Re: Multi master replication
Hi Benjamin, I have copied the dit from one system to another using slapcat and slapadd, because of the change in contextCSN. I have not copied the database files. Rgds, Aravind M D Hi Aravind, did you copy over your /var/lib/ldap/* db-files from one node to the other? Just a guess into the blue. More information are neccessary. Bye. On Wed, Apr 28, 2010 at 11:12, Aravind Divakaran aravind.divaka...@yukthi.com wrote: Hi All, I have configured two servers with multi master replication. Below is my configuration for synrepl on both servers. Server One serverID 001 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.100 type=refreshAndPersist retry=5 5 300 + searchbase=dc=example,dc=com attrs=*,+ bindmethod=simple binddn=cn=syncuser,dc=example,dc=com credentials=password mirrormode TRUE Server Two -- serverID 002 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.25 type=refreshAndPersist retry=5 5 300 + searchbase=dc=example,dc=com attrs=*,+ bindmethod=simple binddn=cn=syncuser,dc=example,dc=com credentials=password mirrormode TRUE Today one of user said that he was not able to login. So i checked in the servers in one server i was able to login but on another server i was not able to login with the same password. I have checked the contextCSN on both server they are equal. In the log it is showing this syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com) Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add uid=user,ou=People,dc=example,dc=com (68) Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100422132507.789242Z#00#002#00 Can anyone help me why above message is showing in the log files and why the user is not able to login. Rgds, Aravind M D -- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
_ldap.so: undefined symbol: gnutls_alert_send
Hi. I've got this error with a Zope/Plone site : Traceback (most recent call last): File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 56, in ? run() File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 21, in run starter.prepare() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 102, in prepare self.startZope() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 278, in startZope Zope2.startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py, line 47, in startup _startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py, line 45, in startup OFS.Application.import_products() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 686, in import_products import_product(product_dir, product_name, raise_exc=debug_mode) File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 709, in import_product product=__import__(pname, global_dict, global_dict, silly) File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py, line 22, in ? from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py, line 29, in ? from Products.LDAPUserFolder import manage_addLDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py, line 20, in ? from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py, line 47, in ? from Products.LDAPUserFolder.LDAPDelegate import filter_format File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py, line 19, in ? import ldap File /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py, line 22, in ? from _ldap import * ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send I have install gnutls1.3, recompiled openldap, python-ldap, and so on, but nothing works. Anyone could help me ? Thanks. -- *Jean-Sébastien Mansart *- Développeur Web Email : jean-sebastien.mans...@bayard-service.com mailto:jean-sebastien.mans...@bayard-service.com Tel : 04 79 26 28 29 *Bayard Service Edition * Savoie Technolac - House Boat BP308 - 73377 Le Bourget du Lac Cedex www.bayardserviceweb.com http://www.bayardserviceweb.com
Re: _ldap.so: undefined symbol: gnutls_alert_send
Jean-Sébastien Mansart wrote: Hi. I've got this error with a Zope/Plone site : Nothing in this trace is a part of OpenLDAP software. Nothing in OpenLDAP calls gnutls_alert_send(). Sounds like you need to contact the actual authors of the code you're working with. Traceback (most recent call last): File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 56, in ? run() File /zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py, line 21, in run starter.prepare() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 102, in prepare self.startZope() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py, line 278, in startZope Zope2.startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py, line 47, in startup _startup() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py, line 45, in startup OFS.Application.import_products() File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 686, in import_products import_product(product_dir, product_name, raise_exc=debug_mode) File /home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py, line 709, in import_product product=__import__(pname, global_dict, global_dict, silly) File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py, line 22, in ? from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py, line 29, in ? from Products.LDAPUserFolder import manage_addLDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py, line 20, in ? from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py, line 47, in ? from Products.LDAPUserFolder.LDAPDelegate import filter_format File /home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py, line 19, in ? import ldap File /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py, line 22, in ? from _ldap import * ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send I have install gnutls1.3, recompiled openldap, python-ldap, and so on, but nothing works. Anyone could help me ? Thanks. -- *Jean-Sébastien Mansart *- Développeur Web Email : jean-sebastien.mans...@bayard-service.com mailto:jean-sebastien.mans...@bayard-service.com Tel : 04 79 26 28 29 *Bayard Service Edition * Savoie Technolac - House Boat BP308 - 73377 Le Bourget du Lac Cedex www.bayardserviceweb.com http://www.bayardserviceweb.com -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: _ldap.so: undefined symbol: gnutls_alert_send
Howard Chu wrote: Jean-Sébastien Mansart wrote: I've got this error with a Zope/Plone site : Traceback (most recent call last): [..] undefined symbol: gnutls_alert_send Nothing in this trace is a part of OpenLDAP software. Nothing in OpenLDAP calls gnutls_alert_send(). Sounds like you need to contact the actual authors of the code you're working with. Well, it seems he uses the Debian builds of python-ldap and OpenLDAP which are likely linked against gnu-tls. python-ldap definitely also does not call gnutls_alert_send(). So I guess there's something within GNU-TLS and some library is missing. This might give a hint: ldd /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so But support for this can only be given by the Debian package maintainer(s) or the maintainer of the python-ldap .egg distribution file which is used. This might be linked differently. In both cases they likely lurk on the python-ldap-dev mailing list. You're welcome to repost your question there. Ciao, Michael.
ppolicy master/slave issue
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals
General use:
Slave handles all reads locally.
Writes get forwarded to the master by the slave.
Password policy:
When password failures happen on clients using slave ldap servers, the
failures, etc, get passed to the master to get replicated to the slaves.
I understand this would be done using the ppolicy option:
ppolicy_forward_updates
Authentication:
Actually authenticate (more later).
To the problem:
---
When I leave the section in the chain bit of SLAVE slapd.conf below marked by
lines intact (which bind as root):
* ppolicy_forward_updates seems to work great - the master shows matching
pwdFailureTime attributes.
* Regardless of password entered, you get a shell. User/bad password = get a
shell! This being a problem should be obvious.
I suspect that's due to the chain overlay section...
If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no
authentication)
* ppolicy_forward_updates don't work (no updates to master)
It's possible that from my description some may already know my issue -
however, just to be sure, I've pasted below 'bare' versions of the:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are
NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all
types).
Thanks for any help (and, likely, pointing out any 'stupids' below),
- chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
--
serverID1
loglevel0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile/usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
databasebdb
suffix dc=unix,dc=aptimus,dc=net
rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net
rootpw secret
directory /usr/local/var/openldap-data/aptimus
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
syncrepl rid=2
provider=ldaps://ldapmaster2.corp.aptimus.net
type=refreshAndPersist
interval=00:00:10:00
searchbase=dc=unix,dc=aptimus,dc=net
bindmethod=simple
binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net
credentials=secret
retry=15 20 60 +
mirrormode on
database monitor
SLAVE slapd.conf:
-
serverID13
loglevel0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile/usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.aptimus.net/
chain-rebind-as-userTRUE
v
chain-idassert-bind bindmethod=simple
binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net
credentials=Ten%20two
mode=self
^
chain-tls ldaps
chain-return-error TRUE
databasebdb
suffix dc=unix,dc=aptimus,dc=net
rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net
rootpw secret
directory /usr/local/var/openldap-data/aptimus
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
syncrepl rid=1
provider=ldaps://ldap-vip.corp.aptimus.net
RE: ppolicy master/slave issue
Ignore the passwd in the slave slapd.conf file - consider it 'secret'.
FWIW: that's not the password currently being used either. Still, embarrassing.
- chris
-Original Message-
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On
Behalf Of Chris Jacobs
Sent: Thursday, April 29, 2010 2:55 PM
To: openldap-technical@openldap.org
Subject: ppolicy master/slave issue
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals
General use:
Slave handles all reads locally.
Writes get forwarded to the master by the slave.
Password policy:
When password failures happen on clients using slave ldap servers, the
failures, etc, get passed to the master to get replicated to the slaves.
I understand this would be done using the ppolicy option:
ppolicy_forward_updates
Authentication:
Actually authenticate (more later).
To the problem:
---
When I leave the section in the chain bit of SLAVE slapd.conf below marked by
lines intact (which bind as root):
* ppolicy_forward_updates seems to work great - the master shows matching
pwdFailureTime attributes.
* Regardless of password entered, you get a shell. User/bad password = get a
shell! This being a problem should be obvious.
I suspect that's due to the chain overlay section...
If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no
authentication)
* ppolicy_forward_updates don't work (no updates to master)
It's possible that from my description some may already know my issue -
however, just to be sure, I've pasted below 'bare' versions of the:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are
NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all
types).
Thanks for any help (and, likely, pointing out any 'stupids' below),
- chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
--
serverID1
loglevel0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile/usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
databasebdb
suffix dc=unix,dc=aptimus,dc=net
rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net
rootpw secret
directory /usr/local/var/openldap-data/aptimus
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
syncrepl rid=2
provider=ldaps://ldapmaster2.corp.aptimus.net
type=refreshAndPersist
interval=00:00:10:00
searchbase=dc=unix,dc=aptimus,dc=net
bindmethod=simple
binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net
credentials=secret
retry=15 20 60 +
mirrormode on
database monitor
SLAVE slapd.conf:
-
serverID13
loglevel0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile/usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile/etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.aptimus.net/
chain-rebind-as-userTRUE
v
chain-idassert-bind bindmethod=simple
binddn=uid=root,ou=people,dc=unix,dc=aptimus,dc=net
credentials=Ten%20two
mode=self
^
chain-tls ldaps
chain-return-error TRUE
databasebdb
suffix dc=unix,dc=aptimus,dc=net
rootdn uid=root,ou=people,dc=unix,dc=aptimus,dc=net
rootpw
