
Try changing your syncrepl mode to refreshOnly.<br><br><div class="gmail_quote">On Tue, Jul 7, 2009 at 7:32 AM, arnout <span dir="ltr">&lt;<a href="mailto:arnout@kuhn.pse.umass.edu">arnout@kuhn.pse.umass.edu</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Package: slapd<br>

Version: 2.4.11-1<br>

Severity: normal<br>

<br>

<br>

I have a CentOS server with LDAP 2.3.43-3.el5 setup as provider and a debian<br>

server as consumer. Afer starting the consumer ldap server things work for<br>

about a day and then changes on the provider server are not propagated anymore.<br>

Also, /etc/init.d/slapd stop will not work and the message &quot;slapd shutdown:<br>

waiting for 1 threads to terminate&quot; will show up in the log files.<br>

<br>

The configuration on the provider is:<br>

<br>

#<br>

# See slapd.conf(5) for details on configuration options.<br>

# This file should NOT be world readable.<br>

#<br>

include         /etc/openldap/schema/core.schema<br>

include         /etc/openldap/schema/cosine.schema<br>

include         /etc/openldap/schema/inetorgperson.schema<br>

include         /etc/openldap/schema/nis.schema<br>

include         /etc/openldap/schema/krb5-kdc.schema<br>

include         /etc/openldap/schema/openldap.schema<br>

include         /etc/openldap/schema/redhat/autofs.schema<br>

<br>

pidfile         /var/run/openldap/slapd.pid<br>

argsfile        /var/run/openldap/slapd.args<br>

<br>

TLSCACertificateFile /etc/openldap/cacerts/cacert.pem<br>

TLSCertificateFile /etc/openldap/slapd.pem<br>

TLSCertificateKeyFile /etc/openldap/slapd.key<br>

<br>

modulepath      /usr/lib64/openldap<br>

<br>

disallow bind_anon<br>

disallow bind_simple<br>

<br>

sasl-secprops noanonymous,noplain,noactive<br>

<br>

sasl-regexp &quot;^uid=([^,]+),cn=GSSAPI,cn=auth&quot; &quot;uid=$1,ou=people,dc=example,dc=com&quot;<br>

<br>

sasl-realm      <a href="http://example.com" target="_blank">example.com</a><br>

sasl-host       <a href="http://provider.example.com" target="_blank">provider.example.com</a><br>

<br>

access to<br>

    attrs=loginShell<br>

    by dn.regex=&quot;uid=.*/admin,cn=<a href="http://example.com" target="_blank">example.com</a>,cn=gssapi,cn=auth&quot; write<br>

    by self write<br>

    by * read<br>

    by dn=&quot;uid=host/<a href="http://consumer.example.com" target="_blank">consumer.example.com</a>,cn=<a href="http://example.com" target="_blank">example.com</a>,cn=gssapi,cn=auth&quot; read<br>

access to *<br>

    by dn.regex=&quot;uid=.*/admin,cn=<a href="http://example.com" target="_blank">example.com</a>,cn=gssapi,cn=auth&quot; write<br>

    by * read<br>

    by dn=&quot;uid=host/<a href="http://consumer.example.com" target="_blank">consumer.example.com</a>,cn=<a href="http://example.com" target="_blank">example.com</a>,cn=gssapi,cn=auth&quot; read<br>

<br>

sizelimit 5000<br>

<br>

threads 8<br>

<br>

idletimeout 3600<br>

<br>

loglevel sync<br>

<br>

database        bdb<br>

suffix          &quot;dc=example,dc=com&quot;<br>

<br>

cachesize 10000<br>

<br>

checkpoint 256 15<br>

<br>

directory       /var/lib/ldap<br>

<br>

index   objectClass,uid,uidNumber,gidNumber     eq<br>

index   cn,mail,surname,givenname                       eq,subinitial<br>

<br>

overlay syncprov<br>

syncprov-checkpoint 1000 60<br>

<br>

and on the debian consumer:<br>

<br>

<br>

#<br>

# See slapd.conf(5) for details on configuration options.<br>

# This file should NOT be world readable.<br>

#<br>

include         /etc/ldap/schema/core.schema<br>

include         /etc/ldap/schema/cosine.schema<br>

include         /etc/ldap/schema/inetorgperson.schema<br>

include         /etc/ldap/schema/nis.schema<br>

include         /etc/ldap/schema/krb5-kdc.schema<br>

include         /etc/ldap/schema/openldap.schema<br>

include         /etc/ldap/schema/redhat/autofs.schema<br>

<br>

pidfile         /var/run/slapd/slapd.pid<br>

<br>

argsfile        /var/run/slapd/slapd.args<br>

<br>

loglevel 256<br>

<br>

moduleload  back_bdb<br>

<br>

TLSCACertificateFile /etc/ldap/cacerts/cacert.pem<br>

TLSCertificateFile /etc/ldap/slapd.pem<br>

TLSCertificateKeyFile /etc/ldap/slapd.key<br>

<br>

moduleload back_bdb<br>

<br>

disallow bind_anon<br>

disallow bind_simple<br>

<br>

sasl-secprops noanonymous,noplain,noactive<br>

<br>

sasl-regexp &quot;^uid=([^,]+),cn=GSSAPI,cn=auth&quot; &quot;uid=$1,ou=people,dc=example,dc=com&quot;<br>

<br>

sasl-realm      <a href="http://example.com" target="_blank">example.com</a><br>

sasl-host       <a href="http://consumer.example.com" target="_blank">consumer.example.com</a><br>

<br>

access to<br>

    attrs=loginShell<br>

    by self write<br>

    by * read<br>

access to *<br>

    by * read<br>

<br>

sizelimit 5000<br>

<br>

idletimeout 3600<br>

<br>

database        bdb<br>

suffix          &quot;dc=example,dc=com&quot;<br>

rootdn          &quot;cn=manager,dc=example,dc=com&quot;<br>

<br>

cachesize 10000<br>

<br>

checkpoint      512 30<br>

<br>

directory       /var/lib/ldap<br>

<br>

index   objectClass,uid,uidNumber,gidNumber     eq<br>

index   cn,mail,surname,givenname                       eq,subinitial<br>

<br>

syncrepl rid=001 \<br>

provider=ldaps://<a href="http://provider.example.com:636" target="_blank">provider.example.com:636</a> \<br>

type=refreshAndPersist \<br>

searchbase=&quot;dc=example,dc=com&quot; \<br>

attrs=* \<br>

schemachecking=off \<br>

bindmethod=sasl \<br>

saslmech=GSSAPI \<br>

binddn=&quot;uid=host/<a href="http://consumer.example.com" target="_blank">consumer.example.com</a>,dc=example,dc=com&quot;<br>

<br>

<br>

-- System Information:<br>

Debian Release: 5.0.2<br>

  APT prefers stable<br>

  APT policy: (500, &#39;stable&#39;)<br>

Architecture: amd64 (x86_64)<br>

<br>

Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)<br>

Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)<br>

Shell: /bin/sh linked to /bin/bash<br>

<br>

Versions of packages slapd depends on:<br>

ii  adduser           3.110                  add and remove users and groups<br>

ii  coreutils         6.10-6                 The GNU core utilities<br>

ii  debconf [debconf- 1.5.24                 Debian configuration management sy<br>

ii  libc6             2.7-18                 GNU C Library: Shared libraries<br>

ii  libdb4.2          4.2.52+dfsg-5          Berkeley v4.2 Database Libraries [<br>

ii  libgnutls26       2.4.2-6+lenny1         the GNU TLS library - runtime libr<br>

ii  libldap-2.4-2     2.4.11-1               OpenLDAP libraries<br>

ii  libltdl3          1.5.26-4               A system independent dlopen wrappe<br>

ii  libperl5.10       5.10.0-19              Shared Perl library<br>

ii  libsasl2-2        2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra<br>

ii  libslp1           1.2.1-7.5              OpenSLP libraries<br>

ii  libwrap0          7.6.q-16               Wietse Venema&#39;s TCP wrappers libra<br>

ii  perl [libmime-bas 5.10.0-19              Larry Wall&#39;s Practical Extraction<br>

ii  psmisc            22.6-1                 Utilities that use the proc filesy<br>

ii  unixodbc          2.2.11-16              ODBC tools libraries<br>

<br>

Versions of packages slapd recommends:<br>

ii  libsasl2-modules  2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat<br>

<br>

Versions of packages slapd suggests:<br>

ii  ldap-utils                    2.4.11-1   OpenLDAP utilities<br>

<br>

-- debconf information:<br>

  slapd/password_mismatch:<br>

  slapd/tlsciphersuite:<br>

  slapd/invalid_config: true<br>

  shared/organization: <a href="http://example.com" target="_blank">example.com</a><br>

  slapd/upgrade_slapcat_failure:<br>

  slapd/slurpd_obsolete:<br>

  slapd/backend: HDB<br>

  slapd/dump_database: when needed<br>

  slapd/allow_ldap_v2: false<br>

  slapd/no_configuration: false<br>

  slapd/move_old_database: true<br>

  slapd/suffix_change: false<br>

  slapd/dump_database_destdir: /var/backups/slapd-VERSION<br>

  slapd/purge_database: false<br>

  slapd/domain: <a href="http://example.com" target="_blank">example.com</a><br>

<br>

<br>

<br>

_______________________________________________<br>

Pkg-openldap-devel mailing list<br>

<a href="mailto:Pkg-openldap-devel@lists.alioth.debian.org">Pkg-openldap-devel@lists.alioth.debian.org</a><br>

<a href="http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel</a><br>

<br>

</blockquote></div><br>