Discussion:
Overlay Chain Extended Passmod Problem
Ralf Zimmermann
2010-03-01 12:06:23 UTC
Hi all,

last week I wrote to the list because I have a problem with overlay chain.
Today I traced the problem. The configuration and the host are the same.
OpenLDAP syncrepl runs fine over the weekend. But if I want to change a
password nothing happens. I can't see any packet with tcpdump from the slave to
the master. I traced slapd with loglevel=65535. The slave is openldap 2.4.21.

# Here the trace with no successful passmod operation:
-----------------------------------------------------
conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
)

# Here the trace after I restart slapd with exactly the same config
# and working passmod operation:
------------------------------------------------------------------
conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")

When the passmod operation is successful there are hdb_dn2id entries in the
trace. When the passmod operation is not successful the entries don't
exist. What happens, that I must restart the slapd? The configuration is the
same and all other things work fine. Only the write operations to the master
hang. If I make a passmod without TLS everything works fine and I can change
the password after I restarted the slapd on the slave. Then I can change the
passwords the whole day. Tomorrow I'll have to restart slapd on the slave because
the passmod operation is not successful.

Any ideas?

regards
Ralf Zimmermann

--

.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen

Tel.: +49 271 68193 13
Fax.: +49 271 68193 29

Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
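
The trace comparison described in the post above, as an added example that is not part of the original thread: it pulls the function names out of two slapd debug traces and reports the calls that occur in the working run but not in the failing one. The embedded traces are excerpts (first entry lookup only) of the two traces posted above; the helper names `calls` and `missing_calls` are illustrative.

```python
import re
from collections import Counter

# Excerpts of the two traces from the post (first entry lookup only).
FAILING = '''\
conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
'''
WORKING = '''\
conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
'''

# Optional "=>" / "==>" / "<=" marker, then a function name ending in ":" or "(".
_CALL = re.compile(r'^(?:=+>|<=+)?\s*([A-Za-z_]\w*)\s*[:(]')

def calls(trace):
    """Count how often each function name appears in a slapd debug trace."""
    names = Counter()
    for line in trace.splitlines():
        m = _CALL.match(line.strip())
        if m:  # "conn=... op=..." summary lines do not match and are skipped
            names[m.group(1)] += 1
    return names

def missing_calls(failing, working):
    """Function names logged more often in the working trace than the failing one."""
    return dict(calls(working) - calls(failing))

if __name__ == "__main__":
    print(missing_calls(FAILING, WORKING))
```

On these excerpts the difference is not only `hdb_dn2id`: the `entry_decode` lines are also absent from the failing trace.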
m***@aero.polimi.it
2010-04-10 05:45:28 UTC
Post by Ralf Zimmermann
Hi all,
last week I wrote to the list because I have a problem with overlay chain.
Today I traced the problem. The configuration and the host are the same.
OpenLDAP syncrepl runs fine over the weekend. But if I want to change a
password nothing happens. I can't see any packet with tcpdump from the slave to
the master. I traced slapd with loglevel=65535. The slave is openldap 2.4.21.
-----------------------------------------------------
conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
)
# Here the trace after I restart slapd with exactly the same config
------------------------------------------------------------------
conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
When the passmod operation is successful there are hdb_dn2id entries in the
trace. When the passmod operation is not successful the entries don't
exist. What happens, that I must restart the slapd? The configuration is the
same and all other things work fine. Only the write operations to the master
hang. If I make a passmod without TLS everything works fine and I can change
the password after I restarted the slapd on the slave. Then I can change the
passwords the whole day. Tomorrow I'll have to restart slapd on the slave because
the passmod operation is not successful.
Any ideas?

You don't clearly state what your configuration is, so I can only guess.
I presume you're using the ppolicy overlay. I set up a syncrepl
producer/consumer with slapo-chain on the consumer and slapo-ppolicy on
both servers, and I'm hitting the consumer with passmod requests that are
chained to the producer, using TLS both client to consumer and in
chaining. It seems to be working just fine, I had no failures after
hundreds of operations. Would you mind sharing your configuration and an
example passmod, in order to reproduce the issue? More details, e.g.
about what TLS support you're using, and software versions would be
helpful.

p.
Ralf Zimmermann
2010-04-13 09:05:23 UTC