OpenLDAP 2.3.27 syncrepl authentication problem
I have two servers running CentOS 5.2 and openldap-2.3.27-8.el5_2.4
10.99.16.11 is the master/producer, and can be used as an authentication server. Its slapd.conf is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
include /etc/openldap/schema/solaris.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=mydomain,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=mydomain,dc=com" write
    by * read
loglevel -1
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw {SSHA}Iex0F3m24GcxJMup71DpGMlGMgZDta9o
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
10.99.16.7 is the slave/consumer. Its slapd.conf is:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
include /etc/openldap/schema/solaris.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=mydomain,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=mydomain,dc=com" write
    by dn.base="cn=syncuser,dc=mydomain,dc=com" write
    by * read
loglevel -1
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
syncrepl rid=123
    provider=ldap://10.99.16.11:389
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=mydomain,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncuser,dc=mydomain,dc=com"
    credentials=aa11
updateref ldap://10.99.16.11
When I start ldap on .7, I get:
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd starting
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: added 4r
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: added 7r
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: select: listen=7 active_threads=0 tvp=zero
Jul 30 09:30:12 unix-services2 slapd[8391]: =>do_syncrepl
Jul 30 09:30:12 unix-services2 slapd[8391]: do_syncrep1: ldap_sasl_bind_s failed (49)
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: shutdown requested and initiated.
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: closing 7
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd shutdown: waiting for 0 threads to terminate
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd shutdown: initiated
Jul 30 09:30:12 unix-services2 slapd[8391]: ====> bdb_cache_release_all
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd destroy: freeing system resources.
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd stopped.
.11 says:
Jul 30 08:55:18 test1 slapd[4919]: daemon: read active on 13
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13)
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13): got connid=0
Jul 30 08:55:18 test1 slapd[4919]: connection_read(13): checking for input on id=0
Jul 30 08:55:18 test1 slapd[4919]: ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=8 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: do_bind
Jul 30 08:55:18 test1 slapd[4919]: >>> dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: <<< dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>, <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: do_bind: version=3 dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: ==> bdb_bind: dn: cn=syncuser,dc=mydomain,dc=com
Jul 30 08:55:18 test1 slapd[4919]: bdb_dn2entry("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: conn=0 op=0 p=3
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text=""
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_response: msgid=1 tag=97 err=49
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=
However, I can log in to a client that is using .11 as "syncuser" with "aa11" as the password. So this isn't a cut-and-dried authentication failure. Maybe an ACL issue, or ??? But it's got me stumped.
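An added example, not part of the original post, for triaging provider-side bind traces like the one quoted above: it pairs each BIND with its RESULT and reads the bdb_dn2id lines in between (only emitted at loglevel -1) to separate "the binddn does not exist on this server" from "the DN resolved but the password or auth ACL rejected it", both of which the client sees only as err=49. The sample log is constructed: conn=0 mirrors the post's trace, while conn=1 and its uid=syncuser,ou=People DN are a hypothetical contrast case.

```python
import re

# Constructed sample modelled on the provider-side loglevel -1 trace quoted in
# the post. conn=0 is that failing syncrepl bind; conn=1 is a hypothetical
# contrast case where the DN resolves but the bind is still rejected.
SAMPLE_LOG = """\
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text=""
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=
Jul 30 08:56:02 test1 slapd[4919]: conn=1 op=0 BIND dn="uid=syncuser,ou=People,dc=mydomain,dc=com" method=128
Jul 30 08:56:02 test1 slapd[4919]: => bdb_dn2id("uid=syncuser,ou=People,dc=mydomain,dc=com")
Jul 30 08:56:02 test1 slapd[4919]: <= bdb_dn2id: got id=0x0000001f
Jul 30 08:56:02 test1 slapd[4919]: conn=1 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = bindResponse

def explain(rec):
    # Turn the LDAP result code plus the dn2id trace into a cause a defender can act on.
    if rec["err"] == 0:
        return "bind succeeded"
    if rec["err"] != 49:
        return "bind failed with LDAP result %d" % rec["err"]
    if rec["dn2id"] == "notfound":
        return "binddn does not exist on this server (DB_NOTFOUND before err=49); fix the DN, not the password"
    if rec["dn2id"] == "found":
        return "entry exists; the password, or the auth ACL on userPassword, rejected the bind"
    return "invalid credentials; no dn2id trace seen, raise loglevel to tell DN from password"

def triage_binds(log_text):
    """Pair each BIND with its RESULT; untagged bdb_dn2id lines are attributed to the
    most recent BIND (assumes one bind in flight at a time, as in the post's trace)."""
    pending, done, current = {}, [], None
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            current = (m.group(1), m.group(2))
            pending[current] = {"conn": int(m.group(1)), "dn": m.group(3), "dn2id": None}
        elif "bdb_dn2id: get failed: DB_NOTFOUND" in line and current in pending:
            pending[current]["dn2id"] = "notfound"
        elif "bdb_dn2id: got id=" in line and current in pending:
            pending[current]["dn2id"] = "found"
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec["err"] = int(m.group(3))
            rec["cause"] = explain(rec)
            done.append(rec)
    return done
```

Run it over a provider's syslog at loglevel -1 (or the post's own excerpt) and each completed bind comes back with its DN, result code and the cause the dn2id trace supports.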