I've recently updated both my openldap servers to version 2.4.39 and
everything seems to be working EXCEPT the mirror synchronization, which
was the issue I had previously with 2.4.23.
Running on CentOS 6.5
Setup -
Server1(provider): ldap-east.xxxxx.net
Server2(consumer): ldap-west.xxxxx.net
I'm not using self-signed certs. Instead I have a SAN (Subject Alternative
Name) cert from DigiCert with 4 hostnames:
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
I'm using slapd.conf rather than cn=config.
The details:
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
[email protected]:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination
attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted
unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate
'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
*** I wonder if there is something about SAN certs that ldap has
issues with?
*** Since it is a CA-signed cert in a mirror sync setup, do I need to add
it to the local CA database (using certutil)? (I didn't have to for
non-sync use.)
*** It's unclear what 'not found in the database' refers to - which
database? I've tried adding the cert to the local CA database with
certutil in various permutations, using each of the SAN names as a
different nickname.
*** I've also set up symlinks in /etc/openldap/certs pointing from the
hashes to the certs - but all of these give exactly the same output as above.
From the debug log:
Sep 18 13:39:30 ldap-east slapd[18966]: @(#) $OpenLDAP: slapd 2.4.39
(Sep 16 2014 19:42:16)
$#012#[email protected]:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line
165: warning, destination attributeType 'sAMAccountName' is not defined
in schema
Sep 18 13:39:30 ldap-east slapd[18966]: PROXIED attributeDescription
"SAMACCOUNTNAME" inserted.
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line
215: rootdn is always granted unlimited privileges.
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn=Subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn=subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: matching_rule_use_init
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.804
(integerBitOrMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency
$ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $
olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $
olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion
$ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.803
(integerBitAndMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency
$ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $
olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $
olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion
$ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.2
(caseIgnoreIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer
$ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $
mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox
$ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $
ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile
$ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.1
(caseExactIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer
$ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $
mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox
$ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $
ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile
$ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.39
(certificateListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.38
(certificateListExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.38
NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $
certificateRevocationList $ deltaRevocationList ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.35
(certificateMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.34
(certificateExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.34
NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate )
)
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.30
(objectIdentifierFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.30
NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $
supportedExtension $ supportedFeatures $ ldapSyntaxes $
supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.29
(integerFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.29
NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $
entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.28
(generalizedTimeOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.28
NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $
modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.27
(generalizedTimeMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.27
NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp
$ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.24
(protocolInformationMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.23
(uniqueMemberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.23
NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.22
(presentationAddressMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.20
(telephoneNumberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.20
NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $
mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.18
(octetStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.18
NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ olcDbCryptKey )
)
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.17
(octetStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.17
NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.16 (bitStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.16
NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.15
(integerOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.15
NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $
uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.14 (integerMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.14
NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $
uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.13 (booleanMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.13
NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $
olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $
olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbChecksum $
olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcAccessLogSuccess $
olcRwmNormalizeMapped $ olcRwmDropUnrequested $ olcSpNoPresent $
olcSpReloadHint $ olcDbRebindAsUser $ olcDbChaseReferrals $
olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $
olcDbSessionTrackingRequest $ olcDbNoRefs $ olcDbNoUndefFilter $
olcChainCacheURI $ olcChainReturnError ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.11
(caseIgnoreListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.11
NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $
homePostalAddress ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.9
(numericStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.9 NAME
'numericStringOrderingMatch' APPLIES ( x121Address $
internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.8
(numericStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.7
(caseExactSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.7 NAME
'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber
$ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.6
(caseExactOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName
$ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOffi
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.5 (caseExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.4
(caseIgnoreSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.4 NAME
'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber
$ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.3
(caseIgnoreOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName
$ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOff
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.2 (caseIgnoreMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.36.79672281.1.13.3
(rdnMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.1
(distinguishedNameMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $
dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $
olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $
olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $
manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.0
(objectIdentifierMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension
$ supportedFeatures $ supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]: slapd startup: initiated.
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: line 0:
warning: cannot assess the validity of the ACL scope within backend
naming context
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: No explicit
ACL for back-config configured. Using hardcoded default
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn=module{0}"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=schema"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={0}core"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn={1}cosine"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize:
<cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize:
<cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn={2}inetorgperson"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={3}nis"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={4}sudo"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={-1}frontend"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={0}config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={1}ldap"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={0}rwm"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={2}bdb"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={0}syncprov"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={1}glue"
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: ldap_back_db_open:
URI=ldap://ad1.xxxxx.net
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: database
"dc=xxxxx,dc=net": dbenv_open(/var/lib/ldap).
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_monitor_db_open: monitoring
disabled; configure monitor database to enable
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)",
at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_dn2id("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: <= bdb_dn2id: got id=0x7
Sep 18 13:39:30 ldap-east slapd[18966]: entry_decode: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: <= entry_decode(dc=xxxxx,dc=net)
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: slapd starting
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 4r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 7r
listener=0x7f37cb13f7c0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 8r
listener=0x7f37cb13f8a0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrepl rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)",
at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result not in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access
to "dc=xxxxx,dc=net" "contextCSN" requested
Sep 18 13:39:30 ldap-east slapd[18966]: <= root access granted
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrep2 rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: do_syncrep2: rid=001
LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 13r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
slapd.conf
[root@ldap-east openldap]# cat slapd.conf
# slapd.conf for ldap-east: a local bdb database that both serves syncprov
# (serverID 1) and consumes from ldap-west (rid=001), plus a back-ldap proxy
# to AD.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
# Accepts LDAPv2 binds in addition to LDAPv3.
allow bind_v2
# Server certificate, private key and CA chain, all as PEM files.
# The startup trace above says this .crt "could not be found in the database",
# then that it was "successfully loaded from PEM file", and then reports
# "no unlocked certificate" for its subject - which looks like the matching
# key is not being found/unlocked rather than the cert itself (TODO confirm).
# NOTE(review): no TLSVerifyClient directive appears in this listing, so
# client certificates are not requested; confirm that is intended.
TLSCertificateFile /etc/openldap/certs/ldap_xxxxx_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_xxxxx_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload rwm.la
moduleload syncprov.la
# Anonymous binds are refused. The "by anonymous auth" rule in the password
# ACL below is still needed so that simple binds can check userPassword.
disallow bind_anon
moduleload back_bdb
moduleload back_ldap
backend bdb
# syncprov is already loaded as syncprov.la above; this second moduleload
# looks redundant.
moduleload syncprov
# Proxy database: forwards the AD users subtree to ad1 through back-ldap.
database ldap
suffix "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
# Plain ldap:// and no tls/start-tls directive is visible for this database,
# so the proxy bind below and proxied traffic go over the wire unencrypted
# unless protected some other way.
uri ldap://ad1.xxxxx.net/
rebind-as-user
# Identity used for the proxy bind to AD. The credential sits in cleartext in
# this file (redacted in the post), so the file must stay readable only by the
# slapd user/root.
idassert-bind bindmethod=simple
binddn="cn=username,ou=users,ou=xxxxxx,dc=ad,dc=xxxxx,dc=net"
credentials="xxxxxxxxx"
mode=none
idassert-authzFrom "*"
chase-referrals yes
subordinate
overlay rwm
# Maps uid -> sAMAccountName. slapd warns at startup (slapd.conf line 165) that
# sAMAccountName is not in the loaded schema and inserts it as a proxied
# attributeDescription.
rwm-map attribute uid sAMAccountName
# Local bdb database: the naming context that is mirrored with ldap-west.
database bdb
suffix "dc=xxxxx,dc=net"
checkpoint 1024 15
# rootdn bypasses all ACLs; slapd logs "rootdn is always granted unlimited
# privileges" at startup for this line.
rootdn "cn=Manager,dc=xxxxx,dc=net"
rootpw {SSHA}xxxxxxxxxxx
directory /var/lib/ldap
# First ACL: the sync account gets write on every entry and attribute in this
# database; every other identity falls through ("break") to the rules below.
# NOTE(review): a syncrepl consumer only needs read access on the provider's
# replicated tree; check whether write is actually required for this account.
access to *
by dn.base="cn=TestSync,ou=Roles,dc=xxxxx,dc=net" write
by * break
# Generic ACL section: passwords are never readable; anonymous may only use
# them to authenticate, the owner and the Manager DN may change them.
access to attrs=userPassword,shadowLastChange
by dn="cn=Manager,dc=xxxxx,dc=net" write
by anonymous auth
by self write
by * none
# Specific ACL section to restrict userPassword to be used for
# authentication only - 8-15-14
#access to to dn.children="ou=People,dc=xxxxx,dc=net" write
# attrs=userPassword
# by self write
# by * auth
# by dn.children="ou=Customers,ou=People,dc=xxxxx,dc=net" write
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Equality indexes on entryCSN/entryUUID are the ones recommended for syncprov.
index entryCSN,entryUUID eq
#LDAP Sync - Master
serverID 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#LDAP Sync - Slave
# Consumer side of the mirror: pulls dc=xxxxx,dc=net from ldap-west over
# ldaps://. The trace above shows rid=001 reaching REFRESH_DELETE, so the
# session to the peer appears to get as far as a refresh despite the TLS
# warnings at startup. The bind password is again stored in cleartext here.
syncrepl rid=001
provider=ldaps://ldap-west.xxxxx.net
bindmethod=simple
binddn="cn=TestSync,ou=Roles,dc=xxxxx,dc=net"
credentials=xxxxxxx
searchbase="dc=xxxxx,dc=net"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
# -1 enables every debug category; the syslog excerpt above shows entry DNs,
# attribute names and ACL decisions being logged, so lower this once the sync
# problem is resolved.
loglevel -1