
Re: Overlay Chain Extended Passmod Problem



> Hi all,
>
> Last week I wrote to the list because I have a problem with overlay chain.
> Today I traced the problem. The configuration and the host are the same.
> OpenLDAP syncrepl runs fine over the weekend. But if I want to change a
> password nothing happens. I can't see any packet with tcpdump from the
> slave to the master. I traced slapd with loglevel=65535. The slave is
> openldap 2.4.21.
>
> # Here the trace with no successful passmod operation:
> -----------------------------------------------------
> conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
> do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
> => bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
> => bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
> bdb_entry_get: rc=0
> => bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
> bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
> bdb_entry_get: rc=0
> ==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
> bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
> )
>
> # Here the trace after I restart slapd with exactly the same config
> # and working passmod operation:
> ------------------------------------------------------------------
> conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
> do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
> => bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
> => hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
> <= hdb_dn2id: got id=0x5
> entry_decode: ""
> <= entry_decode()
> => bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
> bdb_entry_get: rc=0
> => bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
> => bdb_entry_get: oc: "(null)", at: "(null)"
> bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
> => hdb_dn2id("ou=policies,dc=camelot,dc=de")
> <= hdb_dn2id: got id=0x9
> => hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
> <= hdb_dn2id: got id=0xa
> entry_decode: ""
> <= entry_decode()
> => bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
> bdb_entry_get: rc=0
> ==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
> bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
>
> When the passmod operation is successful there are hdb_dn2id entries in
> the trace. When the passmod operation is not successful the entries don't
> exist. What happens, that I must restart the slapd? The configuration is
> the same and all other things work fine. Only the write operations to the
> master hang. If I make a passmod without TLS everything works fine and I
> can change the password after I restarted the slapd on the slave. Then I
> can change the passwords the whole day. Tomorrow I'll have to restart slapd
> on the slave because the passmod operation is not successful.
>
> Any ideas?

You don't clearly state what your configuration is, so I can only guess. 
I presume you're using the ppolicy overlay.  I set up a syncrepl
producer/consumer with slapo-chain on the consumer and slapo-ppolicy on
both servers, and I'm hitting the consumer with passmod requests that are
chained to the producer, using TLS both client to consumer and in
chaining.  It seems to be working just fine; I had no failures after
hundreds of operations.  Would you mind sharing your configuration and an
example passmod, in order to reproduce the issue?  More details, e.g.
about what TLS support you're using, and software versions would be
helpful.

p.
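
For reference, a consumer-side slapd.conf fragment for the kind of setup described in the reply above (syncrepl consumer, slapo-chain with TLS towards the producer, slapo-ppolicy). This is an added example, not the configuration of either poster; all host names, DNs, credentials and file paths are placeholders, and module loading and schema includes are omitted.

```conf
# Consumer (slave) slapd.conf fragment, OpenLDAP 2.4 syntax.
# Every host name, DN, credential and path below is a placeholder.

# TLS material for client-to-consumer connections
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/consumer.pem
TLSCertificateKeyFile  /etc/openldap/certs/consumer.key

# Global chain overlay: placed before any database definition so that
# referrals returned for writes (including passmod) are chased by slapd.
overlay              chain
chain-uri            "ldap://producer.example.com"
# mode="self" asserts the identity of the client that sent the write.
# The producer must allow this bind DN to proxy-authorize
# (authz-policy on the producer, authzTo on the proxy entry).
chain-idassert-bind  bindmethod="simple"
                     binddn="cn=chain-proxy,dc=example,dc=com"
                     credentials="<secret>"
                     mode="self"
# StartTLS on the chained connection; "start" fails the operation if
# TLS cannot be negotiated instead of falling back to cleartext.
chain-tls            start
# Pass the producer's error back to the client rather than a referral.
chain-return-error   TRUE

database   hdb
suffix     "dc=example,dc=com"
directory  /var/lib/ldap

syncrepl   rid=001
           provider=ldap://producer.example.com
           type=refreshAndPersist
           retry="60 +"
           searchbase="dc=example,dc=com"
           bindmethod=simple
           binddn="cn=replicator,dc=example,dc=com"
           credentials="<secret>"
           starttls=critical
           tls_cacert=/etc/openldap/certs/ca.pem
# Writes received by the consumer are referred here, then chained.
updateref  ldap://producer.example.com

# Password policy overlay, configured on both servers in this setup.
overlay          ppolicy
ppolicy_default  "cn=default,ou=policies,dc=example,dc=com"
```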