I am having trouble getting multi-master syncrepl to sync when using
"bindmethod=sasl" and "saslmech=gssapi". I achieved success when I tried
"bindmethod=simple", so at least I know it has been narrowed down to a
sasl/gssapi authentication problem (incorrect/missing sasl AuthzRegexp or
perhaps an incorrect/missing slapd ACL?).
My syncrepl config is as follows (do I need to specify an authcid/authzid
or is this id automatically obtained from gssapi?):
olcMirrorMode: TRUE
olcSyncRepl:
rid=001
provider=ldap://or-dc1-db.example.corp
retry="5 10 30 +"
bindmethod=sasl
saslmech=gssapi
type=refreshAndPersist
searchbase="cn=config"
olcSyncRepl:
rid=002
provider=ldap://or-dc2-db.example.corp
retry="5 10 30 +"
bindmethod=sasl
saslmech=gssapi
type=refreshAndPersist
searchbase="cn=config"
# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcMirrorMode: TRUE
olcSyncRepl:
rid=003
provider=ldap://or-dc1-db.example.corp
retry="5 10 30 +"
bindmethod=sasl
saslmech=gssapi
type=refreshAndPersist
searchbase="dc=example,dc=corp"
olcSyncRepl:
rid=004
provider=ldap://or-dc2-db.example.corp
retry="5 10 30 +"
bindmethod=sasl
saslmech=gssapi
type=refreshAndPersist
searchbase="dc=example,dc=corp"
# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
My access control:
olcAccess: to attrs=userPassword,shadowLastChange
by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
by
dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth"
write
by
dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth"
write
by anonymous auth
by self write
by * none
olcAccess: to dn.subtree="ou=krb5,dc=example,dc=corp"
by dn="cn=kdc-srv,ou=krb5,dc=example,dc=corp" read
by dn="cn=adm-srv,ou=krb5,dc=example,dc=corp" write
by * none
olcAccess: to *
by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
by
dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth"
write
by
dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth"
write
by peername.ip="192.168.0.0%255.255.255.0" read
My sasl AuthzRegexp:
olcAuthzRegexp: uid=([^,]+),cn=example.corp,cn=gssapi,cn=auth
uid=$1,ou=people,dc=example,dc=corp
I know sasl/gssapi are working since ldapwhoami on or-dc1-db returns:
SASL/GSSAPI authentication started
SASL username: ldap/or-dc1-db.example.corp(a)EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc1-db.example.corp,ou=people,dc=example,dc=corp
ldapwhoami on or-dc2-db returns:
SASL/GSSAPI authentication started
SASL username: ldap/or-dc2-db.example.corp(a)EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc2-db.example.corp,ou=people,dc=example,dc=corp
I get the following /var/log/syslog errors on or-dc1-db:
OR-DC1-DB slapd[5446]: slap_client_connect:
URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=004 rc -2 retrying
OR-DC1-DB slapd[5446]: slap_client_connect:
URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=002 rc -2 retrying
/var/log/syslog errors on or-dc2-db:
OR-DC2-DB slapd[5455]: slap_client_connect:
URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=003 rc -2 retrying
OR-DC2-DB slapd[5455]: slap_client_connect:
URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=001 rc -2 retrying