This drove me close to insanity, but I got there eventually!

I found an old discussion on the Synology forum http://forum.synology.com/enu/viewtopic.php?f=183&t=55020 and was optimistic it’d be pretty simple. The thread talks about compiling a later version of OpenLDAP from source, but the version included (in DSM5.0) is later than that discussed;

file-20> slapd -VV
@(#) $OpenLDAP: slapd 2.4.34 (Feb 27 2014 03:17:07) $
root@build3:/source/openldap-2.4.x/servers/slapd

I tried configuring my provider and consumer using the example and referring to http://www.openldap.org/doc/admin23/syncrepl.html but wasn’t getting anywhere (after changing slapd.conf I would disable and re-enable the LDAP server through the web ui). I was getting an error “Permission denied. Please contact the server administrator.” and an entry in /var/log/messages;

file-20> tail /var/log/messages
Aug 14 21:51:59 file-20 ldap.cgi: ldap_server_default_add.c:146 add [admin] to [cn=Directory Operators,cn=groups,dc=example,dc=com] failed, ldap_insufficient_access (53)

Oddly the slapd process continues to run but no replication is taking place. I believed the error might be because the admin account is locked in some way and wont allow any modification. I tried adding a filter;

filter="(!cn=admin)"

This prevented the error message popping up and the error in /var/log/messages but still no replication was taking place.

I imagine it would have been a trivial task on a standard Linux distribution but it seems OpenLDAP has been compiled in a manner which does not allow debug;

file-20> slapd -d 1
must compile with LDAP_DEBUG for debugging

So there’s no real feedback as to what is (or isn’t) working.

After blindly fumbling around for hours I decided to try and compile myself so I could debug. This itself was a mammoth chore!

I wanted to stick with the same version currently running on DSM5.0 so started with the source for 2.4.34 from http://www.openldap.org/software/download/OpenLDAP/openldap-release/

In order to cross compile I followed the Synology 3rd-Party Package Developers guide; http://www.synology.com/en-uk/support/third_party_app_int. I had a spare ubuntu machine I could use for compiling… I needed the DSM5.0 toolchain from http://sourceforge.net/projects/dsgpl/files/DSM%205.0%20Tool%20Chains/ as i’m using the DS214 which apparently has a marvell amanda xp processor. And extracted the archive;

tar zxpf gcc464_glibc215_hard_armada-GPL.tgz –C /usr/local/

Then Berkeley DB 5.1.25 from http://pkgs.fedoraproject.org/repo/pkgs/libdb/db-5.1.25.tar.gz/06656429bfc1abb6c0498eaeff70cd04/

tar xvfdb-5.1.25.tar.gz
cd db-5.1.25
cd build_unix
export CC=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-gcc
export LD=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-ld
export RANLIB=/usr/local/arm-marvell-linux-gnueabi/bin/arm-marvell-linux-gnueabi-ranlib
export CFLAGS="-I/usr/local/arm-marvell-linux-gnueabi/arm-marvell-linux-gnueabi/libc/include -mhard-float -mfpu=vfpv3-d16"
export LDFLAGS="-L/usr/local/arm-marvell-linux-gnueabi/arm-marvell-linux-gnueabi/libc/lib"
../dist/configure --host=armle-unknown-linux --target=armle-unknown-linux --build=i686-pc-linux --prefix=/usr/local 

I also had to install;

sudo apt-get install lib32z1

Now I was able to configure OpenLDAP;

export LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.5.1/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.5.1/lib"
export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.5.1/lib
export LD_RUN_PATH=/usr/local/BerkeleyDB.5.1/lib
export CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include"
./configure --host=armle-unknown-linux --target=armle-unknown-linux --build=i686-pc-linux --prefix=/usr/local --with-yielding-select=no --enable-crypt

But when I tried to;

make depend
make

I received an error; cross compile openldap error: undefined reference to `lutil_memcmp’ – http://zhuqy.wordpress.com/2010/04/22/cross-compile-openldap-error-undefined-reference-to-lutil_memcmp/ put me straight- I just had to comment out a line from include/portable.h;

//#define NEED_MEMCMP_REPLACEMENT 1

make was now successful and I moved my newly compiled slapd to the synology diskstation, chown’d & chmod’d it,  and tested debug… we see an instant result;

file-20> chown root:root slapd.me
file-20> chmod 755 slapd.me
file-20> slapd.me -d 1
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc

Now I disabled the directory server in the web ui and instead ran my new version from the commandline with debug 1;

./slapd.me -d 1 -f /usr/syno/etc/openldap/slapd.conf

It failed with an error referring to;

password-hash {CRYPT}

Turns out I had to recompile slapd with –enable-crypt. I copied the newly compiled slapd over, ran again with -d 1 and now I could see it failing with error relating to an invalid filter;

filter="(!cn=admin)"

So I removed this… Try again, now;

ldap_sasl_bind_s failed

I think that sent me in the wrong direction (I thought it was an ssl/tls/authentication issue) and I spent hours messing with certificates, unsupported tls configuration parameters etc but got nowhere. Eventually I determined this error essentially means “can’t connect”. Eventually I tried without ssl and as if by magic everything sprung to life!

Here are the lines I added to the default slapd.conf on the provider;

index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10

And the consumer;

index entryCSN eq
index entryUUID eq

syncrepl rid=20
 provider=ldap://192.168.10.250
 type=refreshAndPersist
 interval=00:00:10:00
 searchbase="dc=example,dc=com"
 bindmethod=simple
 binddn="uid=admin,cn=users,dc=example,dc=com"
 credentials=password
 scope=sub
 retry="60 +"

If you want to download my compiled version of slapd you can find it here; https://www.dropbox.com/s/sfb06uo0leqxqq9/slapd

I hope this will help you!

Advertisements