Hello!
I'm trying to set up a replication with syncrepl and saslmech EXTERNAL and it won't succeed. I was reading a lot but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error. Please let me know if you need more info.

slapd is 2.3.31
master = erde.aag
slave = mond.aag
both compiled with:
./configure \
  '--prefix=/usr/local/ldap' \
  '--mandir=/usr/local/ldap/man' \
  '--libexecdir=/usr/local/ldap/sbin' \
  '--sysconfdir=/etc' \
  '--with-configdir=/etc/ldap' \
  '--with-subdir=ldap' \
  '--enable-spasswd' \
  '--enable-modules' \
  '--enable-hdb' \
  '--enable-overlays' \
  '--enable-slurpd' \        (- will put this out when syncrepl works)
  '--with-cyrus-sasl' \
  '--with-tls'
Here are the relevant parts of the slapd.conf:
*****************************************************************
master:
...
overlay syncprov
syncprov-checkpoint 100 600
syncprov-sessionlog 100
...
authz-regexp
  "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
  "ldap:///dc=aag??one?(cn=repl)"

limits dn.exact="cn=repl,dc=aag" size=unlimited time=unlimited

access to *
  by dn.exact="cn=repl,dc=aag" read
  by * none break
...
TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient demand
*****************************************************************
slave:
...
overlay syncprov
syncrepl rid=001
  provider=ldap://erde.aag:389
  searchbase="dc=aag"
  type=refreshOnly
  filter="objectClass=*"
  attrs="*,+"
  schemachecking=off
  scope=sub
  interval=00:00:01:00
  updatedn "cn=repl,dc=aag"
  updateref="ldap://erde.aag:389"
  bindmethod=sasl
  saslmech=EXTERNAL

authz-regexp
  "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
  "ldap:///dc=aag??one?(cn=repl)"

access to *
  by dn="cn=repl,dc=aag" write
  by * read break

TLSCACertificateFile /etc/ldap/certs/cacert.pem
TLSCACertificatePath /etc/ldap/certs
TLSCertificateFile /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile /etc/ldap/certs/mond.aag_key.pem
TLSVerifyClient demand
**********
syncrepl with bindmethod simple works fine with user repl.
*****************************************************************
A manual connection from the slave as a client, with the same certs I will use for syncrepl, works:

ldapsearch -Y external -ZZ cn=repl -h erde.aag -LLL
SASL/EXTERNAL authentication started
SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
SASL SSF: 0
dn: cn=repl,dc=aag
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: repl
description: LDAP replicator
*****************************************************************
When I start the slave for the first replication with SASL EXTERNAL:

snip...
=>do_syncrepl rid 001
ldap_create
ldap_url_parse_ext(ldap://erde.aag:389)
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP erde.aag:389
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 192.168.100.72:389
ldap_connect_timeout: fd: 13 tm: -1 async: 0
ldap_int_sasl_open: host=192.168.100.72
do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (-6)
and on the master:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener(ldap:///)
daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=21 fd=12 ACCEPT from IP=192.168.100.73:60625 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=21
connection_read(12): checking for input on id=21
ber_get_next
ldap_read: want=8, got=7
  0000: 30 05 02 01 01 42 00   0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x082abc08 ptr=0x082abc08 end=0x082abc0d len=5
  0000: 02 01 01 42 00   ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=21, closing.
connection_closing: readying conn=21 sd=12 for close
connection_close: deferring conn=21 sd=12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=21 op=0 UNBIND
connection_resched: attempting closing conn=21 sd=12
connection_close: conn=21 sd=12
daemon: removing 12
conn=21 fd=12 closed ()
Thank you very much,
angela
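Added illustration after the post (this is not part of angela's message and not OpenLDAP code): the seven bytes the master logged under "ldap_read: want=8, got=7", 30 05 02 01 01 42 00, are a complete LDAP PDU, and a small BER decoder makes such ber_dump lines readable without a packet capture. The decoder below handles only the outer LDAPMessage envelope from RFC 4511 (messageID plus the protocolOp tag); hex_from_ber_dump, decode_ldap_message and build_starttls_request are names chosen here, and the StartTLS ExtendedRequest encoder is included purely for contrast, so the two PDU shapes can be told apart in a slapd trace.

```python
import re
from typing import Dict, Tuple

# protocolOp tags of LDAPMessage (RFC 4511, section 4.1.1): APPLICATION
# class is 0x40 | number, with 0x20 set for constructed encodings.
PROTOCOL_OPS: Dict[int, str] = {
    0x60: "BindRequest",
    0x61: "BindResponse",
    0x42: "UnbindRequest",
    0x63: "SearchRequest",
    0x64: "SearchResultEntry",
    0x65: "SearchResultDone",
    0x77: "ExtendedRequest",    # StartTLS travels in one of these
    0x78: "ExtendedResponse",
}

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def hex_from_ber_dump(line: str) -> bytes:
    """Recover the bytes from one slapd ber_dump line such as
    '0000: 30 05 02 01 01 42 00 0....B.'.  Assumption: the hex column
    ends at the first token that is not exactly two hex digits (the
    ASCII gutter), which holds for the lines quoted in the post."""
    m = re.match(r"^\s*[0-9a-fA-F]+:\s*(.*)$", line)
    if not m:
        raise ValueError("not a ber_dump line: %r" % line)
    out = bytearray()
    for token in m.group(1).split():
        if not re.fullmatch(r"[0-9a-fA-F]{2}", token):
            break
        out.append(int(token, 16))
    return bytes(out)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos].
    Short-form and long-form definite lengths only (no indefinite form)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated PDU: need %d bytes, have %d" % (length, len(value)))
    return tag, value, pos + length


def decode_ldap_message(pdu: bytes) -> dict:
    """Decode the LDAPMessage envelope: SEQUENCE { messageID INTEGER, protocolOp }."""
    tag, body, end = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE, outer tag 0x%02x" % tag)
    if end != len(pdu):
        raise ValueError("trailing bytes after LDAPMessage")
    id_tag, id_val, pos = read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID is not an INTEGER, tag 0x%02x" % id_tag)
    op_tag, op_val, _ = read_tlv(body, pos)
    return {
        "message_id": int.from_bytes(id_val, "big", signed=True),
        "op_tag": op_tag,
        "op": PROTOCOL_OPS.get(op_tag, "unknown(0x%02x)" % op_tag),
        "op_len": len(op_val),
    }


def build_starttls_request(message_id: int = 1) -> bytes:
    """Encode ExtendedRequest { requestName [0] StartTLS OID } for contrast.
    Short-form lengths suffice because every element is under 128 bytes."""
    req_name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID
    ext_req = bytes([0x77, len(req_name)]) + req_name
    body = bytes([0x02, 0x01, message_id]) + ext_req
    return bytes([0x30, len(body)]) + body


# Constructed from the hex dump line quoted in the master's log above.
CAPTURED_DUMP_LINE = "0000: 30 05 02 01 01 42 00 0....B."
CAPTURED_PDU = hex_from_ber_dump(CAPTURED_DUMP_LINE)

if __name__ == "__main__":
    print(decode_ldap_message(CAPTURED_PDU))
    # {'message_id': 1, 'op_tag': 66, 'op': 'UnbindRequest', 'op_len': 0}
    print(decode_ldap_message(build_starttls_request()))
```

Run as a script, it decodes the captured bytes as messageID 1 carrying an UnbindRequest, which is exactly what the master's "conn=21 op=0 UNBIND" line reports; the second print shows what a StartTLS ExtendedRequest looks like through the same decoder, so a trace that does or does not contain one is easy to recognise.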