Hello!
I've got a syncrepl setup with the following settings:
provider slapd.conf:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
consumer slapd.conf:
syncrepl rid=100
    provider="ldaps://ldap-master.com.com"
    binddn="cn=syncrepl,ou=services,dc=com,dc=com"
    bindmethod=simple
    credentials="secret"
    searchbase="dc=com,dc=com"
    scope=sub
    type=refreshOnly
    interval=00:00:10:00
provider log:
Dec 4 21:15:23 ldap-master slapd[18046]: conn=15053 fd=37 ACCEPT from IP=<slave_ip>:56390 (IP=0.0.0.0:636)
Dec 4 21:15:24 ldap-master slapd[18046]: conn=15053 fd=37 TLS established tls_ssf=256 ssf=256
Dec 4 21:15:24 ldap-master slapd[18046]: conn=15053 fd=37 closed (connection lost)
consumer log:
Dec 4 21:15:24 ldap-slave slapd[6149]: do_syncrep1: rid 100 ldap_sasl_bind_s failed (-1)
Dec 4 21:15:24 ldap-slave slapd[6149]: do_syncrepl: rid 100 quitting
I've double checked the credentials, they're OK. /etc/openldap/ldap.conf has "TLS_REQCERT never" in order to exclude certificate issues.
What could be wrong? Maybe it tries to authenticate by SASL despite bindmethod=simple?
Thanks, Sab
--On December 5, 2007 8:21:20 AM +0100 RUMI Szabolcs rumi_ml@rtfm.hu wrote:
> Hello!
> I've got a syncrepl setup with the following settings:
> What could be wrong? Maybe it tries to authenticate by SASL despite bindmethod=simple?
Your log does not show it trying a SASL bind, and it clearly shows that starting TLS was successful. It also shows that it didn't even try to bind, so you have something else wrong somewhere. You don't really give enough information about your conf files to say much one way or the other, but I would suggest you start by using the ldapsearch binary to try and bind as the syncrepl user to the master. Until that works, nothing else will.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
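An added example, not part of the original thread: a small Python check of the log reading in the reply above, grouping provider log lines by conn= and reporting sessions that were closed with no BIND logged. The sample log is constructed: conn=15053 follows the posted lines with the placeholder address 192.0.2.10, and conn=15054 with its BIND/RESULT lines is an assumed healthy session in slapd's stats log format.

```python
import re
from collections import defaultdict

# Constructed sample. conn=15053 mirrors the failing connection in the thread
# (192.0.2.10 is a placeholder for the consumer address); conn=15054 is an
# assumed healthy session added for contrast.
SAMPLE_LOG = """\
Dec 4 21:15:23 ldap-master slapd[18046]: conn=15053 fd=37 ACCEPT from IP=192.0.2.10:56390 (IP=0.0.0.0:636)
Dec 4 21:15:24 ldap-master slapd[18046]: conn=15053 fd=37 TLS established tls_ssf=256 ssf=256
Dec 4 21:15:24 ldap-master slapd[18046]: conn=15053 fd=37 closed (connection lost)
Dec 4 21:16:01 ldap-master slapd[18046]: conn=15054 fd=38 ACCEPT from IP=192.0.2.10:56391 (IP=0.0.0.0:636)
Dec 4 21:16:01 ldap-master slapd[18046]: conn=15054 fd=38 TLS established tls_ssf=256 ssf=256
Dec 4 21:16:01 ldap-master slapd[18046]: conn=15054 op=0 BIND dn="cn=syncrepl,ou=services,dc=com,dc=com" method=128
Dec 4 21:16:01 ldap-master slapd[18046]: conn=15054 op=0 RESULT tag=97 err=0 text=
Dec 4 21:16:02 ldap-master slapd[18046]: conn=15054 op=1 UNBIND
Dec 4 21:16:02 ldap-master slapd[18046]: conn=15054 fd=38 closed
"""

# Captures the connection id and the event text after the fd=/op= field.
LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd|op)=\d+ (.*)$")

def summarize(log_text):
    """Group events by connection id and record how far each session got."""
    conns = defaultdict(lambda: {"peer": None, "tls": False, "bind": False, "closed": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, event = conns[int(m.group(1))], m.group(2)
        if event.startswith("ACCEPT from IP="):
            conn["peer"] = event.split()[2][len("IP="):]
        elif event.startswith("TLS established"):
            conn["tls"] = True
        elif event.startswith("BIND "):
            conn["bind"] = True
        elif event.startswith("closed"):
            conn["closed"] = event
    return dict(conns)

def dropped_before_bind(log_text):
    """Connection ids that were closed without a BIND ever being logged."""
    return sorted(cid for cid, c in summarize(log_text).items() if c["closed"] and not c["bind"])

if __name__ == "__main__":
    state = summarize(SAMPLE_LOG)
    for cid in dropped_before_bind(SAMPLE_LOG):
        print(f"conn={cid} peer={state[cid]['peer']} tls={state[cid]['tls']}: {state[cid]['closed']}, no BIND logged")
```
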
On Wed, 05 Dec 2007 06:42:51 -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
> Your log does not show it trying a SASL bind, and it clearly shows that starting TLS was successful. It also shows that it didn't even try to bind, so you have something else wrong somewhere. You don't really give enough information about your conf files to say much one way or the other, but I would suggest you start by using the ldapsearch binary to try and bind as the syncrepl user to the master. Until that works, nothing else will.
Indeed I forgot to mention this but of course I've checked it with ldapsearch and it works seamlessly with the same settings. ACLs are set so that the syncrepl DN can read everything, and it really can.
Thanks, Sab
openldap-software@openldap.org