[Pkg-openldap-devel] Bug#536082: slapd: LDAP setup as Syncrepl refreshandpersist consumer hangs

Tue Jul 7 13:32:17 UTC 2009

Package: slapd
Version: 2.4.11-1
Severity: normal

I have a CentOS server with LDAP 2.3.43-3.el5 setup as provider and a debian
server as consumer. Afer starting the consumer ldap server things work for
about a day and then changes on the provider server are not propagated anymore.
Also, /etc/init.d/slapd stop will not work and the message "slapd shutdown:
waiting for 1 threads to terminate" will show up in the log files.

The configuration on the provider is:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/redhat/autofs.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key

modulepath      /usr/lib64/openldap

disallow bind_anon
disallow bind_simple

sasl-secprops noanonymous,noplain,noactive

sasl-regexp "^uid=([^,]+),cn=GSSAPI,cn=auth" "uid=$1,ou=people,dc=example,dc=com"

sasl-realm      example.com
sasl-host       provider.example.com

access to
    attrs=loginShell
    by dn.regex="uid=.*/admin,cn=example.com,cn=gssapi,cn=auth" write
    by self write
    by * read
    by dn="uid=host/consumer.example.com,cn=example.com,cn=gssapi,cn=auth" read
access to *
    by dn.regex="uid=.*/admin,cn=example.com,cn=gssapi,cn=auth" write
    by * read
    by dn="uid=host/consumer.example.com,cn=example.com,cn=gssapi,cn=auth" read

sizelimit 5000

threads 8

idletimeout 3600

loglevel sync

database        bdb
suffix          "dc=example,dc=com"

cachesize 10000

checkpoint 256 15

directory       /var/lib/ldap

index   objectClass,uid,uidNumber,gidNumber     eq
index   cn,mail,surname,givenname                       eq,subinitial

overlay syncprov
syncprov-checkpoint 1000 60

and on the debian consumer:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/krb5-kdc.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/redhat/autofs.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel 256

moduleload  back_bdb

TLSCACertificateFile /etc/ldap/cacerts/cacert.pem
TLSCertificateFile /etc/ldap/slapd.pem
TLSCertificateKeyFile /etc/ldap/slapd.key

moduleload back_bdb

disallow bind_anon
disallow bind_simple

sasl-secprops noanonymous,noplain,noactive

sasl-regexp "^uid=([^,]+),cn=GSSAPI,cn=auth" "uid=$1,ou=people,dc=example,dc=com"

sasl-realm      example.com
sasl-host       consumer.example.com

access to
    attrs=loginShell
    by self write
    by * read
access to *
    by * read

sizelimit 5000

idletimeout 3600

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"

cachesize 10000

checkpoint      512 30

directory       /var/lib/ldap

index   objectClass,uid,uidNumber,gidNumber     eq
index   cn,mail,surname,givenname                       eq,subinitial

syncrepl rid=001 \
provider=ldaps://provider.example.com:636 \
type=refreshAndPersist \
searchbase="dc=example,dc=com" \
attrs=* \
schemachecking=off \
bindmethod=sasl \
saslmech=GSSAPI \
binddn="uid=host/consumer.example.com,dc=example,dc=com"

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages slapd depends on:
ii  adduser           3.110                  add and remove users and groups
ii  coreutils         6.10-6                 The GNU core utilities
ii  debconf [debconf- 1.5.24                 Debian configuration management sy
ii  libc6             2.7-18                 GNU C Library: Shared libraries
ii  libdb4.2          4.2.52+dfsg-5          Berkeley v4.2 Database Libraries [
ii  libgnutls26       2.4.2-6+lenny1         the GNU TLS library - runtime libr
ii  libldap-2.4-2     2.4.11-1               OpenLDAP libraries
ii  libltdl3          1.5.26-4               A system independent dlopen wrappe
ii  libperl5.10       5.10.0-19              Shared Perl library
ii  libsasl2-2        2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
ii  libslp1           1.2.1-7.5              OpenSLP libraries
ii  libwrap0          7.6.q-16               Wietse Venema's TCP wrappers libra
ii  perl [libmime-bas 5.10.0-19              Larry Wall's Practical Extraction 
ii  psmisc            22.6-1                 Utilities that use the proc filesy
ii  unixodbc          2.2.11-16              ODBC tools libraries

Versions of packages slapd recommends:
ii  libsasl2-modules  2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii  ldap-utils                    2.4.11-1   OpenLDAP utilities

-- debconf information:
  slapd/password_mismatch:
  slapd/tlsciphersuite:
  slapd/invalid_config: true
  shared/organization: example.com
  slapd/upgrade_slapcat_failure:
  slapd/slurpd_obsolete:
  slapd/backend: HDB
  slapd/dump_database: when needed
  slapd/allow_ldap_v2: false
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: example.com