Re: Multi master replication
Hi Benjamin, I have copied the dit from one system to another using slapcat and slapadd, because of the change in contextCSN. I have not copied the database files. Rgds, Aravind M D Hi Aravind, did you copy over your /var/lib/ldap/* db-files from one node to the other? Just a guess into the blue. More information are neccessary. Bye. On Wed, Apr 28, 2010 at 11:12, Aravind Divakaran aravind.divaka...@yukthi.com wrote: Hi All, I have configured two servers with multi master replication. Below is my configuration for synrepl on both servers. Server One serverID 001 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.100 type=refreshAndPersist retry=5 5 300 + searchbase=dc=example,dc=com attrs=*,+ bindmethod=simple binddn=cn=syncuser,dc=example,dc=com credentials=password mirrormode TRUE Server Two -- serverID 002 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.25 type=refreshAndPersist retry=5 5 300 + searchbase=dc=example,dc=com attrs=*,+ bindmethod=simple binddn=cn=syncuser,dc=example,dc=com credentials=password mirrormode TRUE Today one of user said that he was not able to login. So i checked in the servers in one server i was able to login but on another server i was not able to login with the same password. I have checked the contextCSN on both server they are equal. In the log it is showing this syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com) Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add uid=user,ou=People,dc=example,dc=com (68) Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100422132507.789242Z#00#002#00 Can anyone help me why above message is showing in the log files and why the user is not able to login. Rgds, Aravind M D -- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
_ldap.so: undefined symbol: gnutls_alert_send
Hi. I've got this error with a Zope/Plone site : Traceback (most recent call last): File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 56, in ? run() File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 21, in run starter.prepare() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 102, in prepare self.startZope() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 278, in startZope Zope2.startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py, line 47, in startup _startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py, line 45, in startup OFS.Application.import_products() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 686, in import_products import_product(product_dir, product_name, raise_exc=debug_mode) File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 709, in import_product product=__import__(pname, global_dict, global_dict, silly) File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py, line 22, in ? from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py, line 29, in ? from Products.LDAPUserFolder import manage_addLDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py, line 20, in ? from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py, line 47, in ? from Products.LDAPUserFolder.LDAPDelegate import filter_format File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py, line 19, in ? import ldap File /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py, line 22, in ? from _ldap import * ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send I have install gnutls1.3, recompiled openldap, python-ldap, and so on, but nothing works. Anyone could help me ? Thanks. -- *Jean-Sébastien Mansart *- Développeur Web Email : jean-sebastien.mans...@bayard-service.com mailto:jean-sebastien.mans...@bayard-service.com Tel : 04 79 26 28 29 *Bayard Service Edition * Savoie Technolac - House Boat BP308 - 73377 Le Bourget du Lac Cedex www.bayardserviceweb.com http://www.bayardserviceweb.com
Re: _ldap.so: undefined symbol: gnutls_alert_send
Jean-Sébastien Mansart wrote: Hi. I've got this error with a Zope/Plone site : Nothing in this trace is a part of OpenLDAP software. Nothing in OpenLDAP calls gnutls_alert_send(). Sounds like you need to contact the actual authors of the code you're working with. Traceback (most recent call last): File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 56, in ? run() File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 21, in run starter.prepare() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 102, in prepare self.startZope() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 278, in startZope Zope2.startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py, line 47, in startup _startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py, line 45, in startup OFS.Application.import_products() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 686, in import_products import_product(product_dir, product_name, raise_exc=debug_mode) File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 709, in import_product product=__import__(pname, global_dict, global_dict, silly) File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py, line 22, in ? from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py, line 29, in ? from Products.LDAPUserFolder import manage_addLDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py, line 20, in ? from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py, line 47, in ? from Products.LDAPUserFolder.LDAPDelegate import filter_format File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py, line 19, in ? import ldap File /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py, line 22, in ? from _ldap import * ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send I have install gnutls1.3, recompiled openldap, python-ldap, and so on, but nothing works. Anyone could help me ? Thanks. -- *Jean-Sébastien Mansart *- Développeur Web Email : jean-sebastien.mans...@bayard-service.com mailto:jean-sebastien.mans...@bayard-service.com Tel : 04 79 26 28 29 *Bayard Service Edition * Savoie Technolac - House Boat BP308 - 73377 Le Bourget du Lac Cedex www.bayardserviceweb.com http://www.bayardserviceweb.com -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: _ldap.so: undefined symbol: gnutls_alert_send
Howard Chu wrote: Jean-Sébastien Mansart wrote: I've got this error with a Zope/Plone site : Traceback (most recent call last): [..] undefined symbol: gnutls_alert_send Nothing in this trace is a part of OpenLDAP software. Nothing in OpenLDAP calls gnutls_alert_send(). Sounds like you need to contact the actual authors of the code you're working with. Well, it seems he uses the Debian builds of python-ldap and OpenLDAP which are likely linked against gnu-tls. python-ldap definitely also does not call gnutls_alert_send(). So I guess there's something within GNU-TLS and some library is missing. This might give a hint: ldd /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so But support for this can only be given by the Debian package maintainer(s) or the maintainer of the python-ldap .egg distribution file which is used. This might be linked differently. In both cases they likely lurk on the python-ldap-dev mailing list. You're welcome to repost your question there. Ciao, Michael.
ppolicy master/slave issue
Hello again, I'm having an odd issue with ppolicy and my master/slave config. First, my goals General use: Slave handles all reads locally. Writes get forwarded to the master by the slave. Password policy: When password failures happen on clients using slave ldap servers, the failures, etc, get passed to the master to get replicated to the slaves. I understand this would be done using the ppolicy option: ppolicy_forward_updates Authentication: Actually authenticate (more later). To the problem: --- When I leave the section in the chain bit of SLAVE slapd.conf below marked by lines intact (which bind as root): * ppolicy_forward_updates seems to work great - the master shows matching pwdFailureTime attributes. * Regardless of password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious. I suspect that's due to the chain overlay section... If I comment out the lines in the SLAVE slapd.conf: * authentication actually requires authentication (bad password = no authentication) * ppolicy_forward_updates don't work (no updates to master) It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of the: * a master slapd.conf (sans schema includes) * a slave slapd.conf (sans schema includes) * /etc/ldap.conf (using slave) * /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are NOT the same) * /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types). Thanks for any help (and, likely, pointing out any 'stupids' below), - chris PS: Feel free to critique - you won't hurt my feelings. MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over) -- serverID1 loglevel0 pidfile /usr/local/var/openldap-data/run/slapd.pid argsfile/usr/local/var/openldap-data/run/slapd.args TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile/etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem TLSVerifyClient never password-hash {MD5} sizelimit size.soft=500 size.hard=unlimited timelimit time.soft=3600 time.soft=unlimited databasebdb suffix dc=unix,dc=aptimus,dc=net rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net rootpw secret directory /usr/local/var/openldap-data/aptimus include /etc/openldap/slapd.access.conf index uid,cn,gidNumber,uidNumber,memberUid eq index objectClass pres,eq index operatingSystem pres,eq index host pres,eq index rack eq index entryUUID eq index uniqueMember eq index entryCSN eq index site eq overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 10 syncrepl rid=2 provider=ldaps://ldapmaster2.corp.aptimus.net type=refreshAndPersist interval=00:00:10:00 searchbase=dc=unix,dc=aptimus,dc=net bindmethod=simple binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net credentials=secret retry=15 20 60 + mirrormode on database monitor SLAVE slapd.conf: - serverID13 loglevel0 pidfile /usr/local/var/openldap-data/run/slapd.pid argsfile/usr/local/var/openldap-data/run/slapd.args TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile/etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem TLSVerifyClient never password-hash {MD5} sizelimit size.soft=500 size.hard=unlimited timelimit time.soft=3600 time.soft=unlimited overlay chain chain-uri ldaps://ldap-vip.corp.aptimus.net/ chain-rebind-as-userTRUE v chain-idassert-bind bindmethod=simple binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net credentials=Ten%20two mode=self ^ chain-tls ldaps chain-return-error TRUE databasebdb suffix dc=unix,dc=aptimus,dc=net rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net rootpw secret directory /usr/local/var/openldap-data/aptimus include /etc/openldap/slapd.access.conf index uid,cn,gidNumber,uidNumber,memberUid eq index objectClass pres,eq index operatingSystem pres,eq index host pres,eq index rack eq index entryUUID eq index uniqueMember eq index entryCSN eq index site eq overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout ppolicy_forward_updates syncrepl rid=1 provider=ldaps://ldap-vip.corp.aptimus.net
RE: ppolicy master/slave issue
Ignore the passwd in the slave slapd.conf file - consider it 'secret'. FWIW: that's not the password currently being used either. Still, embarrassing. - chris -Original Message- From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, April 29, 2010 2:55 PM To: openldap-technical@openldap.org Subject: ppolicy master/slave issue Hello again, I'm having an odd issue with ppolicy and my master/slave config. First, my goals General use: Slave handles all reads locally. Writes get forwarded to the master by the slave. Password policy: When password failures happen on clients using slave ldap servers, the failures, etc, get passed to the master to get replicated to the slaves. I understand this would be done using the ppolicy option: ppolicy_forward_updates Authentication: Actually authenticate (more later). To the problem: --- When I leave the section in the chain bit of SLAVE slapd.conf below marked by lines intact (which bind as root): * ppolicy_forward_updates seems to work great - the master shows matching pwdFailureTime attributes. * Regardless of password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious. I suspect that's due to the chain overlay section... If I comment out the lines in the SLAVE slapd.conf: * authentication actually requires authentication (bad password = no authentication) * ppolicy_forward_updates don't work (no updates to master) It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of the: * a master slapd.conf (sans schema includes) * a slave slapd.conf (sans schema includes) * /etc/ldap.conf (using slave) * /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are NOT the same) * /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types). Thanks for any help (and, likely, pointing out any 'stupids' below), - chris PS: Feel free to critique - you won't hurt my feelings. MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over) -- serverID1 loglevel0 pidfile /usr/local/var/openldap-data/run/slapd.pid argsfile/usr/local/var/openldap-data/run/slapd.args TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile/etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem TLSVerifyClient never password-hash {MD5} sizelimit size.soft=500 size.hard=unlimited timelimit time.soft=3600 time.soft=unlimited databasebdb suffix dc=unix,dc=aptimus,dc=net rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net rootpw secret directory /usr/local/var/openldap-data/aptimus include /etc/openldap/slapd.access.conf index uid,cn,gidNumber,uidNumber,memberUid eq index objectClass pres,eq index operatingSystem pres,eq index host pres,eq index rack eq index entryUUID eq index uniqueMember eq index entryCSN eq index site eq overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 10 syncrepl rid=2 provider=ldaps://ldapmaster2.corp.aptimus.net type=refreshAndPersist interval=00:00:10:00 searchbase=dc=unix,dc=aptimus,dc=net bindmethod=simple binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net credentials=secret retry=15 20 60 + mirrormode on database monitor SLAVE slapd.conf: - serverID13 loglevel0 pidfile /usr/local/var/openldap-data/run/slapd.pid argsfile/usr/local/var/openldap-data/run/slapd.args TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile/etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/servercrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem TLSVerifyClient never password-hash {MD5} sizelimit size.soft=500 size.hard=unlimited timelimit time.soft=3600 time.soft=unlimited overlay chain chain-uri ldaps://ldap-vip.corp.aptimus.net/ chain-rebind-as-userTRUE v chain-idassert-bind bindmethod=simple binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net credentials=Ten%20two mode=self ^ chain-tls ldaps chain-return-error TRUE databasebdb suffix dc=unix,dc=aptimus,dc=net rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net rootpw