
Re: syncrepl 2.4 issue from 2.3 master



On Wed, Nov 4, 2009 at 4:15 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> 2.4.11? Seriously?  You can't even replicate 2.3 to 2.4 with that old of a
> release, and if it is Debian/Ubuntu based, there's been all sorts of fixes
> to the GnuTLS support since then.

Well, this is what Debian stable gives me. I usually have OpenLDAP on
FreeBSD but unfortunately, we use Debian also for slave servers. This
is a practical production choice.

Now, moving to testing, I got OpenLDAP 2.4.17 and it does indeed try
to negotiate now, but still fails, thanks for your help:

ldaptest:~# slapd -d 1
@(#) $OpenLDAP: slapd 2.4.17 (Jul 28 2009 11:07:38) $
	@borges:/home/devel/openldap/build-area/openldap-2.4.17/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=ldaptest, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
bdb_db_init: Initializing BDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=cp,dc=example,dc=com>,
<cn=admin,dc=cp,dc=example,dc=com>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 114: rootdn is always granted unlimited privileges.
>>> dnNormalize: <>
<<< dnNormalize: <>
>>> dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
<<< dnNormalize: <cn=admin,dc=cp,dc=example,dc=com>
/etc/ldap/slapd.conf: line 131: rootdn is always granted unlimited privileges.
>>> dnNormalize: <dc=example,dc=com>
<<< dnNormalize: <dc=example,dc=com>
>>> dnNormalize: <cn=ldaprep,dc=example,dc=com>
<<< dnNormalize: <cn=ldaprep,dc=example,dc=com>
syncrepl rid=124 searchbase="dc=example,dc=com": no retry defined, using default
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=example,dc=com"
bdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap).
slapd starting
=>do_syncrepl rid=124
ldap_create
ldap_url_parse_ext(ldaps://ldapmaster.cp.example.com:636)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapmaster.cp.example.com:636
ldap_new_socket: 14
ldap_prepare_socket: 14
ldap_connect_to_host: Trying 2001:770:60:1:214:5eff:fe0a:bec 636
ldap_pvt_connect: fd: 14 tm: -1 async: 0
ldap_int_sasl_open: host=ldapmaster.cp.example.com
slap_client_connect: URI=ldaps://ldapmaster.example.com:636
ldap_sasl_interactive_bind_s failed (-6)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 14
ldap_free_connection: actually freed
do_syncrepl: rid=124 rc -6 retrying
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd shutdown: initiated
====> bdb_cache_release_all
slapd destroy: freeing system resources.
syncinfo_free: rid=124
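
An added example, not part of the original message or of OpenLDAP: a small Python triage script that groups `slapd -d 1` output into one record per syncrepl attempt and names the client-side libldap result code. The function and field names are this example's own, and the sample lines are copied from the log above.

```python
import re

# Client-side (negative) libldap API result codes, as defined in <ldap.h>.
API_ERRORS = {
    -1: "LDAP_SERVER_DOWN", -2: "LDAP_LOCAL_ERROR", -3: "LDAP_ENCODING_ERROR",
    -4: "LDAP_DECODING_ERROR", -5: "LDAP_TIMEOUT", -6: "LDAP_AUTH_UNKNOWN",
    -7: "LDAP_FILTER_ERROR", -8: "LDAP_USER_CANCELLED", -9: "LDAP_PARAM_ERROR",
    -10: "LDAP_NO_MEMORY", -11: "LDAP_CONNECT_ERROR", -12: "LDAP_NOT_SUPPORTED",
}

START = re.compile(r"^=>do_syncrepl rid=(\d+)")
URI = re.compile(r"^ldap_url_parse_ext\((\S+)\)")
MECH = re.compile(r"^ldap_int_sasl_bind: (\S+)")
BIND_FAIL = re.compile(r"^ldap_sasl_interactive_bind_s failed \((-?\d+)\)")
RESULT = re.compile(r"^do_syncrepl: rid=(\d+) rc (-?\d+)")

def syncrepl_attempts(lines):
    """Group slapd -d 1 output into one record per syncrepl attempt."""
    attempts, cur = [], None
    for line in lines:
        line = line.strip()
        if m := START.match(line):
            cur = {"rid": int(m.group(1)), "uri": None, "mech": None,
                   "bind_rc": None, "rc": None, "error": None}
            attempts.append(cur)
        elif cur is None:
            continue  # startup output before the first attempt
        elif m := URI.match(line):
            cur["uri"] = m.group(1)
        elif m := MECH.match(line):
            cur["mech"] = m.group(1)
        elif m := BIND_FAIL.match(line):
            cur["bind_rc"] = int(m.group(1))
        elif (m := RESULT.match(line)) and int(m.group(1)) == cur["rid"]:
            cur["rc"] = int(m.group(2))
            cur["error"] = API_ERRORS.get(cur["rc"], "unmapped (see ldap.h)")
            cur = None  # attempt finished; wait for the next =>do_syncrepl
    return attempts

# Lines copied from the log in this message.
SAMPLE = """\
ldap_url_parse_ext(ldap:///)
=>do_syncrepl rid=124
ldap_url_parse_ext(ldaps://ldapmaster.cp.example.com:636)
ldap_int_sasl_bind: GSSAPI
ldap_sasl_interactive_bind_s failed (-6)
do_syncrepl: rid=124 rc -6 retrying
""".splitlines()
print(syncrepl_attempts(SAMPLE))
```

For the log above it reports rid 124, mechanism GSSAPI and rc -6, which `<ldap.h>` defines as `LDAP_AUTH_UNKNOWN` ("Unknown authentication method").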