On 08/12/2011 07:17 AM, Olivier wrote:
My N-WAY replication works properly with a "bindmethod=simple".
However, I don't like keeping a password in the clear in a configuration file, so I tried this:
On server "ldap-master1.example.fr":
TLSVerifyClient allow
syncrepl rid=101
provider=ldap://ldap-master2.example.fr:389
searchbase="dc=example,dc=fr"
schemachecking=on
type=refreshOnly
interval=00:00:01:00
retry="10 +"
bindmethod=sasl
saslmech=EXTERNAL
starttls=critical
tls_cert=/etc/openldap/cacerts/master1/server.crt
tls_key=/etc/openldap/cacerts/master1/server.key
tls_cacert=/etc/openldap/cacerts/CA.crt
tls_reqcert=demand
On server "ldap-master2.example.fr":
TLSVerifyClient allow
syncrepl rid=201
provider=ldap://ldap-master1.example.fr:389
searchbase="dc=example,dc=fr"
schemachecking=on
type=refreshOnly
interval=00:00:01:00
retry="10 +"
bindmethod=sasl
saslmech=EXTERNAL
starttls=critical
tls_cert=/etc/openldap/cacerts/master2/server.crt
tls_key=/etc/openldap/cacerts/master2/server.key
tls_cacert=/etc/openldap/cacerts/CA.crt
I get a segmentation fault:
ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
[email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
<= bdb_inequality_candidates: (entryCSN) not indexed
slapd starting
slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error, ldap_start_tls failed (-1)
do_syncrepl: rid=101 rc -1 retrying
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND authcid="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" authzid="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
conn=1000 op=1 BIND dn="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
conn=1000 op=2 SRCH attr=* +
conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
Erreur de segmentation
The segfault happened when the second server tried to sync with the first one:
[root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
@(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
[email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
slapd starting
conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1000 fd=12 closed (TLS negotiation failure)
^C
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
Any idea?
Can you get a core file and a stack trace from the server that gets the
seg fault?
I'm assuming from the build that you are running on Fedora 14 or later,
or RHEL6.1. You should make sure the openldap-debuginfo package is
installed (e.g. debuginfo-install openldap) and install abrt. This will
collect the core files in /var/spool/abrt.
NOTE: if I start the daemon on ldap-master2, it's ldap-master2 that
produces the seg fault.
---
Olivier
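Reading the loglevel 256 output quoted in this thread by hand is error-prone, so here is an added example (not code from the thread or from OpenLDAP) that groups slapd connection lines by conn id and flags connections that requested STARTTLS but never reached "TLS established", which is the pattern of the failing sync attempt from ldap-master2. The sample log below is constructed to mirror the two captures above; the DN in it is shortened.

```python
import re

# Constructed sample shaped like slapd -d256 output: conn 1000 completes STARTTLS and a
# SASL EXTERNAL bind, conn 1001 fails the TLS handshake (as on ldap-master2 above).
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
conn=1000 op=0 STARTTLS
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="" method=163
conn=1000 op=1 BIND dn="cn=ldap-master2.example.fr,ou=ldap,o=example" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1000 op=3 UNBIND
conn=1000 fd=12 closed
conn=1001 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
TLS: can't accept: TLS error -5938:Encountered end of file.
conn=1001 fd=12 closed (TLS negotiation failure)
"""

CONN_RE = re.compile(r"^conn=(\d+) (.*)$")


def summarize_connections(log_text):
    """Group loglevel-256 lines by conn id and record, per connection, the peer,
    whether STARTTLS was requested and actually established, which SASL mech
    bound (if any) and the reason slapd gave when it closed the connection."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # "TLS: ..." library messages carry no conn id
        cid, rest = int(m.group(1)), m.group(2)
        c = conns.setdefault(cid, {"peer": None, "starttls": False, "tls": False,
                                   "mech": None, "closed_error": None})
        if "ACCEPT from IP=" in rest:
            c["peer"] = rest.split("ACCEPT from IP=")[1].split()[0]
        elif rest.endswith(" STARTTLS"):
            c["starttls"] = True
        elif "TLS established" in rest:
            c["tls"] = True
        elif " BIND " in rest and " mech=" in rest:
            c["mech"] = rest.split(" mech=")[1].split()[0]
        elif "closed (" in rest:
            c["closed_error"] = rest.split("closed (", 1)[1].rstrip(")")
    return conns


def failed_starttls(conns):
    """Conn ids that requested STARTTLS but never reached 'TLS established'."""
    return sorted(cid for cid, c in conns.items() if c["starttls"] and not c["tls"])
```

A connection listed by failed_starttls never got as far as the SASL EXTERNAL bind, so the certificate and CA setup between the two peers is the place to look before the syncrepl configuration itself.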