Hello all.
I see a dumb problem trying to implement LDAP Sync Replication in a group of Debian servers. Everything works fine except userPassword, sambaLMPassword and sambaNTPassowrd attributes; the replicas (two of two) just don't have those attributes in any downloaded entries.
Yes, I have checked the access rights: syncrepl binddn has "read" rights for passwords, and "ldapsearch -H ldap://master..." with RDN and credentials used in replicas shows everything including all three password hashes.
Slave logs show nothing useful. "loglevel Args" at slave mentions all attributes except those "*Password" upon master entry modification.
OpenLDAP version is 2.3.30-5+etch2, the current in Debian Etch. A proposal to upgrade to 2.4 will not be accepted unless I'll know about *exact* change in 2.4 fixing this [mis]behavior; just because the master is a production server.
Alexey
On Mon, 15 Dec 2008, Alexey Lobanov wrote:
group of Debian servers. Everything works fine except userPassword, sambaLMPassword and sambaNTPassowrd attributes; the replicas (two of two) just don't have those attributes in any downloaded entries.
Are sambaLMPassword/sambaNTPassword visible on the slave cn=Subschema? (slapd -d config perhaps, too.)
Hello.
15.12.2008 18:26, Aaron Richton пишет:
On Mon, 15 Dec 2008, Alexey Lobanov wrote:
group of Debian servers. Everything works fine except userPassword, sambaLMPassword and sambaNTPassowrd attributes; the replicas (two of two) just don't have those attributes in any downloaded entries.
Are sambaLMPassword/sambaNTPassword visible on the slave cn=Subschema? (slapd -d config perhaps, too.)
The master and slave schemas are absolutely identical. Just rsynced. And the attributes are present in schema, because I can add them manually with an editor like Luma.
root@mail:/etc/ldap/schema# slapd -d config ..... reading config file /etc/ldap/schema/samba.schema ........ line 185 (attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ))
line 190 (attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ))
However, I am really surprised now. There is no "NAME 'userPassword'" definition in schema files, neither in master nor in slaves. More exactly, the definition in generic core.schema is commented out:
# system schema #attributetype ( 2.5.4.35 NAME 'userPassword' # DESC 'RFC2256/2307: password of user' # EQUALITY octetStringMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
It looks like that this attribute definition is hardcoded in slapd. Correct?
Alexey
--On Monday, December 15, 2008 7:01 PM +0300 Alexey Lobanov A.Lobanov@gctrials.com wrote:
# system schema # attributetype ( 2.5.4.35 NAME 'userPassword' # DESC 'RFC2256/2307: password of user' # EQUALITY octetStringMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
It looks like that this attribute definition is hardcoded in slapd. Correct?
Correct.
And we can all try to guess and guess what's wrong. What would really help, is to know your configurations on the master & replica. Likely either an ACL or limit is blocking things on the master, or your syncrepl config on your replica is incorrect.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Hello.
15.12.2008 20:21, Quanah Gibson-Mount пишет:
And we can all try to guess and guess what's wrong. What would really help, is to know your configurations on the master & replica. Likely either an ACL or limit is blocking things on the master,
No it does not. The test was to connect master from slave machine using ldapsearch and *same* (copy'n'paste) credentials. The password hashes were displayed properly in ldapsearch output, and I wrote about it in my very first message. Is this test comprehensive or not?
Search limits are not set in master.
or your syncrepl config on your replica is incorrect.
The syncrepl config is trivial: no filters.
================== syncrepl rid=123 provider=ldap://ldap.office.rct-int type=refreshAndPersist interval=00:00:10:00 searchbase="dc=office,dc=rct-int" scope=sub schemachecking=on bindmethod=simple binddn="uid=syncuser,ou=People,dc=office,dc=rct-int" credentials="****" ====================
All (really all!) entries are replicated properly but none of them contains any userPassword, sambaLMPassword or sambaNTPassword attribute. It had been checked both via LDAP browser with rootdn binding and via slapcat output.
Actually, I hoped that someone in this list knows the nature of this problem already. In my understanding, it can be related either with hashed (vs. plaintext) attributes processing in syncrepl or with undocumented requirements to access rights (i.e., syncrepl binddn must have "write" rights instead of "read").
-- Alexey
--On Monday, December 15, 2008 8:56 PM +0300 Alexey Lobanov A.Lobanov@gctrials.com wrote:
All (really all!) entries are replicated properly but none of them contains any userPassword, sambaLMPassword or sambaNTPassword attribute. It had been checked both via LDAP browser with rootdn binding and via slapcat output.
Well, it would seem then that something is denying access to those attributes. What OpenLDAP release are you using? Anything that ships with Debian is not likely to work well, replication wise.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Alexey Lobanov schrieb: [snipp]
Actually, I hoped that someone in this list knows the nature of this problem already. In my understanding, it can be related either with hashed (vs. plaintext) attributes processing in syncrepl or with undocumented requirements to access rights (i.e., syncrepl binddn must have "write" rights instead of "read").
I would remove all ACLs or put a "... by * write" in front for testing and see if it helps. FWIW, we're running 2.3.x as a slave against 2.2.x from a certain Vendor and I failed to get refreshAndPersist working but refreshOnly works.
cheers Paul
The problem was really dumb. An illegally located commented string in slave configs.
==== syncrepl rid=123 provider=ldap://ldap.office.rct-int type=refreshAndPersist interval=00:00:10:00 searchbase="dc=office,dc=rct-int" # filter="(objectClass=qmailUser)||(objectClass=posixGroup)" scope=sub schemachecking=on binddn="uid=syncuser,ou=People,dc=office,dc=rct-int" ========
As the result, parsing ended at "searchbase", and connection to master was actually anonymous.
Thanks to everyone.
Alexey
15.12.2008 17:24, Alexey Lobanov пишет:
I see a dumb problem trying to implement LDAP Sync Replication in a group of Debian servers. Everything works fine except userPassword, sambaLMPassword and sambaNTPassowrd attributes; the replicas (two of two) just don't have those attributes in any downloaded entries.
Yes, I have checked the access rights: syncrepl binddn has "read" rights for passwords, and "ldapsearch -H ldap://master..." with RDN and credentials used in replicas shows everything including all three password hashes.
openldap-software@openldap.org
-
Aaron Richton -
Alexey Lobanov -
paul kölle -
Quanah Gibson-Mount