15

# Indices to maintain for this database
index entryUUID                         eq
index entryCSN                          eq
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


On the consumer (OpenLDAP 2.4) there is no slapd.conf file, but here is the cn\=config.ldif. This is another thing I am trying to understand: the manual talks about slapd.conf in 2.4, but it doesn't exist by default.

[root@vm-nix-t01 ~]# cat /etc/openldap/slapd.d/cn\=config.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: ../slapd.conf
olcConfigDir: /tmp/ldap
olcAllows: bind_v2
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcLocalSSF: 71
olcPasswordCryptSaltFormat: %s
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSaslSecProps: noplain,noanonymous
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCACertificateFile: /etc/openldap/tls/test02aaa.pem
olcTLSCertificateFile: /etc/openldap/tls/test02aaa.pem
olcTLSCertificateKeyFile: /etc/openldap/tls/test02aaa-key.pem
olcTLSVerifyClient: never
olcToolThreads: 1
olcWriteTimeout: 0
structuralObjectClass: olcGlobal
entryUUID: 7f528bf2-4271-1033-8d3c-451e105bb7d9
creatorsName: cn=config
createTimestamp: 20140317224452Z
entryCSN: 20140317224452.209642Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140317224452Z






On 18 March 2014 18:40, Philip Guenther <pguenther@proofpoint.com> wrote:
On Mon, 17 Mar 2014, Andrew Belford wrote:
> I have just registered on the mailing list seeking assistance on how to
> get openldap replication working between 2.3 and 2.4 openldap.

Time to read the "Changes Since Previous Release" section of the 2.4 admin
guide:
        http://www.openldap.org/doc/admin24/appendix-changes.html


> My provider is running on 2.3 (openldap), which replicates successfully
> to a 2.3 (openldap) slave.  Recently we built a rhel6 host that comes
> with openldap 2.4, with the intention to run openldap on it as a slave.
>
> I have stood up the new slave (2.4 openldap) using the same configuration as
> the other running slave (2.3 openldap).
> I have managed to slapadd the ldif  of the master to the new slave
> slapadd -l /tmp/AAA01_20140314.ldif
>
> However, if I try and search for entries, it shows the following but I am
> expecting 32K objects

Item B.2 at
        http://www.openldap.org/doc/admin24/appendix-upgrading.html
?


> I also don't see any replication details in /var/log/slapd.log

Since you don't mention how you configured replication to this 2.4 box or
what output you were expecting, I can't help on this.


Philip Guenther
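The consumer log quoted earlier in this mail shows the pattern a responder has to recognise: back-bdb reporting "Lock table is out of available lock entries", each syncrepl_entry add failing with rc 80 (LDAP_OTHER, the 0x50 in the null_callback line), and do_syncrepl retrying every five seconds as retry="05 +" dictates. The Python script below is an added example, not code from the thread: it parses those log lines (copied from the mail as sample input, plus the stop/start lines), counts retries per rid, correlates them with the BDB lock exhaustion, and emits findings. The standard Berkeley DB remedy for that lock-table message is raising set_lk_max_locks (usually with set_lk_max_objects and set_lk_max_lockers) in DB_CONFIG, which is what "increasing the value of DB_CONFIG" above refers to; the regexes match the slapd 2.4 message formats seen in the log, and the finding codes are my own naming.

```python
"""Triage slapd syslog output for a stalled syncrepl consumer (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Sample input: the consumer log lines quoted in the mail, followed by its stop/start lines.
SAMPLE_LOG = """\
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:45 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:50 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: bdb(dc=kinect,dc=co,dc=nz): Lock table is out of available lock entries
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: null_callback : error code 0x50
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: syncrepl_entry: rid=003 be_add cn=Dial_IP,ou=Group,ou=auth,dc=kinect,dc=co,dc=nz failed (80)
Mar 18 11:49:55 vm-nix-t01 slapd[2049]: do_syncrepl: rid=003 rc 80 retrying
Mar 18 15:02:22 vm-nix-t01 slapd[3178]: slapd stopped.
Mar 18 15:04:20 vm-nix-t01 slapd[1479]: slapd starting
"""

# Syslog envelope written by slapd, then the three message shapes we care about.
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ENTRY_FAIL_RE = re.compile(r'^syncrepl_entry: rid=(?P<rid>\d+) (?P<op>be_\w+) (?P<dn>.+) failed \((?P<rc>\d+)\)$')
RETRY_RE = re.compile(r'^do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>\d+) retrying$')
BDB_LOCK_RE = re.compile(r'^bdb\((?P<suffix>[^)]+)\): Lock table is out of available lock entries$')

# LDAP result codes that show up in syncrepl failures (RFC 4511 names).
LDAP_RESULT_NAMES = {0: 'success', 32: 'noSuchObject', 50: 'insufficientAccessRights',
                     65: 'objectClassViolation', 68: 'entryAlreadyExists', 80: 'other'}


def triage(log_text):
    """Summarise syncrepl failures per rid and correlate them with back-bdb lock exhaustion."""
    per_rid = defaultdict(lambda: {'retries': 0, 'failures': Counter(), 'first': None, 'last': None})
    lock_exhaustion = Counter()
    restarts = 0
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a slapd syslog line
        ts, msg = m.group('ts'), m.group('msg')
        f = ENTRY_FAIL_RE.match(msg)
        if f:
            st = per_rid[f.group('rid')]
            st['failures'][(f.group('op'), f.group('dn'), int(f.group('rc')))] += 1
            st['first'] = st['first'] or ts
            st['last'] = ts
            continue
        r = RETRY_RE.match(msg)
        if r:
            per_rid[r.group('rid')]['retries'] += 1
            continue
        b = BDB_LOCK_RE.match(msg)
        if b:
            lock_exhaustion[b.group('suffix')] += 1
            continue
        if msg == 'slapd starting':
            restarts += 1
    return {'rids': dict(per_rid), 'lock_exhaustion': dict(lock_exhaustion), 'restarts': restarts}


def diagnose(summary):
    """Turn the triage summary into (code, message) findings a responder can act on."""
    findings = []
    for rid, st in summary['rids'].items():
        if st['retries'] == 0:
            continue
        if st['failures']:
            (op, dn, rc), n = st['failures'].most_common(1)[0]
            findings.append(('SYNCREPL_STALLED',
                             f"rid={rid} retried {st['retries']}x between {st['first']} and {st['last']}; "
                             f"{op} on {dn} failed {n}x with rc {rc} ({LDAP_RESULT_NAMES.get(rc, 'unknown')})"))
        else:
            findings.append(('SYNCREPL_STALLED', f"rid={rid} retried {st['retries']}x without a logged entry failure"))
    for suffix, n in summary['lock_exhaustion'].items():
        findings.append(('BDB_LOCK_TABLE',
                         f"back-bdb for {suffix} ran out of lock entries {n}x; raise set_lk_max_locks "
                         f"(and set_lk_max_objects/set_lk_max_lockers) in DB_CONFIG and restart slapd"))
    if summary['restarts']:
        findings.append(('RESTARTED',
                         f"slapd started {summary['restarts']}x in this window; confirm replication resumed after the last start"))
    return findings


if __name__ == '__main__':
    for code, message in diagnose(triage(SAMPLE_LOG)):
        print(f"{code}: {message}")
```

Run against a real /var/log/slapd.log the script reports one SYNCREPL_STALLED line per rid, so a consumer that keeps retrying with rc 80 while the BDB_LOCK_TABLE finding is present points at DB_CONFIG rather than at the provider; a stall with rc 65 (objectClassViolation) would instead point at the schema differences between 2.3 and 2.4 that Philip's upgrade-notes link covers.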
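The syncrepl stanza in this thread binds with bindmethod=simple to a plain ldap:// URL, carries the replication password in slapd.conf, and runs with schemachecking=off, while the provider's ACL grants cn=sync read on userPassword; the password hashes therefore cross the wire unencrypted and the secret sits in a config file. As an added example (not the poster's code), here is a small Python audit that parses a consumer stanza, either the slapd.conf syncrepl directive form above or an olcSyncrepl: value from cn=config, which uses the same keyword=value syntax, and flags those settings. The sample stanza is copied from the 2.3 consumer config with the credential replaced by a placeholder; the finding codes, severities and the 'no' sentinel for an absent starttls keyword are my own.

```python
"""Audit a syncrepl consumer stanza for weak transport and schema settings (added example)."""
import shlex

# Constructed sample: the 2.3 consumer stanza from the thread, credential replaced by a placeholder.
SAMPLE_STANZA = """\
syncrepl rid=3
        provider=ldap://testaaa-int.dcnztest.co.nz:389
        bindmethod=simple
        binddn="cn=sync,dc=kinect,dc=co,dc=nz"
        credentials=PLACEHOLDER-SECRET
        type=refreshAndPersist
        retry="05 +"
        searchbase="dc=kinect,dc=co,dc=nz"
        schemachecking=off
"""


def parse_syncrepl(text):
    """Return the syncrepl keyword=value pairs as a dict.

    Accepts a slapd.conf 'syncrepl' directive or an LDIF 'olcSyncrepl:' attribute. Both
    continue onto following lines that start with whitespace, so the text is first joined
    into logical lines; shlex then honours double-quoted values such as retry="05 +".
    """
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t' and logical:
            logical[-1] += ' ' + line.strip()
        else:
            logical.append(line.strip())
    for directive in logical:
        tokens = shlex.split(directive)
        if tokens and tokens[0].lower() in ('syncrepl', 'olcsyncrepl:'):
            body = tokens[1:]
            if body and body[0].startswith('{'):  # cn=config ordering prefix, e.g. {0}rid=3
                body[0] = body[0].split('}', 1)[1]
            return dict(tok.split('=', 1) for tok in body if '=' in tok)
    raise ValueError('no syncrepl directive found')


def audit_syncrepl(cfg):
    """Return (severity, code, message) findings for one consumer stanza."""
    findings = []
    scheme = cfg.get('provider', '').split('://', 1)[0].lower()
    starttls = cfg.get('starttls', 'no').lower()  # 'no' stands in for an absent keyword
    encrypted = scheme == 'ldaps' or starttls == 'critical'
    if scheme == 'ldap' and starttls == 'no':
        findings.append(('high', 'CLEARTEXT_TRANSPORT',
                         'simple-bind password and every replicated entry (userPassword hashes included) '
                         'cross the network unencrypted; use ldaps:// or starttls=critical'))
    elif scheme == 'ldap' and starttls == 'yes':
        findings.append(('medium', 'STARTTLS_OPTIONAL',
                         'starttls=yes continues in cleartext if the StartTLS request fails; use starttls=critical'))
    if (encrypted or starttls == 'yes') and cfg.get('tls_reqcert', 'demand').lower() in ('never', 'allow'):
        findings.append(('high', 'NO_CERT_CHECK',
                         'tls_reqcert=%s accepts any provider certificate' % cfg['tls_reqcert']))
    if cfg.get('bindmethod', 'simple').lower() == 'simple' and 'credentials' in cfg:
        findings.append(('low', 'SECRET_IN_CONFIG',
                         'replication password is stored in the config; keep the file mode 0600 and grant '
                         'the bind DN only the read access replication needs'))
    if cfg.get('schemachecking', 'off').lower() == 'off':
        findings.append(('low', 'SCHEMA_CHECK_OFF',
                         'consumer stores entries that violate its own schema (this is the default)'))
    return findings


if __name__ == '__main__':
    for severity, code, message in audit_syncrepl(parse_syncrepl(SAMPLE_STANZA)):
        print(f"[{severity}] {code}: {message}")
```

The parser deliberately stops at the first syncrepl directive it finds; a slapd.conf with several databases would be split per database block first. For the 2.3 consumer in the thread the audit reports CLEARTEXT_TRANSPORT, SECRET_IN_CONFIG and SCHEMA_CHECK_OFF; moving the provider URL to ldaps:// (or adding starttls=critical) with tls_reqcert=demand clears the transport finding without touching anything else in the stanza.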