Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: LDAP / Replication on 5.x -> 6.x Upgrade

  1. #1
    gareth is offline Active Member
    Join Date
    Jul 2006
    Posts
    34
    Rep Power
    8

    Default LDAP / Replication on 5.x -> 6.x Upgrade

    Help!

    After upgrading a working master/slave setup, the slave is now failing to connect to the server with the following messages;

    Code:
    slap_client_connect: URI=ldap://zm.xxxxxxx.com:3890 Error, ldap_start_tls failed (-11) 
    do_syncrepl: rid=100 rc -11 retrying
    Can anyone tell me what's causing this or maybe point me at a method for debugging /finding out what the problem is.

    Things I'm confident of;
    a. machine names / certificates match
    b. port 3890 is open and working
    c. ldap traffic is negotiating the link

    ??

  2. #2
    quanah is online now Zimbra Employee
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,192
    Rep Power
    9

    Default

    It sounds like the replica can't validate the cert beign provided by the master. As the zimbra user on the replica system, can you ldapsearch the master when using startTLS?
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3
    gareth is offline Active Member
    Join Date
    Jul 2006
    Posts
    34
    Rep Power
    8

    Default Re; ldapsearch

    Erm, if you can give me a specific command to run, I can confirm yes / no .. subject to that, if I type;

    ldapsearch -h -p -x

    On the master, it does give me a complete listing.

    On the other hand, the same on the client (using the client's local address/port) gives me an empty listing, even after I populate the client LDAP database by hand ..

    Note however; on the client with LDAP populated bu hand, posix searches (libnss_ldap.conf driven) all work fine .. ls -la /home happily lists user names against each home folder ...

  4. #4
    quanah is online now Zimbra Employee
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,192
    Rep Power
    9

    Default

    On the replica, as the zimbra user, run
    Code:
    zmlocalconfig -s zimbra_ldap_password
    note the value

    Then run:
    Code:
    ldapsearch -ZZ -x -H ldap://zm....master...host..:3890/ -D "uid=zimbra,cn=admins,cn=zimbra" -b "" -s base -W +
    It will then prompt you for the password you got from zmlocalconfig above. If the operation succeeds, then the replica can make a startTLS connection to the master. If it doesn't, it can't, and something is wrong in the cert setup between the master and replica.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5
    gareth is offline Active Member
    Join Date
    Jul 2006
    Posts
    34
    Rep Power
    8

    Default It seems to work?

    But I'm not sure if the results are what one might expect (?) and what it means that it works ... ???

    This is the output it gives;

    # extended LDIF
    #
    # LDAPv3
    # base <> with scope baseObject
    # filter: (objectclass=*)
    # requesting: +
    #

    #
    dn:
    structuralObjectClass: OpenLDAProotDSE
    configContext: cn=config
    monitorContext: cn=Monitor
    namingContexts: cn=accesslog
    namingContexts:
    supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
    supportedControl: 2.16.840.1.113730.3.4.18
    supportedControl: 2.16.840.1.113730.3.4.2
    supportedControl: 1.3.6.1.4.1.4203.1.10.1
    supportedControl: 1.2.840.113556.1.4.319
    supportedControl: 1.2.826.0.1.3344810.2.3
    supportedControl: 1.3.6.1.1.13.2
    supportedControl: 1.3.6.1.1.13.1
    supportedControl: 1.3.6.1.1.12
    supportedExtension: 1.3.6.1.4.1.1466.20037
    supportedExtension: 1.3.6.1.4.1.4203.1.11.1
    supportedExtension: 1.3.6.1.4.1.4203.1.11.3
    supportedExtension: 1.3.6.1.1.8
    supportedFeatures: 1.3.6.1.1.14
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
    supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
    supportedLDAPVersion: 3
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: OTP
    entryDN:
    subschemaSubentry: cn=Subschema
    auditContext: cn=accesslog
    contextCSN: 20091110191651.932455Z#000000#000#000000

    # search result
    search: 3
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

  6. #6
    quanah is online now Zimbra Employee
    Join Date
    May 2007
    Location
    Zimbra
    Posts
    1,192
    Rep Power
    9

    Default

    Hm, since you were using -ZZ on the replica, it'd mean it was able to do a startTLS to the master. Let me see if I can track down what specifically error -11 indicates.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  7. #7
    gareth is offline Active Member
    Join Date
    Jul 2006
    Posts
    34
    Rep Power
    8

    Default Re; Upgrade problems ..

    Many thanks .. at the moment I have to resort to copying data between servers and re-populating the slave from LDIF every time we update the master.

    (had to run the update, we were suffering from a bug whereby calendar entries [potentially 'corrupt'] were screwing the entire system on an hourly basis. 6.x seems to fix this ..)

    Incidentally the POSIX tools were broken on our 5.x and we had to use the SMLPDAP tools to manipulate groups etc .. again this seems fixed on 6.x.
    (once we managed to get the zimlet installed )

  8. #8
    lweeks is offline Partner (VAR/HSP)
    Join Date
    Aug 2008
    Posts
    10
    Rep Power
    6

    Default

    Were/are you using self-signed SSL certificates? We ran into this same issue when upgrading some test VMs using self-signed certs. The issue wound up being that the LDAP servers must share a common certificate authority for TLS to work. Copying the same CA certs/keys to the hosts and regenerating certs solved the issue.

    I've filed a bug asking that this information be added to the release notes, as this surely was not the same behavior in ZCS 5:

    https://bugzilla.zimbra.com/show_bug.cgi?id=45048

    Larry

  9. #9
    gareth is offline Active Member
    Join Date
    Jul 2006
    Posts
    34
    Rep Power
    8

    Default

    Hi, I took this up with quanah offline and between us I think we identified 3 critical bugs, typically associated with upgrading, specifically in the context of LDAP/master/slave setups. I was given some patches and eventually got it working, took many days of time.

    Apparently the fixes would not be in the next release, but would be in the next but one release .. not really been tracking it since then. I've no intention of upgrading that setup again - even now all the logging is broken to the extent the online console says everything is down -even tho' it's working fine.

    I reckon those 'bugs' probably cost me two man weeks of work to circumvent / fix, and the upgrade was required due to another critical bug in the calendaring system that wasn't back-patched.

    Bit of a mess really ...

  10. #10
    lweeks is offline Partner (VAR/HSP)
    Join Date
    Aug 2008
    Posts
    10
    Rep Power
    6

    Default

    Hi,

    It didn't make sense to me that they had to share a CA -- what they really need is knowledge of the CA of the master. slapd looks in /opt/zimbra/conf/ca for that. To make replication work, each replica needs to have the CA for the certificate used by the master in that directory, with a hash linked to it. That resolves the issue.

    Larry

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. LDAP Replication Experiences
    By technikolor in forum Administrators
    Replies: 4
    Last Post: 11-12-2008, 12:52 AM
  2. Replies: 2
    Last Post: 02-11-2008, 01:50 PM
  3. LDAP Replicas 4.5.x > 5.0.x
    By mmorse in forum Announcements
    Replies: 0
    Last Post: 01-28-2008, 04:05 PM
  4. Replies: 2
    Last Post: 01-17-2008, 09:45 PM
  5. Upgrade: 4.5.5 -> 4.5.6 failed, LDAP/slapd issues
    By Daimyo in forum Installation
    Replies: 7
    Last Post: 08-04-2007, 09:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •