Hi List,
I need to configure a master and slave ldap server with replication. I am running openSUSE10.2 and openldap2-2.3.27-25. Initially I was using slurpd but syncrepl was recommended to me as being more agreeable with my ldap version.
I configured my master and slave according to the instructions from the openldap web site: http://www.openldap.org/doc/admin22/syncrepl.html
Here is the slave slapd.conf:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loglevel 256
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=replica,dc=mydomain,dc=com"
rootpw "{ssha}mypassword"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

#Entries for replication using sync-repl
syncrepl rid=123
        provider=ldap://ldap1.mydomain.com
        type=refreshAndPersist
        #interval=01:00:00:00
        searchbase="dc=mydomain,dc=com"
        filter="(objectClass=organizationalPerson)"
        scope=sub
        attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        updatedn="cn=replica,dc=mydomain,dc=com"
        bindmethod=sasl
        #saslmech=digest-md5
        binddn="cn=Administrator,dc=mydomain,dc=com"
        credentials="{ssha}mypassword"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
And here is my master slapd.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
loglevel 256
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Administrator,dc=mydomain,dc=com"
rootpw "{ssha}mypassword"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

#Entries for replication using sync-repl
sessionlog 999 999
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
OK, as you can see I am using bindmethod=sasl because when I was using bindmethod=simple, I got an error code 49 LDAP_INVALID_CREDENTIALS.
Now as far as I can determine from the log below, the connection is made, so syncrepl is configured correctly, but there is some sort of problem with sasl. It seems that the attribute "supportedSASLMechanisms" is not found on the master. I get the same error if I uncomment the "saslmech=digest-md5" entry.
/var/log/messages on the master:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 fd=13 ACCEPT from IP=192.168.2.246:9243 (IP=0.0.0.0:389)
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 op=0 SRCH attr=supportedSASLMechanisms
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 op=1 UNBIND
Nov 14 18:52:28 ldap1 slapd[18695]: conn=35 fd=13 closed
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
and on the slave:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Nov 14 16:13:47 ldap2 slapd[8305]: @(#) $OpenLDAP: slapd 2.3.27 (Nov 25 2006 17:08:16) $ abuild@eisler:/usr/src/packages/BUILD/openldap-2.3.27/servers/slapd
Nov 14 16:14:07 ldap2 slapd[8305]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 14 16:14:07 ldap2 slapd[8305]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Nov 14 16:14:07 ldap2 slapd[8305]: nss_ldap: could not search LDAP server - Server is unavailable
Nov 14 16:14:07 ldap2 slapd[8312]: slapd starting
Nov 14 16:14:07 ldap2 slapd[8312]: do_syncrep1: ldap_sasl_interactive_bind_s failed (16)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Am I on the right track looking for the errors in sasl, and if so, how do I set the attributes?
Thanks in advance
Lawrence
Lawrence Strydom wrote:
Hi List,
I need to configure a master and slave ldap server with replication. I am running openSUSE10.2 and openldap2-2.3.27-25. Initially I was using slurpd but syncrepl was recommended to me as being more agreeable with my ldap version.
I configured my master and slave according to the instructions from the openldap web site: http://www.openldap.org/doc/admin22/syncrepl.html
You're reading the OpenLDAP 2.2 Admin Guide but you're running OpenLDAP 2.3. You really need to use the documentation that matches the version of software you're using.
The configurations you have here are invalid.
Here is the slave slapd.conf:
And here is my master slapd.conf
Thanks Howard
I updated my config files according to the 2.3 Documentation but I still have the same problem. Slapd starts without error on both the master and the slave but when it runs syncrepl it complains about the sasl interactive bind that fails:
Here is my new master slapd.conf:
++++++++++++++++++++++++++++++++++++++++++
loglevel 256
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

database bdb
suffix "dc=tbiraq,dc=com"
rootdn "cn=Administrator,dc=mydomain,dc=com"
rootpw "{ssha}mypassword"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

#Entries for replication using sync-repl
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
And the slave slapd.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
loglevel 256
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem

database bdb
suffix "dc=tbiraq,dc=com"
rootdn "cn=replica,dc=mydomain,dc=com"
rootpw "{ssha}mypassword"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

#Entries for replication using sync-repl
syncrepl rid=123
        provider=ldap://ldap1.tbiraq.com
        type=refreshAndPersist
        #interval=01:00:00:00
        searchbase="dc=mydomain,dc=com"
        filter="(objectClass=organizationalPerson)"
        scope=sub
        attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        #updatedn="cn=replica,dc=mydomain,dc=com"
        bindmethod=sasl
        #saslmech=digest-md5
        binddn="cn=Administrator,dc=mydomain,dc=com"
        credentials="{ssha}mypassword"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is the /var/log/messages on the master:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 fd=16 ACCEPT from IP=192.168.2.246:14230 (IP=0.0.0.0:389)
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 op=0 SRCH attr=supportedSASLMechanisms
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 op=1 UNBIND
Nov 16 05:56:50 ldap1 slapd[22629]: conn=8 fd=16 closed
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
And /var/log/messages on the slave:
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Nov 15 14:22:29 ldap2 slapd[10667]: slapd starting
Nov 15 14:22:29 ldap2 slapd[10667]: do_syncrep1: ldap_sasl_interactive_bind_s failed (16)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So even with the updated syntax, it seems that my problem has to do with sasl?
Thanks in advance
Lawrence
On 14/11/2007, Howard Chu hyc@symas.com wrote:
Lawrence Strydom wrote:
Hi List,
I need to configure a master and slave ldap server with replication. I am running openSUSE10.2 and openldap2-2.3.27-25. Initially I was using slurpd but syncrepl was recommended to me as being more agreeable with my ldap version.
I configured my master and slave according to the instructions from the openldap web site: http://www.openldap.org/doc/admin22/syncrepl.html
You're reading the OpenLDAP 2.2 Admin Guide but you're running OpenLDAP 2.3. You really need to use the documentation that matches the version of software you're using.
The configurations you have here are invalid.
Here is the slave slapd.conf:
And here is my master slapd.conf
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
"Lawrence Strydom" lawrences@jacquardsystems.net writes:
Thanks Howard
[...]
I updated my config files according to the 2.3 Documentation but I still have the same problem. Slapd starts without error on both the master and the slave but when it runs syncrepl it complains about the sasl interactive bind that fails:
syncrepl rid=123
        provider=ldap://ldap1.tbiraq.com
        type=refreshAndPersist
        #interval=01:00:00:00
        searchbase="dc=mydomain,dc=com"
        filter="(objectClass=organizationalPerson)"
        scope=sub
        attrs="cn,sn,ou,telephoneNumber,title,l"
        schemachecking=off
        #updatedn="cn=replica,dc=mydomain,dc=com"
        bindmethod=sasl
        #saslmech=digest-md5
        binddn="cn=Administrator,dc=mydomain,dc=com"
        credentials="{ssha}mypassword"
man slapd.conf(5)
bindmethod is either simple or sasl; if your choice is sasl, you have to provide a saslmech and authcid or authzid, but not a binddn.
-Dieter
I had this problem in 2.4.6 too. Set 'bindmethod' back to 'simple' and add:
TLSVerifyClient try|allow|never
to your global section.
The default TLSVerifyClient value (seems to have) changed from 'never' to 'demand' in 2.4.6.
Mark
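A small lint, added here as an example and not code from the thread or from OpenLDAP, that encodes Dieter's slapd.conf(5) rule (sasl needs saslmech and authcid/authzid, no binddn; simple needs binddn and credentials) together with Mark's advice to go back to bindmethod=simple, and runs it over Lawrence's slave directive. The "fixed" directive and the treatment of '#' tokens as commented-out lines are my own assumptions; TLSVerifyClient is a global directive rather than a syncrepl option, so it is outside what the lint checks.

```python
import shlex
# Rules from the slapd.conf(5) advice in the thread: simple needs binddn and
# credentials; sasl needs saslmech plus authcid or authzid, and no binddn.
REQUIRED = {"simple": {"binddn", "credentials"}, "sasl": {"saslmech"}}
# The poster's slave directive from the thread, flattened ('#...' tokens were commented-out lines).
THREAD_DIRECTIVE = (
    'syncrepl rid=123 provider=ldap://ldap1.tbiraq.com type=refreshAndPersist '
    '#interval=01:00:00:00 searchbase="dc=mydomain,dc=com" '
    'filter="(objectClass=organizationalPerson)" scope=sub '
    'attrs="cn,sn,ou,telephoneNumber,title,l" schemachecking=off '
    '#updatedn="cn=replica,dc=mydomain,dc=com" bindmethod=sasl '
    '#saslmech=digest-md5 binddn="cn=Administrator,dc=mydomain,dc=com" '
    'credentials="{ssha}mypassword"')
# Constructed fix: simple bind with the cleartext password (other options kept).
FIXED_DIRECTIVE = ('syncrepl rid=123 provider=ldap://ldap1.tbiraq.com '
                   'type=refreshAndPersist searchbase="dc=mydomain,dc=com" '
                   'bindmethod=simple binddn="cn=Administrator,dc=mydomain,dc=com" '
                   'credentials=mypassword')

def parse_syncrepl(text):
    """Split a flattened syncrepl directive into {option: value}.
    Tokens starting with '#' count as commented out (assumption about the mail)."""
    tokens = shlex.split(text)
    if tokens[:1] != ["syncrepl"]:
        raise ValueError("not a syncrepl directive")
    opts = {}
    for tok in tokens[1:]:
        if tok.startswith("#"):
            continue
        key, _, value = tok.partition("=")
        opts[key] = value
    return opts

def lint_bind_options(text):
    """Return the bind-related problems in a directive (empty list means OK)."""
    opts = parse_syncrepl(text)
    method = opts.get("bindmethod")
    if method not in REQUIRED:
        return [f"bindmethod must be simple or sasl, got {method!r}"]
    problems = [f"bindmethod={method} requires {k}"
                for k in sorted(REQUIRED[method] - set(opts))]
    if method == "sasl":
        if not {"authcid", "authzid"} & set(opts):
            problems.append("bindmethod=sasl requires authcid or authzid")
        if "binddn" in opts:
            problems.append("bindmethod=sasl must not set binddn")
    elif opts.get("credentials", "").startswith("{"):
        # credentials is the bind password itself; a {ssha} hash never matches rootpw
        problems.append("credentials must be the cleartext password, not a hash")
    return problems
```

Run against THREAD_DIRECTIVE it reports the three sasl problems Dieter names; against FIXED_DIRECTIVE it reports nothing.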