cn=config (MMR) replication causes ldapsearch -ZZ to hang on RHEL 6.7



I'm trying to move my OpenLDAP MMR configuration from RHEL 6.5 (OpenLDAP 2.4.23) to RHEL 6.7 (OpenLDAP 2.4.40). On RHEL 6.5 it is working with no problems. On RHEL 6.7, the configuration causes "ldapsearch -ZZ" to hang indefinitely.

The cn=config section in slapd.conf looks like this:

# sync provider configuration
overlay syncprov
syncprov-checkpoint 1 1

syncrepl        rid=001
                provider=ldap://server1
                searchbase="cn=config"
                filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
                bindmethod=sasl saslmech=EXTERNAL starttls=critical
                tls_cert=/etc/openldap/csa-certs/config.crt
                tls_key=/etc/openldap/csa-certs/config.key
                tls_cacert=/etc/openldap/csa-certs/cacert.pem
                tls_reqcert=demand
                type=refreshAndPersist
                retry="5 10 10 10 30 +"
                timeout=1

syncrepl        rid=002
                provider=ldap://server2
                searchbase="cn=config"
                filter="(|(objectClass=olcDatabaseConfig)(objectClass=olcOverlayConfig))"
                bindmethod=sasl saslmech=EXTERNAL starttls=critical
                tls_cert=/etc/openldap/csa-certs/config.crt
                tls_key=/etc/openldap/csa-certs/config.key
                tls_cacert=/etc/openldap/csa-certs/cacert.pem
                tls_reqcert=demand
                type=refreshAndPersist
                retry="5 10 10 10 30 +"
                timeout=1

mirrormode on


If I comment out that section in slapd.conf then "ldapsearch -ZZ" works but (obviously) I don't get cn=config replication.

Am I doing something wrong in the configuration?   Is it a fluke that it is working on 2.4.23 in the first place?   Or does anyone know what may have changed (or is more strict or whatever) in the 2.4.40 release?

Should I try to just remove RHEL's version of OpenLDAP and install the latest from openldap.org instead?

Any assistance is highly appreciated!


Thanks,
--
Frank
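
A static check of the TLS client-authentication settings in syncrepl stanzas like the ones in the message above, added here as an example that is not part of the original post. It does not diagnose the hang; the function names, the sample text and the set of checks are assumptions made for illustration.

```python
import shlex

# Constructed sample: stanza 1 follows the post's settings, stanza 2 is deliberately weakened.
SAMPLE = '''\
# sync provider configuration
syncrepl        rid=001
                provider=ldap://server1
                bindmethod=sasl saslmech=EXTERNAL starttls=critical
                tls_cert=/etc/openldap/csa-certs/config.crt
                tls_key=/etc/openldap/csa-certs/config.key
                tls_reqcert=demand
                retry="5 10 10 10 30 +"
syncrepl        rid=001
                provider=ldap://server2
                bindmethod=sasl saslmech=EXTERNAL starttls=yes
                tls_reqcert=allow
'''

def parse_syncrepl(text):
    """Return one dict of key=value parameters per syncrepl directive."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the previous line
        elif raw.strip():
            logical.append(raw.strip())
    stanzas = []
    for line in logical:
        words = [] if line.startswith("#") else shlex.split(line)
        if words and words[0].lower() == "syncrepl":
            stanzas.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return stanzas

def lint(stanzas):
    """Return (rid, message) findings for weak or incomplete TLS client-auth settings."""
    findings, seen = [], set()
    for s in stanzas:
        rid = s.get("rid", "?")
        if rid in seen:
            findings.append((rid, "duplicate rid"))
        seen.add(rid)
        if s.get("provider", "").startswith("ldap://") and s.get("starttls") != "critical":
            findings.append((rid, "ldap:// provider without starttls=critical"))
        # Assumption: an absent tls_reqcert is treated as the default, demand.
        if s.get("tls_reqcert", "demand") != "demand":
            findings.append((rid, "tls_reqcert does not demand a valid provider certificate"))
        findings += [(rid, f"saslmech=EXTERNAL without {k}") for k in ("tls_cert", "tls_key")
                     if s.get("saslmech", "").upper() == "EXTERNAL" and k not in s]
    return findings
```

Calling lint(parse_syncrepl(open("/etc/openldap/slapd.conf").read())) on each server before restarting slapd lists the stanzas whose TLS parameters differ from the strict form used in the post.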