[SOLVED] Slave slapd / LDAP: ldap_bind: Invalid credentials (49)

lefty.crupps · 08-29-2011, 02:04 PM

I've set up slapd (2.4.23-7.2) on two Debian 6.0.2 servers.

I've set them to use /etc/ldap/slapd.conf file (not /etc/ldap/slapd.d/ directory)

I've set them both up with the same database, from a dump and import.

They're both listening on "ldap:/// ldapi:/// ldaps:///" successfully.

I've set them up to successfully replicate LDAP entries from the Provider (Master) and the Consumer (Slave) servers.

From any machine in our office (including the slave), I can query the Master successfully:

Code:

shell#  /usr/bin/ldapsearch -x -D "uid=authuser,dc=ourdomain,dc=net" -w 'secret' -H ldaps://master.fqdn.com/
(lots of expected output)

But from any machine (including the slave), doing this same thing fails against the slave (errors further below from this failed attempt):

Code:

shell#  /usr/bin/ldapsearch -x -D "uid=authuser,dc=ourdomain,dc=net" -w 'secret' -H ldaps://slave.fqdn.com/
ldap_bind: Invalid credentials (49)

I don't know what is wrong, the ACLs are identical; here is the slave slapd.conf:

Code:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        128 256 32768
modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      syncprov.la
sizelimit 1000
tool-threads 1

backend         bdb
database        bdb
suffix          "dc=ourdomain,dc=net"
rootdn          "cn=root,dc=ourdomain,dc=net"
rootpw          {SSHA}tLys7G2CCeZ/9H7E2xiGsQzl4VY6cOBm

directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index   objectClass             eq
index   cn                      pres,sub,eq
index   sn                      pres,sub,eq
index   uid                     pres,sub,eq
index   displayName             pres,sub,eq
index   default                 sub
index   uidNumber               eq
index   gidNumber               eq
index   mail,givenName          eq,subinitial
index   dc                      eq


lastmod         on

syncrepl rid=001
  provider=ldap://master.ourdomain.net
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=ourdomain,dc=net"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=root,dc=ourdomain,dc=net"
  credentials=secret2

access to *
 by dn.base="cn=root,dc=ourdomain,dc=net" read
 by * break

access to * filter=(businessCategory=disabled)
 by dn="uid=authuser,dc=ourdomain,dc=net" none
 by dn="uid=authadmin,dc=ourdomain,dc=net" write

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
 by dn="cn=root,dc=ourdomain,dc=net" write
 by dn="uid=authuser,dc=ourdomain,dc=net" write
 by dn="uid=authadmin,dc=ourdomain,dc=net" write
 by anonymous auth
 by self write
 by * none

access to dn.base="" by * read

access to *
 by dn="cn=root,dc=ourdomain,dc=net" write
 by dn="uid=authuser,dc=ourdomain,dc=net" read
 by dn="uid=authadmin,dc=ourdomain,dc=net" write
 by * read



TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem

database config
rootpw          {SSHA}tLys7G2CCeZ/9H7E2xiGsQzl2gfgt

Errors on the Slave from loglevel 128 256 32768

Code:

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 ACCEPT from IP=10.10.10.220:55086 (IP=0.0.0.0:636)

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 ACCEPT from IP=10.10.10.220:55086 (IP=0.0.0.0:636)

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 TLS established tls_ssf=128 ssf=128

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 TLS established tls_ssf=128 ssf=128

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 BIND dn="uid=authuser,dc=ourdomain,dc=net" method=128
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 RESULT tag=97 err=49 text=

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 BIND dn="uid=authuser,dc=ourdomain,dc=net" method=128
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 op=0 RESULT tag=97 err=49 text=

==> /var/log/syslog <==

==> /var/log/debug <==

==> /var/log/syslog <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 closed (connection lost)

==> /var/log/debug <==
Aug 29 13:54:21 ldap-test-slave slapd[28202]: conn=1005 fd=19 closed (connection lost)

lefty.crupps · 08-29-2011, 03:12 PM

I was able to resolve this from help on irc.freenode.net #openldap ; I had comments in my replication lines:

Code:

syncrepl rid=001
  provider=ldap://master.ourdomain.net
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=ourdomain,dc=net"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=root,dc=ourdomain,dc=net"
  credentials=secret2

which I had taken out when I posted here. Apparently, those lines cause that stanza to 'be completed' so the additional info wasn't being used to correctly replicate my data. After taking out those #commented lines, I stopped the slapd server, removed its DB, and restarted the server and it pulled everything in correctly.

This was useful to track down the failure; on the Master it has a password field but on the Slave it did not have a Password:

Code:

shell#  /usr/bin/ldapsearch -x -D "cn=root,dc=ourdomain,dc=net"  -W "(uid=authuser)"

Big thanks to JoBbZ for the assistance on #openldap