Thanks Rich,

> You should make sure the openldap-debuginfo

On track: I rolled back to simple bindmethod at this stage and have created a dedicated proxyuser for replication. Once I can get this package (internal procedures...), I'll check and come back on that issue.

Thanks,

---
Olivier

On Fri, Aug 12, 2011 at 4:14 PM, Rich Megginson <[email protected]> wrote:
> On 08/12/2011 07:17 AM, Olivier wrote:
>>
>> My N-WAY replication works properly with a
>> "bindmethod=simple".
>>
>> However, I don't like keeping a password in clear in
>> a configuration file, then I tried this:
>>
>> On server "ldap-master1.example.fr":
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=101
>> provider=ldap://ldap-master2.example.fr:389
>> searchbase="dc=example,dc=fr"
>> schemachecking=on
>> type=refreshOnly
>> interval=00:00:01:00
>> retry="10 +"
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=critical
>> tls_cert=/etc/openldap/cacerts/master1/server.crt
>> tls_key=/etc/openldap/cacerts/master1/server.key
>> tls_cacert=/etc/openldap/cacerts/CA.crt
>> tls_reqcert=demand
>>
>> On server "ldap-master2.example.fr":
>>
>> TLSVerifyClient allow
>>
>> syncrepl rid=201
>> provider=ldap://ldap-master1.example.fr:389
>> searchbase="dc=example,dc=fr"
>> schemachecking=on
>> type=refreshOnly
>> interval=00:00:01:00
>> retry="10 +"
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=critical
>> tls_cert=/etc/openldap/cacerts/master2/server.crt
>> tls_key=/etc/openldap/cacerts/master2/server.key
>> tls_cacert=/etc/openldap/cacerts/CA.crt
>>
>> I get a segmentation fault:
>>
>> ldap-master1 #$ /usr/sbin/slapd -h ldap:/// -u ldap -d256
>>
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>> [email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to
>> enable
>> <= bdb_inequality_candidates: (entryCSN) not indexed
>> slapd starting
>> slap_client_connect: URI=ldap://ldap-master2.example.fr:389 Error,
>> ldap_start_tls failed (-1)
>> do_syncrepl: rid=101 rc -1 retrying
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.25:47353 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
>> conn=1000 op=1 BIND dn="" method=163
>> conn=1000 op=1 BIND
>>
>> authcid="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>>
>> authzid="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>> conn=1000 op=1 BIND
>>
>> dn="[email protected],cn=ldap-master2.example.fr,ou=ldap,o=example,l=somewhere,st=france,c=fr"
>> mech=EXTERNAL sasl_ssf=0 ssf=256
>> conn=1000 op=1 RESULT tag=97 err=0 text=
>> conn=1000 op=2 SRCH base="dc=example,dc=fr" scope=2 deref=0
>> filter="(objectClass=*)"
>> conn=1000 op=2 SRCH attr=* +
>> conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> conn=1000 op=3 UNBIND
>> conn=1000 fd=12 closed
>> Erreur de segmentation
>>
>> The segfault happened when the second server tried to sync with the first
>> one:
>>
>> [root@ldap-master2 cacerts]# /usr/sbin/slapd -h ldap:/// -u ldap -d256
>> @(#) $OpenLDAP: slapd 2.4.23 (Apr 12 2011 19:26:36) $
>>
>> [email protected]:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>> bdb_monitor_db_open: monitoring disabled; configure monitor database to
>> enable
>> slapd starting
>> conn=1000 fd=12 ACCEPT from IP=10.1.92.24:55208 (IP=0.0.0.0:389)
>> conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>> conn=1000 op=0 STARTTLS
>> conn=1000 op=0 RESULT oid= err=0 text=
>> TLS: error: accept - force handshake failure: errno 2 - moznss error -5938
>> TLS: can't accept: TLS error -5938:Encountered end of file.
>> conn=1000 fd=12 closed (TLS negotiation failure)
>> ^C
>> daemon: shutdown requested and initiated.
>> slapd shutdown: waiting for 0 operations/tasks to finish
>> slapd stopped.
>>
>> Any idea?
>
> Can you get a core file and a stack trace from the server that gets the seg
> fault?
> I'm assuming from the build that you are running on Fedora 14 or later, or
> RHEL6.1. You should make sure the openldap-debuginfo package is installed
> (e.g. debuginfo-install openldap) and install abrt. This will collect the
> core files in /var/spool/abrt
>>
>> NOTE: if I start the daemon on ldap-master2, it's ldap-master2 that
>> produces the seg fault.
>>
>> ---
>> Olivier
>>
>
>
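The two stanzas quoted in this thread differ in exactly one TLS parameter (the ldap-master1 stanza sets tls_reqcert=demand, the ldap-master2 stanza does not), and the poster's reason for trying SASL EXTERNAL was to get a clear-text password out of slapd.conf. A small linter for syncrepl stanzas makes both of those checks mechanical. What follows is an added example written for this page, not code from the thread or from the OpenLDAP project. It parses slapd.conf-style text using the slapd.conf(5) rule that an indented line continues the directive above it, and flags: a credentials= password under bindmethod=simple, a simple bind without starttls=critical (the session falls back to clear text if StartTLS fails), and a SASL EXTERNAL stanza missing tls_cert/tls_key, tls_cacert, tls_reqcert=demand or starttls=critical. The SAMPLE_CONF text, including the rid=301 simple-bind stanza and its placeholder password, is constructed for the example.

```python
"""Lint syncrepl stanzas in slapd.conf-style text for weak replication auth.

Added example for this thread, not OpenLDAP code. Directive names follow
slapd.conf(5); SAMPLE_CONF is constructed from the stanzas quoted above.
"""
import shlex

# Constructed sample: rid=101 as posted (tls_reqcert=demand present),
# rid=201 as posted (tls_reqcert missing), and rid=301, a made-up
# simple-bind stanza with a placeholder clear-text password.
SAMPLE_CONF = """\
TLSVerifyClient allow

syncrepl rid=101
        provider=ldap://ldap-master2.example.fr:389
        searchbase="dc=example,dc=fr"
        type=refreshOnly
        interval=00:00:01:00
        retry="10 +"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master1/server.crt
        tls_key=/etc/openldap/cacerts/master1/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt
        tls_reqcert=demand

syncrepl rid=201
        provider=ldap://ldap-master1.example.fr:389
        searchbase="dc=example,dc=fr"
        bindmethod=sasl
        saslmech=EXTERNAL
        starttls=critical
        tls_cert=/etc/openldap/cacerts/master2/server.crt
        tls_key=/etc/openldap/cacerts/master2/server.key
        tls_cacert=/etc/openldap/cacerts/CA.crt

syncrepl rid=301
        provider=ldap://ldap-master1.example.fr:389
        searchbase="dc=example,dc=fr"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=fr"
        credentials=PLACEHOLDER-PASSWORD
        starttls=yes
"""


def parse_syncrepl(text):
    """Return one {key: value} dict per syncrepl directive.

    slapd.conf continues a directive on lines that start with whitespace,
    so an indented line is appended to the logical line above it.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    stanzas = []
    for line in logical:
        tokens = shlex.split(line)  # honours searchbase="dc=example,dc=fr"
        if not tokens or tokens[0].lower() != "syncrepl":
            continue
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key.lower()] = value
        stanzas.append(params)
    return stanzas


def lint_stanza(p):
    """Return a list of findings for one syncrepl parameter dict."""
    rid = p.get("rid", "?")
    method = p.get("bindmethod", "").lower()
    starttls = p.get("starttls", "").lower()
    findings = []
    if method == "simple":
        if "credentials" in p:
            findings.append(f"rid={rid}: clear-text replication password in credentials=")
        if starttls != "critical":
            findings.append(f"rid={rid}: simple bind without starttls=critical; "
                            "the session continues in clear text if StartTLS fails")
    elif method == "sasl" and p.get("saslmech", "").upper() == "EXTERNAL":
        if "tls_cert" not in p or "tls_key" not in p:
            findings.append(f"rid={rid}: SASL EXTERNAL needs tls_cert and tls_key")
        if "tls_cacert" not in p:
            findings.append(f"rid={rid}: no tls_cacert; provider certificate cannot be verified")
        if p.get("tls_reqcert", "").lower() != "demand":
            findings.append(f"rid={rid}: tls_reqcert is not demand; set it explicitly")
        if starttls != "critical":
            findings.append(f"rid={rid}: certificate-based bind should use starttls=critical")
    return findings


def lint(text):
    """Lint every syncrepl stanza in the given configuration text."""
    findings = []
    for p in parse_syncrepl(text):
        findings.extend(lint_stanza(p))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against SAMPLE_CONF it reports nothing for rid=101, the missing tls_reqcert for rid=201, and two findings for the constructed rid=301 stanza. On a real server the same check runs over /etc/openldap/slapd.conf; cn=config deployments keep the same parameter syntax in olcSyncrepl values, so the tokenizer applies there too once the value is extracted.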
