
Re: syncrepl failure logs/configuring alias deref



Paul B. Henson wrote:
Finally, I ended up having to disable TLS on the replica and temporarily
allow plaintext authentication on the master.

Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.


On reviewing the packet capture, it was immediately obvious that the search
was failing with a protocol error because derefAliases was set to always. A
quick Google search indicated that other people have had a similar problem,
generally because they changed the global LDAP configuration file.

Indeed, I had switched to NFS home directories with the auto mounter, and
LDAP integration for my deployment required dereferencing aliases by the
auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf,
which is being inherited by slapd.

It would be useful if replication failure provided better error messages;
something in the logs indicating that a protocol error had occurred because
of an invalid dereferencing setting would have saved me a lot of time.

If you want suggestions to actually get acted on, submit an ITS.

Also, if alias dereferencing is not valid for a syncrepl query, shouldn't
the server simply override that setting from the global configuration and
do the right thing?

Ditto.

In any case, I find myself stuck: the auto mounter requires alias
dereferencing in order to work; while slapd requires alias dereferencing
disabled.

There appears to be three ways to define configuration: the global
configuration file, a configuration file in the home directory, or an
environment variable.

Re-read ldap.conf(5). There are other choices as well.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
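An added example, not from this thread and not OpenLDAP's own code, of the per-process configuration routes that ldap.conf(5) lists beyond the three the poster named: the system-wide file, the user's ldaprc/.ldaprc and ./ldaprc, the file named by LDAPCONF, the file named by LDAPRC, and LDAP<OPTION> variables, with later sources overriding earlier ones and LDAPNOINIT disabling all of them. The script models that order for DEREF and then runs a constructed scenario: DEREF is removed from the system-wide file (so slapd's syncrepl consumer, which is an ordinary libldap client, stops inheriting it) and carried instead in a file that only the automounter is started with via LDAPCONF. SYSCONF, the file names under the temporary directory, the example.com names and the "never" default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project: a model of the
# lookup order ldap.conf(5) documents for libldap options, applied to DEREF.
# Assumptions: SYSCONF stands in for the compiled-in system file path
# (/etc/openldap/ldap.conf on the poster's system); the value when no source
# sets DEREF is "never"; later sources override earlier ones.

# Print the last value given for option $1 in ldap.conf-style file $2.
# Keywords are matched case-insensitively, '#' lines are comments, and only
# the first token of the value is taken (enough for DEREF).
ldapconf_lookup() {
  _lk_opt=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  [ -r "$2" ] || return 0
  awk -v opt="$_lk_opt" '
    /^[[:space:]]*#/ { next }
    toupper($1) == opt { val = $2 }
    END { if (val != "") print val }' "$2"
}

# Resolve option $1 (default $2, itself defaulting to "never") for the calling
# environment, in the order ldap.conf(5) lists:
#   LDAPNOINIT set -> no defaulting at all, the built-in default is used
#   system file, $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
#   $LDAPCONF, $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, then $LDAP<OPTION>
ldap_resolve() {
  _opt=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  _val=${2:-never}
  if [ -n "${LDAPNOINIT:-}" ]; then
    printf '%s\n' "$_val"
    return 0
  fi
  for _f in "${SYSCONF:-/etc/openldap/ldap.conf}" \
            "$HOME/ldaprc" "$HOME/.ldaprc" ./ldaprc \
            "${LDAPCONF:-}" \
            "${LDAPRC:+$HOME/$LDAPRC}" "${LDAPRC:+$HOME/.$LDAPRC}" \
            "${LDAPRC:+./$LDAPRC}"
  do
    [ -n "$_f" ] || continue
    _v=$(ldapconf_lookup "$_opt" "$_f")
    if [ -n "$_v" ]; then _val=$_v; fi
  done
  eval "_env=\${LDAP$_opt:-}"
  if [ -n "$_env" ]; then _val=$_env; fi
  printf '%s\n' "$_val"
}

# Constructed scenario: DEREF is kept out of the system-wide file, so slapd's
# syncrepl consumer no longer inherits it, and the automounter gets its own
# file through LDAPCONF.  Prints the value each process would resolve:
# "<slapd> <automounter via LDAPCONF> <automounter via LDAPDEREF>".
demo() {
  _tmp=$(mktemp -d)
  cat > "$_tmp/ldap.conf" <<'EOF'
# system-wide defaults (constructed for this example): no DEREF line
BASE        dc=example,dc=com
URI         ldaps://ldap.example.com
TLS_REQCERT demand
EOF
  cat > "$_tmp/automount-ldap.conf" <<'EOF'
# read only by processes started with LDAPCONF pointing at this file
DEREF always
EOF
  # slapd: sees the system-wide file only
  _slapd=$(
    cd "$_tmp" || exit 1
    unset LDAPCONF LDAPRC LDAPDEREF LDAPNOINIT
    SYSCONF=$_tmp/ldap.conf; HOME=$_tmp
    ldap_resolve DEREF
  )
  # automounter: started with LDAPCONF in its environment
  _automount=$(
    cd "$_tmp" || exit 1
    unset LDAPRC LDAPDEREF LDAPNOINIT
    SYSCONF=$_tmp/ldap.conf; HOME=$_tmp
    LDAPCONF=$_tmp/automount-ldap.conf
    ldap_resolve DEREF
  )
  # the variable form wins over every file
  _envform=$(
    cd "$_tmp" || exit 1
    unset LDAPRC LDAPNOINIT
    SYSCONF=$_tmp/ldap.conf; HOME=$_tmp
    LDAPCONF=$_tmp/automount-ldap.conf; LDAPDEREF=searching
    ldap_resolve DEREF
  )
  rm -rf "$_tmp"
  printf '%s %s %s\n' "$_slapd" "$_automount" "$_envform"
}
```

The script only models the documented precedence; libldap does the real parsing, so confirm on the host with the client itself (for example ldapsearch run under the same environment as the daemon in question). Whether the automounter honours LDAPCONF or LDAPDEREF depends on its being a libldap client started with that variable in its environment, which is assumed here. The security-relevant point stands regardless of the route chosen: anything placed in the system-wide ldap.conf reaches every libldap client on the host, slapd's syncrepl consumer included, which is exactly how a client-side DEREF setting ended up breaking replication.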