[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7198) slapd coredumps when Master server unavailable



Full_Name: Andre Cardinal
Version: 2.4.24
OS: Oracle (Solaris) 10
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (206.47.249.246)


Our Openldap Master server crashed with a hardware memory error and the
slave/replica, which is read only,  coredumped 2 hours later, and would coredump
4 minutes after  restarting slapd thereafter.

Disabling  syncrepl stopped the coredumps. (i.e. commenting out all the lines in
the syncrepl portion of slapd.conf in the replica. See following.

Text in <> is sanitized for obvious reasons.

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/ces.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/openldap-run/slapd.pid
argsfile        /usr/local/var/openldap-run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la
allow bind_v2

loglevel 256 
#loglevel 4095 
#logfile /var/log/ldap.log

# The next three lines allow use of TLS for encrypting connections using a
# test certificate
#TLSCACertificateFile /usr/local/etc/openldap/certs/test_with_ca.pem
#TLSCertificateFile /usr/local/etc/openldap/certs/test_with_ca.pem
#TLSCertificateKeyFile /usr/local/etc/openldap/certs/test_with_ca.pem

#ICM Certs for PROD

TLSCACertificateFile /usr/local/etc/openldap/certs/Slave-ICM.pem
TLSCertificateFile /usr/local/etc/openldap/certs/Slave-ICM.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/Slave-ICM.pem

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#configure timelimits and sizelimits
sizelimit unlimited
timelimit unlimited

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "<suffix>"
rootdn          "<Root DN>"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}<encrypted password>       
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory      /usr/local/var/openldap-data
#directory      /data/openldap
# Indices to maintain
index   objectClass     eq
index   cesSubjectDN    eq,pres
index   cn              eq

#
#Equality Indexing for Replication
#
index   entryCSN,entryUUID eq

syncrepl rid=123
        provider=ldap://<Master Server>
        type=refreshAndPersist
        interval=00:00:00:10
        retry="30 +"
        searchbase="<suffix>"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=<bindDN>"
        credentials=<password>