[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl failure logs/configuring alias deref

Paul B. Henson wrote:
Finally, I ended up having to disable TLS on the replica and temporarily
allow plaintext authentication on the master.

Just adding "packets" to your debug level would have given you readable packet logs, without having to compromise security by disabling TLS.

On reviewing the packet capture, it was immediately obvious that the search
Was failing with a protocol error because derefAliases was set to always. A
quick Google search indicated that other people have had a similar problem,
generally because they changed the global LDAP configuration file.

Indeed, I had switched to NFS home directories with the auto mounter, and
LDAP integration for my deployment required dereferencing aliases by the
auto mount client, so I had set "DEREF always" in /etc/openldap/ldap.conf,
which is being inherited by slapd.

It would be useful if replication failure provided better error messages;
something in the logs indicating that a protocol error had occurred because
of an invalid dereferencing setting would have saved me a lot of time.

If you want suggestions to actually get acted on, submit an ITS.

Also, if alias dereferencing is not valid for a syncrepl query, shouldn't
the server simply override that setting from the global configuration and
do the right thing?


In any case, I find myself stuck: the auto mounter requires alias
dereferencing in order to work; while slapd requires alias dereferencing

There appears to be three ways to define configuration: the global
configuration file, a configuration file in the home directory, or an
environment variable.

Re-read ldap.conf(5). There are other choices as well.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/