Hi all,
I'm testing multi-master replication between (at least 2) OpenLDAP nodes
(2.4.45, on Ubuntu 18.04) and facing a problem with the replication account.
I set up configuration for node1 and node2 (see configuration below),
and rpuser account for replication (with same hashed password on both
nodes).
I can connect to node1 and node2 with the rpuser account:
ldapsearch -H ldap://node1-vpn -W -D "uid=rpuser,dc=foo,dc=bar" -b "dc=foo,dc=bar"
Then I add a group or a user to a node to test replication with
ldapadd -H ldap://node1-vpn -W -D "cn=admin,dc=foo,dc=bar" -f /tmp/openldap/rep_test_groupadd.ldif
and rep_test_groupadd.ldif:
dn: cn=testgroup,dc=foo,dc=bar
objectClass: top
objectClass: posixGroup
gidNumber: 456
The new group or user is replicated on the other node, but then the
rpuser's password doesn't work anymore on the other node.
I can't connect anymore with
ldapsearch -H ldap://node2-vpn -W -D "uid=rpuser,dc=foo,dc=bar" -b "dc=foo,dc=bar"
and I get error messages for replication in /var/log/syslog:
slap_client_connect: URI=ldap://node2-vpn DN="uid=rpuser,dc=foo,dc=bar"
ldap_sasl_bind_s failed (49)
rpuser's password is still valid on node1.
Any idea what could cause this problem?
Thanks
Vincent
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcDisallows: bind_anon
olcLogLevel: any
olcPidFile: /var/run/slapd/slapd.pid
olcRequires: authc
olcToolThreads: 1
olcServerID: 0 ldap:///
olcServerID: 1 ldap://node1-vpn
olcServerID: 2 ldap://node2-vpn
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: {0}syncprov.la
# {0}mdb, config
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRequires: authc
olcRootDN: cn=admin,dc=nodomain
olcRootPW: {SSHA}HdZbPd66TxCjeYEIAASbAQTnvFh3GOTw
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lab/ldap
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRequires: authc
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {SSHA}zL8CSrnkBacsebLUsJ+dzva6eQ7xcyZJ
olcSyncrepl: {0}rid=101 provider=ldap://node1-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcSyncrepl: {1}rid=102 provider=ldap://node2-vpn binddn="uid=rpuser,dc=foo,dc=bar" bindmethod=simple credentials=rppwd searchbase="dc=foo,dc=bar" type=refreshOnly interval=00:00:00:20 retry="5 10 20 10" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbMaxSize: 1073741824
# {0}syncprov, {2}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
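One check worth running against the posted {2}mdb olcAccess rules is whether the syncrepl binddn can actually read userPassword: the provider answers the consumer's sync search under the same access-control evaluation as any other search, so an attribute the binddn is not allowed to read is simply absent from the copy of the entry the consumer stores. The Python below is an added example, not the poster's configuration nor OpenLDAP's own code. It models the subset of slapd's first-match olcAccess semantics that the posted rules use (stop/break controls; self, anonymous, users, dn and * subjects; level words and "=xw" privilege specs), evaluates the posted {2}mdb rules for the rpuser binddn, flags rules that can never be reached, and contrasts the result with a variant that grants the binddn read on userPassword ahead of the catch-all clause. The attribute list for the rpuser entry is constructed, since the entry itself is not in the post.

```python
"""Minimal model of slapd olcAccess evaluation (added example, not OpenLDAP code).
Rules are tried in order; the first rule whose <what> selects the target entry and
attribute decides; inside it the first matching <who> clause wins, and if no <who>
matches the result is an implicit "by * none". Supported subset: <what> '*',
attrs=, dn.exact=, dn.base=, dn.subtree=; <who> '*', self, anonymous, users,
dn=/dn.exact=; levels none..manage or explicit "=xw"; controls stop and break."""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV_LETTERS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
                "r": "read", "w": "write", "m": "manage"}
CONTROLS = {"stop", "break"}


def privileges(level):
    """Expand "read" (implies every lower level) or "=xw" (exactly those) to a set."""
    if level is None or level == "none":
        return set()
    if level.startswith("="):
        return {PRIV_LETTERS[ch] for ch in level[1:]}
    return set(LEVELS[1:LEVELS.index(level) + 1])


def parse_rule(text):
    """Parse one olcAccess value into (what_dict, [(who, level, control), ...])."""
    body = re.sub(r"^\{\d+\}", "", text.strip())          # drop the {n} ordering prefix
    if not body.startswith("to "):
        raise ValueError("olcAccess value must start with 'to': %r" % text)
    parts = re.split(r"\s+by\s+", body[3:])
    what = {}
    if parts[0].strip() != "*":
        for token in shlex.split(parts[0]):               # e.g. attrs=userPassword
            key, _, value = token.partition("=")
            what[key] = value
    clauses = []
    for clause in parts[1:]:
        tokens = shlex.split(clause)                      # shlex unquotes dn="..."
        if "continue" in tokens:
            raise ValueError("control 'continue' is not modelled")
        level = None if len(tokens) < 2 or tokens[1] in CONTROLS else tokens[1]
        control = tokens[-1] if tokens[-1] in CONTROLS else "stop"
        clauses.append((tokens[0], level, control))
    return what, clauses


def _what_matches(what, target_dn, attr):
    t = target_dn.lower()
    if "attrs" in what and attr.lower() not in what["attrs"].lower().split(","):
        return False
    if ("dn.exact" in what or "dn.base" in what) and \
            t != what.get("dn.exact", what.get("dn.base")).lower():
        return False
    return "dn.subtree" not in what or t.endswith(what["dn.subtree"].lower())


def _who_matches(who, requester_dn, target_dn):
    r = requester_dn.lower()                              # "" means anonymous
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "users":
        return r != ""
    if who == "self":
        return r != "" and r == target_dn.lower()
    key, _, value = who.partition("=")
    if key in ("dn", "dn.exact", "dn.base"):
        return r == value.lower()
    raise ValueError("unsupported <who> form: %r" % who)


def access(rules, requester_dn, target_dn, attr):
    """Privilege set the requester ends up with on (target_dn, attr)."""
    granted = set()
    for what, clauses in rules:
        if not _what_matches(what, target_dn, attr):
            continue
        matched = False
        for who, level, control in clauses:
            if _who_matches(who, requester_dn, target_dn):
                matched = True
                if level is not None:
                    granted = privileges(level)
                if control == "stop":
                    return granted
                break                                     # "break": try the next rule
        if not matched:
            return set()                                  # implicit "by * none"
    return granted


def can_read(rules, requester_dn, target_dn, attr):
    return "read" in access(rules, requester_dn, target_dn, attr)


def replicated_view(rules, binddn, entry_dn, attrs):
    """Attributes a consumer bound as binddn would receive for entry_dn."""
    return [a for a in attrs if can_read(rules, binddn, entry_dn, a)]


def unreachable_rules(rules):
    """Indices of rules nothing can reach: all after a 'to *' rule ending in 'by * ... stop'."""
    for i, (what, clauses) in enumerate(rules):
        who, _, control = clauses[-1]
        if not what and who == "*" and control == "stop":
            return list(range(i + 1, len(rules)))
    return []


RPUSER = "uid=rpuser,dc=foo,dc=bar"
# The posted olcAccess values of olcDatabase={2}mdb, each joined onto one line.
RULES_2MDB = [parse_rule(r) for r in [
    '{0}to attrs=userPassword by self =xw by anonymous auth by * none',
    '{1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
    '{2}to * by dn="uid=rpuser,dc=foo,dc=bar" read',
    '{3}to * by dn="uid=rpuser,dc=foo,dc=bar" write',
]]
# Variant (assumption, not from the post): the binddn gets read on userPassword first.
RULES_2MDB_FIXED = [parse_rule(
    '{0}to attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" read by self =xw '
    'by anonymous auth by * none')] + RULES_2MDB[1:]
# Constructed attribute list; the real rpuser entry is not shown in the post.
RPUSER_ATTRS = ["objectClass", "uid", "cn", "userPassword"]

if __name__ == "__main__":
    print("rpuser reads own userPassword:", can_read(RULES_2MDB, RPUSER, RPUSER, "userPassword"))
    print("consumer's copy of rpuser entry:", replicated_view(RULES_2MDB, RPUSER, RPUSER, RPUSER_ATTRS))
    print("with read granted to binddn   :", replicated_view(RULES_2MDB_FIXED, RPUSER, RPUSER, RPUSER_ATTRS))
    print("rules never reached           :", unreachable_rules(RULES_2MDB))
```

With the posted rules, rule {0} stops at `by self =xw` for rpuser's own entry (auth and write, but no read) and at `by * none` for every other entry, so userPassword never reaches the consumer; rules {2} and {3} are never consulted because {1} is a `to *` rule that ends in `by * none`. Granting the replication identity read on the attribute before the catch-all makes userPassword part of the replicated view again; the same condition applies to every attribute the consumer is expected to carry.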