Hello!
I'm trying to set up replication with syncrepl and saslmech EXTERNAL, and it
won't succeed.
I have been reading a lot, but I really don't see where the problem is now and don't
know how to continue. So I would really appreciate it if somebody could point me
to the probable error.
Please let me know if you need more information.
slapd is 2.3.31
master = erde.aag
slave = mond.aag
both compiled with:
./configure \
'--prefix=/usr/local/ldap' \
'--mandir=/usr/local/ldap/man' \
'--libexecdir=/usr/local/ldap/sbin' \
'--sysconfdir=/etc' \
'--with-configdir=/etc/ldap' \
'--with-subdir=ldap' \
'--enable-spasswd' \
'--enable-modules' \
'--enable-hdb' \
'--enable-overlays' \
'--enable-slurpd' \ (I will take this out once syncrepl works)
'--with-cyrus-sasl' \
'--with-tls'
Here are the relevant parts of slapd.conf:
*****************************************************************
master:
...
overlay syncprov
syncprov-checkpoint 100 600
syncprov-sessionlog 100
...
authz-regexp
    "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv(a)goetheanum.ch"
    "ldap:///dc=aag??one?(cn=repl)"
limits dn.exact="cn=repl,dc=aag" size=unlimited time=unlimited
access to *
by dn.exact="cn=repl,dc=aag" read
by * none break
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand
*****************************************************************
slave:
...
overlay syncprov
syncrepl rid=001
provider=ldap://erde.aag:389
searchbase="dc=aag"
type=refreshOnly
filter="objectClass=*"
attrs="*,+"
schemachecking=off
scope=sub
interval=00:00:01:00
updatedn "cn=repl,dc=aag"
updateref="ldap://erde.aag:389"
bindmethod=sasl
saslmech=EXTERNAL
authz-regexp
    "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv(a)goetheanum.ch"
    "ldap:///dc=aag??one?(cn=repl)"
access to *
by dn="cn=repl,dc=aag" write
by * read break
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
TLSVerifyClient demand
*****************************************************************
syncrepl with bindmethod=simple works fine with the user repl.
*****************************************************************
A manual connection from the slave as a client, with the same certs I will use for
syncrepl, works:
ldapsearch -Y external -ZZ cn=repl -h erde.aag -LLL
SASL/EXTERNAL authentication started
SASL username:
emailAddress=edv(a)goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine
Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
SASL SSF: 0
dn: cn=repl,dc=aag
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: repl
description: LDAP replicator
*****************************************************************
When I start the slave for the first replication with SASL EXTERNAL:
snip...
=>do_syncrepl rid 001
ldap_create
ldap_url_parse_ext(ldap://erde.aag:389)
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP erde.aag:389
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 192.168.100.72:389
ldap_connect_timeout: fd: 13 tm: -1 async: 0
ldap_int_sasl_open: host=192.168.100.72
do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (-6)
And on the master:
daemon: activity on 1 descriptor
daemon: activity on:
>>> slap_listener(ldap:///)daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=21 fd=12 ACCEPT from IP=192.168.100.73:60625 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=21
connection_read(12): checking for input on id=21
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 01 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x082abc08 ptr=0x082abc08 end=0x082abc0d len=5
0000: 02 01 01 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=21, closing.
connection_closing: readying conn=21 sd=12 for close
connection_close: deferring conn=21 sd=12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=21 op=0 UNBIND
connection_resched: attempting closing conn=21 sd=12
connection_close: conn=21 sd=12
daemon: removing 12
conn=21 fd=12 closed ()
Thank you very much,
angela
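Added example (editor's note, not part of the post above and not OpenLDAP code): a small Python decoder for the PDU the master logged. The provider's trace is the most useful clue in the post. conn=21 read exactly seven bytes, 30 05 02 01 01 42 00, and then hit EOF. Decoded as an LDAPMessage (RFC 4511) that is messageID 1 carrying an unbindRequest (tag 0x42): the consumer's first and only PDU on that connection was the unbind. No StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) and no bindRequest ever reached erde.aag, so the authz-regexp and the ACLs on the master were never consulted for this connection. The -6 that do_syncrepl reports is LDAP_AUTH_UNKNOWN in libldap's ldap.h; it comes back on the consumer side when the SASL client cannot start the requested mechanism. EXTERNAL takes its identity from an external security layer, for slapd-as-client the TLS client certificate, and the working ldapsearch test supplies that with -ZZ, while the posted syncrepl directive negotiates no TLS (the syncrepl directive has a starttls=yes|critical option for this). One more thing to compare once a bind does get through: slapd matches authz-regexp against the DN form shown as "SASL username:" in the ldapsearch output, whose RDNs are in the opposite order from the one written in both authz-regexp directives above. The StartTLS and SASL-bind PDUs in the code are constructed here for comparison; the captured bytes are the ones from the ber_dump in the post.

```python
"""Decode the LDAP PDU the provider logged for conn=21.

Added example for this thread; not code from the post and not OpenLDAP
code. It implements just enough BER/LDAPMessage framing (RFC 4511) to
name the operation inside a PDU. CAPTURED is the ber_dump from the post;
the StartTLS and SASL bind PDUs are constructed here for comparison.
"""

# protocolOp tags from RFC 4511 section 4.1.1 ([APPLICATION n])
LDAP_OPS = {
    0x60: "bindRequest",
    0x61: "bindResponse",
    0x42: "unbindRequest",   # [APPLICATION 2] NULL, primitive, empty body
    0x63: "searchRequest",
    0x64: "searchResEntry",
    0x65: "searchResDone",
    0x77: "extendedReq",
    0x78: "extendedResp",
}
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# The seven bytes erde.aag read on conn=21 before EOF (copied from the post).
CAPTURED = bytes.fromhex("30 05 02 01 01 42 00")


def ber_read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def ber_tlv(tag, content):
    """Encode one TLV with a definite (short or long form) length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_ldap_message(pdu):
    """Parse one LDAPMessage and summarise its messageID and protocolOp."""
    tag, body, end = ber_read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    if end != len(pdu):
        raise ValueError("trailing bytes after LDAPMessage")
    t, mid, pos = ber_read_tlv(body)
    if t != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op_body, _ = ber_read_tlv(body, pos)
    info = {"messageID": int.from_bytes(mid, "big", signed=True),
            "op": LDAP_OPS.get(op_tag, "unknown(0x%02x)" % op_tag)}
    if op_tag == 0x60:                     # bindRequest: version, name, auth CHOICE
        _, ver, p = ber_read_tlv(op_body)
        _, name, p = ber_read_tlv(op_body, p)
        auth_tag, auth, _ = ber_read_tlv(op_body, p)
        info["version"] = int.from_bytes(ver, "big")
        info["name"] = name.decode()
        if auth_tag == 0x80:               # simple [0] OCTET STRING
            info["auth"] = "simple"
        elif auth_tag == 0xA3:             # sasl [3] SaslCredentials
            _, mech, _ = ber_read_tlv(auth)
            info["auth"] = "sasl/" + mech.decode()
    elif op_tag == 0x77:                   # extendedReq: requestName [0]
        _, oid, _ = ber_read_tlv(op_body)
        info["requestName"] = oid.decode()
        if info["requestName"] == STARTTLS_OID:
            info["requestName"] += " (StartTLS)"
    return info


def ldap_message(message_id, op):
    """Wrap an encoded protocolOp in an LDAPMessage SEQUENCE."""
    return ber_tlv(0x30, ber_tlv(0x02, message_id.to_bytes(1, "big")) + op)


def starttls_request(message_id=1):
    """Constructed StartTLS extendedReq, what a TLS-using consumer sends first."""
    return ldap_message(message_id,
                        ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID.encode())))


def sasl_external_bind(message_id=2):
    """Constructed bindRequest with SASL mechanism EXTERNAL and an empty name."""
    auth = ber_tlv(0xA3, ber_tlv(0x04, b"EXTERNAL"))
    body = ber_tlv(0x02, b"\x03") + ber_tlv(0x04, b"") + auth
    return ldap_message(message_id, ber_tlv(0x60, body))


if __name__ == "__main__":
    for label, pdu in (("captured on erde.aag", CAPTURED),
                       ("StartTLS (constructed)", starttls_request()),
                       ("SASL EXTERNAL bind (constructed)", sasl_external_bind())):
        print("%-32s %s -> %s" % (label, pdu.hex(), decode_ldap_message(pdu)))
```

Run it and the captured PDU decodes to messageID 1, unbindRequest; a consumer that had negotiated TLS and bound would have produced the other two PDUs on that connection before any unbind.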