[Date Prev][Date Next] [Chronological] [Thread] [Top]

Trying to perform mirror sync , but getting - TLS: error: the certificate '/etc/openldap/certs/xxx.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.

I've recently updated both my openldap servers to 2.4.39 version and everything seems to be working EXCEPT the mirror synchronization which was the issue I had previously with 2.4.23
Running on CentOS 6.5
 
Setup -
 
Server1(provider):    ldap-east.xxxxx.net
Server2(consumer):  ldap-west.xxxxx.net
 
Not using self signed certs.  Instead have a SAN(Subject Alternative Name)cert from DigiCert with 4 hostnames:
 
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
 
I'm using slapd.conf vs cn=config.
 
 
The details:
 
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
        root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
 
 
*** I wonder if there is something about SAN certs where ldap is having issues ?
*** Since it is a signed CA cert in a mirror sync setup do I need to set it up in the local CA(using certutil) and add it?  (didn't have to for non-sync use)
*** Unclear of 'not found in database' - which one?  I've tried adding it using certutil in various permutations of setting adding the cert to the local CA database with all the various SAN names as different nick names
*** I've also setup symlinks in /etc/openldap/certs pointing from the hashes -> certs - but all of these with the exact same output as above.
 
 
 
From the debug log:

Sep 18 13:39:30 ldap-east slapd[18966]: @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $#012#011root@admin.xxxxx.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line 165: warning, destination attributeType 'sAMAccountName' is not defined in schema
Sep 18 13:39:30 ldap-east slapd[18966]: PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line 215: rootdn is always granted unlimited privileges.
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn=Subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn=subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: matching_rule_use_init
Sep 18 13:39:30 ldap-east slapd[18966]:     1.2.840.113556.1.4.804 (integerBitOrMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     1.2.840.113556.1.4.803 (integerBitAndMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.39 (certificateListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.38 (certificateListExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.35 (certificateMatch):
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.34 (certificateExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.30 (objectIdentifierFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.29 (integerFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.28 (generalizedTimeOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.28 NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $ modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.27 (generalizedTimeMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.24 (protocolInformationMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.23 (uniqueMemberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.22 (presentationAddressMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.20 (telephoneNumberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.18 (octetStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.18 NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ olcDbCryptKey ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.17 (octetStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.16 (bitStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.15 (integerOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.15 NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.14 (integerMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.13 (booleanMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbChecksum $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcAccessLogSuccess $ olcRwmNormalizeMapped $ olcRwmDropUnrequested $ olcSpNoPresent $ olcSpReloadHint $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $ olcDbSessionTrackingRequest $ olcDbNoRefs $ olcDbNoUndefFilter $ olcChainCacheURI $ olcChainReturnError ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.11 (caseIgnoreListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.9 (numericStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.9 NAME 'numericStringOrderingMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.8 (numericStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.7 (caseExactSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.6 (caseExactOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOffi
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.5 (caseExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.4 (caseIgnoreSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber $ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.3 (caseIgnoreOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOff
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.2 (caseIgnoreMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $ olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $ olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName
Sep 18 13:39:30 ldap-east slapd[18966]:     1.2.36.79672281.1.13.3 (rdnMatch):
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.1 (distinguishedNameMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
Sep 18 13:39:30 ldap-east slapd[18966]:     2.5.13.0 (objectIdentifierMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]: slapd startup: initiated.
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: No explicit ACL for back-config configured. Using hardcoded default
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=module{0}"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=schema"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={0}core"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={1}cosine"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={2}inetorgperson"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={3}nis"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={4}sudo"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={-1}frontend"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={0}config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={1}ldap"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={0}rwm"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcDatabase={2}bdb"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={0}syncprov"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "olcOverlay={1}glue"
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: ldap_back_db_open: URI=ldap://ad1.xxxxx.net
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: database "dc=xxxxx,dc=net": dbenv_open(/var/lib/ldap).
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)", at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_dn2id("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: <= bdb_dn2id: got id=0x7
Sep 18 13:39:30 ldap-east slapd[18966]: entry_decode: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: <= entry_decode(dc=xxxxx,dc=net)
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: slapd starting
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 4r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 7r listener=0x7f37cb13f7c0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 8r listener=0x7f37cb13f8a0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrepl rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)", at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result not in cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access to "dc=xxxxx,dc=net" "contextCSN" requested
Sep 18 13:39:30 ldap-east slapd[18966]: <= root access granted
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrep2 rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 13r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7 active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8 active_threads=0 tvp=zero
 
slapd.conf
 
[root@ldap-east openldap]# cat slapd.conf
 
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/sudo.schema
 
allow bind_v2
 
TLSCertificateFile /etc/openldap/certs/ldap_xxxxx_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_xxxxx_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
 
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
 
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
 
moduleload accesslog.la
moduleload rwm.la
moduleload syncprov.la
 

disallow bind_anon
 
moduleload     back_bdb
moduleload     back_ldap
 
backend        bdb
 
moduleload      syncprov
 

database        ldap
suffix          "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
uri             ldap://ad1.xxxxx.net/
rebind-as-user
idassert-bind   bindmethod=simple
                binddn="cn=username,ou=users,ou=xxxxxx,dc=ad,dc=xxxxx,dc=net"
                credentials="xxxxxxxxx"
                mode=none
idassert-authzFrom "*"
chase-referrals yes
subordinate
 
overlay rwm
rwm-map attribute uid sAMAccountName
 

database        bdb
suffix          "dc=xxxxx,dc=net"
checkpoint      1024 15
rootdn          "cn=Manager,dc=xxxxx,dc=net"
rootpw                  {SSHA}xxxxxxxxxxx
 
directory       /var/lib/ldap
 
 
 
access to *
        by dn.base="cn=TestSync,ou=Roles,dc=xxxxx,dc=net" write
        by * break
 
# Generic ACL section
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=xxxxx,dc=net" write
        by anonymous auth
        by self write
        by * none
 
# Specific ACL section to restrict userPassword to be used for authentication only - 8-15-14
#access to to dn.children="ou=People,dc=xxxxx,dc=net" write
#       attrs=userPasswrod
#       by self write
#       by * auth
#       by dn.children="ou=Customers,ou=People,dc=xxxxx,dc=net" write
 
 
 

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
 
index entryCSN,entryUUID                eq
 

#LDAP Sync - Master
serverID 1
overlay syncprov
 
syncprov-checkpoint 100 10
 
syncprov-sessionlog 100
 
#LDAP Sync - Slave
syncrepl      rid=001
        provider=ldaps://ldap-west.xxxxx.net
        bindmethod=simple
        binddn="cn=TestSync,ou=Roles,dc=xxxxx,dc=net"
        credentials=xxxxxxx
        searchbase="dc=xxxxx,dc=net"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on
 
loglevel -1