Hello. I guess this must be a FAQ, but I tried searching for a whole day and didn't come up with any answer.
I've got two FreeBSD servers running openldap 2.3.32 in a master/slave configuration. I'm using slurpd to keep them in sync: I tried this with the rootdn as the slurp binddn and from a network perspective it works. Now, I obviously don't want to use rootdn for this, so I created a new user and I'm using simple authentication (on an SSL layer).
I get problems with access control, however, that prevent it from working.
What I did:
I created this user:
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: slurpd
uidNumber: 1033
gidNumber: 389
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
loginShell: /sbin/nologin
homeDirectory: /nonexistent
On the slave I edited slapd.conf as follows:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/local/etc/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none

TLSCertificateFile /usr/local/local/etc/openssl/openldap_newcert.pem
TLSCertificateKeyFile /usr/local/local/etc/openssl/openldap_newcertkey.pem
TLSCACertificateFile /usr/local/local/etc/openssl/netfence_ca.pem

database bdb
suffix "dc=xxxxxxxx,dc=xx"
rootdn "cn=root,dc=xxxxxxxx,dc=xx"
rootpw xxxxxxxx
directory /var/db/openldap-data
index objectClass eq
index uid pres,eq
index rid eq
index cn eq

updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
updateref "ldaps://master.xxxxxxxxx.xx"
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
What I get is:
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
ldap_create
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x00517000 ptr=0x00517000 end=0x00517039 len=57
  0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d   07...`2....$uid=
  0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64   slurp,ou=users,d
  0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX   c=xxxxxxxx,dc=xx
  0030: 80 07 XX XX XX XX XX XX XX                        ..xxxxxxx
ber_scanf fmt ({i) ber:
ber_dump: buf=0x00517000 ptr=0x00517005 end=0x00517039 len=52
  0000: 60 32 02 01 03 04 24 75 69 64 3d 73 6c 75 72 70   `2....$uid=slurp
  0010: 2c 6f 75 3d 75 73 65 72 73 2c 64 63 3d XX XX XX   ,ou=users,dc=xxx
  0020: XX XX XX XX XX 2c 64 63 3d XX XX 80 07 XX XX XX   xxxxx,dc=xx..xxx
  0030: XX XX XX XX                                       xxxx
ber_flush: 57 bytes to sd 3
  0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d   07...`2....$uid=
  0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64   slurp,ou=users,d
  0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX   c=xxxxxxxx,dc=xx
  0030: 80 07 XX XX XX XX XX XX XX                        ..xxxxxxx
ldap_write: want=57, written=57
  0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d   07...`2....$uid=
  0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64   slurp,ou=users,d
  0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX   c=xxxxxxx,dc=xx
  0030: 80 07 XX XX XX XX XX XX XX                        ..xxxxxxx
ldap_result ld 0x515400 msgid 1
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
wait4msg ld 0x515400 msgid 1 (infinite timeout)
wait4msg continue ld 0x515400 msgid 1 all 1
** ld 0x515400 Connections:
* host: localhost  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 19 23:10:47 2007
** ld 0x515400 Outstanding Requests:
* msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
** ld 0x515400 Response Queue:
  Empty
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
ldap_int_select
read1msg: ld 0x515400 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000: 30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000: 01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x00514210 ptr=0x00514210 end=0x0051421c len=12
  0000: 02 01 01 61 07 0a 01 31 04 00 04 00                ...a...1....
read1msg: ld 0x515400 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
  0000: 61 07 0a 01 31 04 00 04 00                         a...1....
read1msg: ld 0x515400 0 new referrals
read1msg: mark request completed, ld 0x515400 msgid 1
request done: ld 0x515400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
  0000: 61 07 0a 01 31 04 00 04 00                         a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x00514210 ptr=0x0051421c end=0x0051421c len=0
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
Obviously the same command works if used with rootdn.
What am I doing wrong?
bye & Thanks av.
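Editor's note with an added example; this is not code from the post and the poster never ran it. Two facts about slapd are worth keeping in mind when reading a trace like the one above. First, the trace ends inside the bind exchange (the response carries resultCode 0x31 = 49, invalidCredentials), so no search and no search ACL has been evaluated yet; slapd returns invalidCredentials both for a wrong password and for a bind DN that has no entry at all. Second, a simple bind is authorized while the connection is still anonymous: slapd checks `auth` access on the entry's userPassword attribute for the anonymous identity, and within an `access to` directive the first matching `by` clause wins, with an implicit deny when none matches. The rootdn bypasses access control entirely, which is why a test with rootdn proves nothing about the ACLs. The script below is a small static checker written for this note: it joins slapd.conf continuation lines, collects every DN that `by dn=...` clauses and `updatedn` expect to exist, compares them against the `dn:` lines of an LDIF, and simulates the anonymous `auth` check on userPassword with first-match semantics. The `POSTED_CONF`/`POSTED_LDIF` strings are constructed from the configuration quoted above with secrets dropped; `FIXED_CONF` is a constructed variant (one conventional way to write it, using the documented `attrs=userPassword` / `by anonymous auth` / `dn.exact` forms), not anything from the post. DN styles other than a literal DN (regex, subtree, sets) are deliberately not modelled.

```python
import re

# Access levels in the order slapd ranks them (slapd.access(5)); granting a
# level also grants every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed from the slapd.conf quoted in the post; secrets and TLS paths dropped.
POSTED_CONF = """\
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
database bdb
suffix "dc=xxxxxxxx,dc=xx"
rootdn "cn=root,dc=xxxxxxxx,dc=xx"
updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
"""

# Constructed from the LDIF quoted in the post (only the lines this checker reads).
POSTED_LDIF = """\
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
uid: slurpd
"""

# Constructed variant (assumption, not from the post): the replica identity is
# named consistently, anonymous may use userPassword for authentication only,
# and the replica identity keeps write access so replayed updates can apply.
FIXED_CONF = """\
access to attrs=userPassword
    by anonymous auth
    by dn.exact="uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx" write
    by * none
access to *
    by dn.exact="uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx" write
    by * none
updatedn "uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx"
"""


def normalize_dn(dn):
    """Comparison form: lowercase, no blanks around the RDN separators."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def directives(conf):
    """slapd.conf directives, with continuation lines (leading blanks) joined
    to the directive above them and comment/blank lines removed."""
    out = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def access_rules(conf):
    """[(what, [(who, level), ...]), ...] in file order; dn patterns kept verbatim."""
    rules = []
    for d in directives(conf):
        m = re.match(r"access\s+to\s+(.+?)\s+(by\s+.*)$", d, re.I)
        if m:
            bys = re.findall(r'by\s+(dn(?:\.\w+)?="[^"]*"|\S+)\s+(\S+)', m.group(2), re.I)
            rules.append((m.group(1), [(who, lvl.lower()) for who, lvl in bys]))
    return rules


def ldif_dns(ldif):
    return {normalize_dn(v) for v in re.findall(r"^dn:\s*(.+)$", ldif, re.M)}


def referenced_dns(conf):
    """DNs that 'by dn=' clauses and 'updatedn' expect to exist as entries."""
    text = "\n".join(directives(conf))
    found = re.findall(r'by\s+dn(?:\.\w+)?="([^"]+)"', text, re.I)
    found += re.findall(r'^updatedn\s+"?([^"\n]+?)"?\s*$', text, re.I | re.M)
    return {normalize_dn(d) for d in found}


def missing_dns(conf, ldif):
    """Referenced DNs with no matching entry in the LDIF (sorted list)."""
    return sorted(referenced_dns(conf) - ldif_dns(ldif))


def anonymous_can_auth(conf):
    """First-match simulation of slapd's check for a simple bind: the first
    'access to' whose <what> covers userPassword decides, and inside it the
    first <by> that matches the anonymous identity; no match means denied."""
    for what, bys in access_rules(conf):
        m = re.search(r"attrs?=(\S+)", what, re.I)
        covers = m is None or "userpassword" in m.group(1).lower().split(",")
        if not covers:
            continue
        for who, level in bys:
            if who in ("*", "anonymous"):
                return LEVELS.index(level) >= LEVELS.index("auth")
        return False
    return False  # nothing explicit covers userPassword: flag it for review


def check(conf, ldif):
    return {"missing_dns": missing_dns(conf, ldif),
            "anonymous_can_auth": anonymous_can_auth(conf)}


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, check(conf, POSTED_LDIF))
```

Run against the posted configuration the checker reports the DN `uid=slurp,ou=users,dc=xxxxxxxx,dc=xx` as referenced but absent from the LDIF (the entry shown is `uid=slurpd`), and reports that no `by` clause lets the anonymous identity reach `auth` on userPassword; against the constructed variant both findings clear. The `-d 255` client trace cannot distinguish these cases from a plain wrong password, so a static check of this kind, or the server-side `loglevel acl` output, is the faster route.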