
(ITS#5984) chain/syncprov problems

Full_Name: Quanah Gibson-Mount
Version: 2.4.15
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.29.239)


In a discussion with a user on the #openldap channel in IRC, they noted that if
they had both the chain and syncprov overlays enabled in their configuration,
slapd would refuse to start.  Commenting out either one allowed slapd to start. 
I didn't see any obvious misconfigurations on their part.  Configs as follows:

include         /usr/local/openldap-2.4.15/etc/openldap/schema/core.schema
include         /usr/local/openldap-2.4.15/etc/openldap/schema/cosine.schema
include         /usr/local/openldap-2.4.15/etc/openldap/schema/inetorgperson.schema
include         /usr/local/openldap-2.4.15/etc/openldap/schema/misc.schema
include         /usr/local/openldap-2.4.15/etc/openldap/schema/nis.schema
include         /usr/local/openldap-2.4.15/etc/openldap/schema/dyngroup.schema

pidfile         /usr/local/openldap-2.4.15/var/run/slapd.pid
argsfile        /usr/local/openldap-2.4.15/var/run/slapd.args

modulepath	/usr/local/openldap-2.4.15/libexec/openldap
moduleload	accesslog.la
moduleload	auditlog.la
moduleload	back_bdb.la
moduleload	back_ldap.la
moduleload	back_monitor.la
moduleload	dyngroup.la
moduleload	ppolicy.la
moduleload	syncprov.la
moduleload	unique.la

# TLS Section
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /usr/local/openldap-2.4.15/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/openldap-2.4.15/etc/openldap/servercert.pem
TLSCertificateKeyFile /usr/local/openldap-2.4.15/etc/openldap/serverkey.pem
TLSVerifyClient never
security tls=256

password-crypt-salt-format     "$1$%.8s$"

loglevel 256
loglevel stats sync

overlay chain
chain-uri "ldap://xxx";
chain-idassert-bind
    bindmethod="simple"
    binddn="cn=Manager,dc=XYX,dc=com"
    credentials="secret"
    mode="self"
    chain-tls                  start
    chain-return-error         TRUE


database        bdb
suffix          "dc=XYZ,dc=com"
rootdn          "cn=Manager,dc=XYZ,dc=com"
rootpw          secret
directory       /usr/local/openldap-2.4.15/var/openldap-data/XYZ.com-slave


overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

syncrepl rid=010
    provider=ldap://xxx
    type=refreshAndPersist
    interval=00:00:00:05
    searchbase="dc=XYZ,dc=com"
    bindmethod=simple
    binddn="cn=SyncRepl,dc=XYZ,dc=com"
    credentials=secret
    retry="5 5 300 5"
    starttls=yes
    tls_reqcert=never

slapd -d -1 output wasn't too helpful, either:

@(#) $OpenLDAP: slapd 2.4.15 (Mar  2 2009 11:27:50) $
        bill@crash:/home/bill/openldap-2.4.15/servers/slapd
ldap_pvt_gethostbyname_a: host=crash, r=0
daemon_init: listen on ldap://
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: listener initialized ldap://
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=XYZ,dc=com>
<<< dnPrettyNormal: <dc=XYZ,dc=com>, <dc=XYZ,dc=com>
>>> dnPrettyNormal: <cn=Manager,dc=XYZ,dc=com>
<<< dnPrettyNormal: <cn=Manager,dc=XYZ,dc=com>, <cn=manager,dc=XYZ,dc=com>
>>> dnNormalize: <cn=Manager,dc=XYZ,dc=com>
<<< dnNormalize: <cn=manager,dc=XYZ,dc=com>
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
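One thing worth checking on any slapd.conf before a restart, and a way to read the stanzas posted above, is how slapd folds the file into logical lines: per slapd.conf(5), blank lines and lines starting with '#' are ignored, and a line that begins with white space is a continuation of the previous directive. The script below is an added example (not part of this report and not OpenLDAP code) that applies that folding to a constructed fragment modelled on the chain and syncprov stanzas above and prints each effective directive with the section it lands in. It assumes shlex's POSIX quoting is a close enough approximation of slapd's tokenizer, and the "prefix" flag at the end is a heuristic of mine, not anything slapd does.

```python
"""Fold an slapd.conf fragment into logical directives the way slapd.conf(5) describes.

Rules applied: comment and blank lines are dropped; a line starting with white space
is appended to the previous directive; arguments are whitespace separated and may be
double-quoted.  shlex.split is used as an approximation of slapd's tokenizer (assumption).
"""
import shlex

# Constructed fragment modelled on the chain / syncprov stanzas in the report above.
SAMPLE = r'''
overlay chain
chain-uri "ldap://xxx";
chain-idassert-bind
    bindmethod="simple"
    binddn="cn=Manager,dc=XYX,dc=com"
    credentials="secret"
    mode="self"
    chain-tls                  start
    chain-return-error         TRUE

database        bdb
suffix          "dc=XYZ,dc=com"

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
'''


def fold_lines(text):
    """Return the logical lines slapd would see after dropping comments/blank lines
    and joining continuation lines onto the directive they follow."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t' and logical:
            logical[-1] += ' ' + raw.strip()   # continuation of the previous directive
        else:
            logical.append(raw.strip())
    return logical


def parse_directives(text):
    """Return a list of (directive, [args]) tuples from the folded logical lines."""
    out = []
    for line in fold_lines(text):
        tokens = shlex.split(line)            # strips double quotes, keeps embedded ';'
        out.append((tokens[0], tokens[1:]))
    return out


def scoped_directives(text):
    """Tag every directive with its section: 'global' (frontend) until the first
    'database' line, then 'database <type>' for that database section."""
    scope = 'global'
    out = []
    for name, args in parse_directives(text):
        if name == 'database' and args:
            scope = 'database ' + args[0]
        out.append((scope, name, args))
    return out


def folded_prefix_tokens(name, args):
    """Heuristic (my own, not slapd's): arguments that share the directive's
    'xxx-' prefix usually started life as their own directive and were folded in
    by leading white space.  Returns those tokens so a reviewer can look at them."""
    prefix = name.split('-')[0] + '-'
    return [a for a in args if a.startswith(prefix) and a != name]


if __name__ == '__main__':
    for scope, name, args in scoped_directives(SAMPLE):
        print(f'[{scope}] {name} {args}')
        for tok in folded_prefix_tokens(name, args):
            print(f'    note: {tok!r} was folded into {name} by leading white space')
```

Run it and compare the printed lines with what you intended each directive to be; a directive whose arguments contain the names of other directives, or a URI still carrying a trailing ';', is worth a second look before attributing a startup failure to the overlay combination itself.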