
Trying to set up multimaster syncrepl, error attribute 'olcTLSCertificateFile' not allowed , why?



I inherited a pair of (interestingly configured) LDAP servers from a previous owner and I'm trying to get them to replicate to each other (actually, starting with two new VM copies, with the goal of ending up with four masters spread over two data centers). The VMs are running RHEL6 and OpenLDAP 2.4.40.

When I try to add replication using the LDIF included at the bottom of this post, I get this error and then cannot restart slapd:
--
[root@ldap01 tmp]#  ldapmodify  -Y  EXTERNAL -H ldapi:/// -f /tmp/repl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config"

modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcTLSCertificateFile' not allowed
--

The slapd restart error in the log is:
read_config: no serverID / URL match found. Check slapd -h arguments.

(I assume this is coming from my three new syncprov providers which have nothing to provide?)

The only reference I found to TLS anywhere was here:

[root@ldap01 tmp]# slapcat -s olcDatabase=\{2}bdb,cn=config |grep TLS
olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_key.pem

Those files do not exist and never have!
(I admit I tried, and failed, to delete the reference.)

What can I do to fix the TLS error? Where is there a TLS dependency in this picture? Thank you for any clues!

[root@ldap01 tmp]# cat post.ldif
olcServerID: 1 ldap://ldap02.example.com
olcServerID: 2 ldap://ldap2.example.com
olcServerID: 3 ldap://ldap.example.com

dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://ldap02.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  timeout=1
olcSyncRepl: rid=002
  provider=ldap://ldap2.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 1 300 12 7200 +"
  timeout=1
olcSyncRepl: rid=003
  provider=ldap://ldap.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="managerpassword"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 1 300 12 7200 +"
  timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE



Thank you very much!
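An added example, not part of the post and not OpenLDAP project code: a small Python checker that runs over a slapcat-style dump of cn=config and reports the three things the post runs into. The olcTLS* attributes are MAY attributes of olcGlobal, so only the cn=config entry may carry them; when they sit in a database entry the next modification of that entry fails the schema check with exactly the "attribute 'olcTLSCertificateFile' not allowed" violation shown. With several olcServerID values, slapd must be started with a -h listener URL that equals one of them, otherwise read_config reports "no serverID / URL match found". And an olcSyncRepl stanza that uses bindmethod=simple over a plain ldap:// provider without a starttls= option sends the replication password unencrypted. The SAMPLE_LDIF below is constructed (hostnames and the stray certificate path are the ones the post shows, the credential is a placeholder), and normalize_url is an assumed simplification of slapd's own URL comparison, not a reimplementation of it.

```python
"""Static checks over a slapcat-style dump of an OpenLDAP cn=config tree."""
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the post: serverIDs in cn=config, the two
# olcTLS* attributes misplaced in the bdb database entry, one syncrepl
# stanza as posted and one hardened with starttls=critical.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://ldap02.example.com
olcServerID: 2 ldap://ldap2.example.com
olcServerID: 3 ldap://ldap.example.com

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=example,dc=com
olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_key.pem
olcSyncRepl: rid=001
  provider=ldap://ldap02.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="REPLACE-WITH-REPLICATION-PASSWORD"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
olcSyncRepl: rid=002
  provider=ldap://ldap2.example.com
  binddn="uid=Manager,dc=example,dc=com"
  bindmethod=simple
  credentials="REPLACE-WITH-REPLICATION-PASSWORD"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="60 +"
  starttls=critical
  tls_reqcert=demand
olcMirrorMode: TRUE
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def misplaced_tls_attributes(ldif_text):
    """(dn, attribute) pairs for olcTLS* attributes found outside cn=config."""
    found, dn = [], None
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif dn and re.match(r"olcTLS\w*:", line) and dn.lower() != "cn=config":
            found.append((dn, line.split(":", 1)[0]))
    return found


def parse_server_ids(ldif_text):
    """Map serverID number -> URL from every olcServerID line."""
    ids = {}
    for line in unfold_ldif(ldif_text):
        m = re.match(r"olcServerID:\s*(\d+)\s+(\S+)", line)
        if m:
            ids[int(m.group(1))] = m.group(2)
    return ids


def normalize_url(url):
    """Assumed simplification: compare scheme and host part, ignore a trailing '/'."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def check_serverid_listener_match(ldif_text, listener_urls):
    """serverIDs whose URL equals one of the slapd -h listeners; [] means
    slapd will refuse to start with 'no serverID / URL match found'."""
    listeners = {normalize_url(u) for u in listener_urls}
    return [sid for sid, url in parse_server_ids(ldif_text).items()
            if normalize_url(url) in listeners]


def parse_syncrepl(ldif_text):
    """One dict of key=value options per olcSyncRepl value (quotes stripped)."""
    stanzas = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("olcSyncRepl:"):
            body = line[len("olcSyncRepl:"):].strip()
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', body)
            stanzas.append({k: v.strip('"') for k, v in pairs})
    return stanzas


def cleartext_bind_risks(ldif_text):
    """rids whose simple bind crosses the network unencrypted: ldap:// provider
    and no starttls= option (absent bindmethod treated as simple, an assumption)."""
    risky = []
    for s in parse_syncrepl(ldif_text):
        plain = s.get("provider", "").lower().startswith("ldap://")
        simple = s.get("bindmethod", "simple").lower() == "simple"
        if plain and simple and s.get("starttls", "no").lower() == "no":
            risky.append(s.get("rid"))
    return risky


if __name__ == "__main__":
    # SLAPD_URLS as typically found in /etc/sysconfig/ldap on RHEL6 (assumed).
    listeners = ["ldap:///", "ldapi:///"]
    print("misplaced olcTLS* attributes:", misplaced_tls_attributes(SAMPLE_LDIF))
    print("serverIDs matching a listener:",
          check_serverid_listener_match(SAMPLE_LDIF, listeners))
    print("syncrepl rids binding in clear:", cleartext_bind_risks(SAMPLE_LDIF))
```

Run it against `slapcat -n 0` output instead of SAMPLE_LDIF to check a real tree; the serverID check is only meaningful once the listener list passed in is the one slapd is actually started with.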