[Date Prev][Date Next]
Re: syncrepl failure logs/configuring alias deref
Paul B. Henson wrote:
Finally, I ended up having to disable TLS on the replica and temporarily
allow plaintext authentication on the master.
Just adding "packets" to your debug level would have given you readable packet
logs, without having to compromise security by disabling TLS.
On reviewing the packet capture, it was immediately obvious that the search
Was failing with a protocol error because derefAliases was set to always. A
quick Google search indicated that other people have had a similar problem,
generally because they changed the global LDAP configuration file.
Indeed, I had switched to NFS home directories with the auto mounter, and
LDAP integration for my deployment required dereferencing aliases by the
auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf,
which is being inherited by slapd.
It would be useful if replication failure provided better error messages;
something in the logs indicating that a protocol error had occurred because
of an invalid dereferencing setting would have saved me a lot of time.
If you want suggestions to actually get acted on, submit an ITS.
Also, if alias dereferencing is not valid for a syncrepl query, shouldn't
the server simply override that setting from the global configuration and
do the right thing?
In any case, I find myself stuck: the auto mounter requires alias
dereferencing in order to work; while slapd requires alias dereferencing
There appears to be three ways to define configuration: the global
configuration file, a configuration file in the home directory, or an
Re-read ldap.conf(5). There are other choices as well.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/