[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl 2.4 issue from 2.3 master

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: syncrepl 2.4 issue from 2.3 master
From: FRLinux <frlinux@gmail.com>
Date: Wed, 4 Nov 2009 11:20:30 +0000
Cc: openldap <openldap-software@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=vhjflyvf3ZOO3hiWzkFv14VL0DM4cOa5Eq7Omp26LiY=; b=XlY8ssHHcczzZMX3sk/r9Dc9L7SF5IS1ZYcIwJW0ULFDNx+ISfZqTghA/h110jYs+U q0+HBlTDdL6su4VyMGHSSrxv93tVbQZObzR2pZ5gRe2r6XcsVhSasP1J3oPrabeDiT2J F6OgVWHBVGsxVh4Llt7zqhbfGtSqTlr/Pcd7M=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=oDrmgSTxl9t3LRWd66EfJcHsXy985BggZ4+4sztAqcpHcixKPgcWhDbr1M+iFWNeQM EUtAw0XMa/23IPC42+JEz2KorGQ5LR1T1cIL0iRFYo0+vcoydUL+z+Pz1KxweXHitiYk LncQKRqQtK9L3jMpKz7CabisZbYdQMVzDNxpE=
In-reply-to: <6EC4056442A45573BFD2BC51@192.168.1.199>
References: <a8139f990909180929j42333d6ej3df60f34921564df@mail.gmail.com> <85BFAE609A5FD6079FB960C0@192.168.1.199> <a8139f990909240251l56a2c68ctcbcbf9f6b13b3347@mail.gmail.com> <a8139f990909250054n5bb576cbpd9eed5c511f4dac6@mail.gmail.com> <a8139f990910281809u71f2af0dg4624b5cf3e3b941f@mail.gmail.com> <6EC4056442A45573BFD2BC51@192.168.1.199>

On Thu, Oct 29, 2009 at 3:11 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Thursday, October 29, 2009 1:09 AM +0000 FRLinux <frlinux@gmail.com>
> wrote:
>
>
>> So, am I right in the following assumption that syncrepl now only
>> supports TLS instead of plain old SSL ?
>
> No, that assumption is not correct.  There's something blocking your SSL
> usage, but I don't have the details in your email to know why.

Hello Quanah, please find my configuration file and the error with a :
slapd -d 1

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath	/usr/lib/ldap
moduleload	back_bdb
sizelimit 500
tool-threads 1
backend		bdb
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw       {MD5}pass_in_md5_format
password-hash {CRYPT}
password-crypt-salt-format      "$1$%.8s"
TLSCACertificateFile /etc/ldap/cert/cacert.pem
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
syncrepl rid=124 \
provider=ldaps://masterldap.example.com:636 \
type=refreshAndPersist  \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
tls_cacert=/etc/ldap/cert/cacert.pem \
saslmech=GSSAPI \
bindmethod=sasl \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=password


ldaptest:/etc/ldap# slapd -d 1
@(#) $OpenLDAP: slapd 2.4.11 (Oct 11 2008 10:18:55) $
	vorlon@borges:/home/devel/openldap/build-area/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=ldaptest, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>,
<cn=admin,dc=cp,dc=example,dc=com>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges.
>>> dnNormalize: <>
<<< dnNormalize: <>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges.
>>> dnNormalize: <dc=example,dc=com>
<<< dnNormalize: <dc=example,dc=com>
>>> dnNormalize: <cn=ldaprep,dc=example,dc=com>
<<< dnNormalize: <cn=ldaprep,dc=example,dc=com>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $
olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $
olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $
olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $
olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $
olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $
olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse:
( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES (
altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $
aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $
janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $
memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $
macAddress $ bootFile $ nisMapEntry ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES (
altServer $ olcDbConfig $ mail $ dc $ associatedDomain $ email $
aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $
janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $
memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $
macAddress $ bootFile $ nisMapEntry ) )
    2.5.13.35 (certificateMatch):     2.5.13.34
(certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME
'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse:
( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES (
supportedControl $ supportedExtension $ supportedFeatures $
ldapSyntaxes $ supportedApplicationContext ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: (
2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $
olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $
olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $
olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27
NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $
modifyTimestamp ) )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME
'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20
NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $
mobile $ pager ) )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME
'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME
'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME
'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $
gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth
$ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $
olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME
'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcHidden $
olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $
olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex ) )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME
'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $
homePostalAddress ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber )
)
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7
NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6
NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $
olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $
olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin
$ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps
$ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $
olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile
$ olcTLSCACertificatePath $ olcTLSCertificateFile $
olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $
olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $
olcDbCryptFile $ olcDbIndex $ olcDbLockDetect $ knowledgeInformation $
sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $
businessCategory $ postalCode $ postOfficeBox $
physicalDeliveryOfficeName $ destinationIndicator $ givenName $
initials $ generationQualifier $ dnQualifier $ houseIdentifier $
dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber
$ userClass $ host $ documentIdentifier $ documentTitle $
documentVersion $ documentLocation $ personalTitle $ co $
uniqueIdentifier $ organizationalStatus $ buildingName $
documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $
departmentNumber $ displayName $ employeeNumber $ employeeType $
preferredLanguage ) )
    2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4
NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3
NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $
destinationIndicator $ dnQualifier ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $
olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $
olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin
$ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps
$ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $
olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile
$ olcTLSCACertificatePath $ olcTLSCertificateFile $
olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $
olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $
olcDbCryptFile $ olcDbIndex $ olcDbLockDetect $ knowledgeInformation $
sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $
businessCategory $ postalCode $ postOfficeBox $
physicalDeliveryOfficeName $ destinationIndicator $ givenName $
initials $ generationQualifier $ dnQualifier $ houseIdentifier $
dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber
$ userClass $ host $ documentIdentifier $ documentTitle $
documentVersion $ documentLocation $ personalTitle $ co $
uniqueIdentifier $ organizationalStatus $ buildingName $
documentPublisher $ ipServiceProtocol $ nisMapName $ carLicense $
departmentNumber $ displayName $ employeeNumber $ employeeType $
preferredLanguage ) )
    1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1
(distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $
dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $
olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ member $ owner $
roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $
dITRedirect ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedControl $
supportedExtension $ supportedFeatures $ supportedApplicationContext )
)
main: TLS init def ctx failed: 1
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.

Cheers,
Steph

Follow-Ups:
- Re: syncrepl 2.4 issue from 2.3 master
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: cannot allocate 0 byte
Next by Date: Troubleshooting synchronization
Index(es):
- Chronological
- Thread