(ITS#7107) cn=config syncrepl fails with "controls require LDAPv3" on bound v3 connection



Full_Name: Brandon Hume
Version: 2.4.28
OS: RHEL EL6.1, kernel 2.6.32-131.12.1.el6.x86_64
URL: http://den.bofh.ca/~hume/ol_v3_fail_syslog.txt
Submission from: (NULL) (2001:410:a010:2:223:aeff:fe74:400e)


OpenLDAP 2.4.28 compiled with BerkeleyDB 5.2.36, attempting to configure for
multi-master replication.  Problems occurred with the second server complaining
about operations errors while attempting to replicate the cn=config tree; I've
been able to reproduce the problem from the command line using ldapsearch from
the same compile.

The host is RHEL 6.1 running inside VMware.  Version of OpenLDAP is 2.4.28,
compiled with BerkeleyDB 5.2.36 (no patches available from Oracle at the time I
downloaded).  Configuration options used are visible in
http://den.bofh.ca/~hume/config_ol_sh.txt

The problem does *not* seem to be consistent, as *sometimes* it will work but
most of the time not.  I've run the example query once, had it fail, run it
again immediately and had it succeed, and then again fail a dozen times in a
row.  Wireshark traces showed the connection was established using LDAPv3;
putting the server in debug "Any" mode also confirms the same.  The syslogs
generated are viewable at http://den.bofh.ca/~hume/ol_v3_fail_syslog.txt

I've compiled 2.4.27 with the same options and it *seemed* to behave, though I
may have merely gotten lucky.

Example ldapsearch invocation:

$ /appl/ldap/bin/ldapsearch -x -D 'cn=config' -h kil-ds-3.its.dal.ca -b cn=config \
    -w bindpass -s sub -E sync=rp -e manageDSAit 'objectclass=*'
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: objectclass=*
# requesting: ALL
# with manageDSAit control
#

# search result
search: 2
result: 2 Protocol error
text: controls require LDAPv3

# numResponses: 1
ldap_result: Can't contact LDAP server (-1)


These servers are not yet in production and I have ~two weeks to play and tweak
to generate more debugging information if you'd find it useful.