Michael Ströder wrote:
> 49 is "invalidCredentials". Likely either one of the following reasons are causing this:
> - entry cn=replicator,ou=admins,ou=internal,o=aminor does not exist
> - the password is wrong
> - some ACLs reject authentication
That's what puzzles me. I can from both nodes do ldapsearch as the replication user to both nodes, and that part behaves as I'd expect it to (I get a connection with answers, and if I try to connect with the wrong password I get "ldap_bind: Invalid credentials (49)").
> Try from ldap02-testing.aminor.no:
> ldapwhoami -H ldap://ldap01-testing.aminor.no -x \
>   -D "cn=replicator,ou=admins,ou=internal,o=aminor" -w <password>
[root@ldap02-testing ~]# ldapwhoami -H ldap://ldap01-testing.aminor.no -x -D "cn=replicator,ou=admins,ou=internal,o=aminor" -w <a_password>
dn:cn=replicator,ou=admins,ou=internal,o=aminor
> For further questions you should post your config.
I will. At the risk of someone going "OMG, why the h... are you doing it like this?" :)
Here's the contents of cn=config (minus all the stuff under cn=schema,cn=config - since that would have added over 2000 lines). I have hidden the passwords. I have done a diff on the output from cn=config on both servers and it's identical.
[root@ldap01-testing ~]# ldapsearch -x -b "cn=config" -D "cn=admin,cn=config" -w <CONFIG-password> -h ldap01-testing.aminor.no -LLL
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 101 ldap://ldap01-testing.aminor.no
olcServerID: 201 ldap://ldap02-testing.aminor.no
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov.la

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=subschema" by * read
olcAccess: {2}to * by self write by users read by anonymous auth
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * +0 break
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW: <CONFIG-password>
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=001 provider=ldap://ldap01-testing.aminor.no binddn="cn=admin,cn=config" bindmethod=simple credentials=<CONFIG-password> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldap02-testing.aminor.no binddn="cn=admin,cn=config" bindmethod=simple credentials=<CONFIG-password> searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcMonitoring: FALSE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="cn=admin,cn=config" read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/internal
olcSuffix: ou=internal,o=aminor
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,ou=internal,o=aminor" write by * none
olcAccess: {1}to * by self write by dn.children="ou=admins,ou=internal,o=aminor" write by * read
olcLimits: {0}dn.exact="cn=Manager,ou=internal,o=aminor" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRootDN: cn=Manager,ou=internal,o=aminor
olcRootPW: <MANAGER-password>
olcSyncrepl: {0}rid=003 provider=ldap://ldap01-testing.aminor.no binddn="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credentials=<REPLICATOR-password> searchbase="ou=internal,o=aminor" type=refreshAndPersist retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=004 provider=ldap://ldap02-testing.aminor.no binddn="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credentials=<REPLICATOR-password> searchbase="ou=internal,o=aminor" type=refreshAndPersist retry="5 5 5 +" timeout=3
olcMirrorMode: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir /usr/local/berkeleydb/openldap-logs/internal
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq

dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/radius
olcSuffix: ou=radius,ou=no,o=aminor
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,ou=radius,ou=no,o=aminor" write by * none
olcAccess: {1}to * by self write by dn.children="ou=admins,ou=internal,o=aminor" write by group.exact="cn=radius write,ou=groups,ou=internal,o=aminor" write by group.exact="cn=radius read,ou=groups,ou=internal,o=aminor" read by * read
olcLimits: {0}dn.exact="cn=Manager,ou=radius,ou=no,o=aminor" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRootDN: cn=Manager,ou=radius,ou=no,o=aminor
olcRootPW: <MANAGER-password>
olcSyncrepl: {0}rid=005 provider=ldap://ldap01-testing.aminor.no binddn="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credentials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersist retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=006 provider=ldap://ldap02-testing.aminor.no binddn="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credentials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersist retry="5 5 5 +" timeout=3
olcMirrorMode: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir /usr/local/berkeleydb/openldap-logs/radius
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcDbIndex: amiCustomerId pres,eq,sub
olcDbIndex: amipppProfileType pres,eq
olcDbIndex: amiLineId pres,eq,sub

dn: olcOverlay={0}syncprov,olcDatabase={3}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
Here are the contents of ou=internal,o=aminor (I also verified that this looks the same on both servers):
dn: ou=internal,o=aminor
objectClass: top
objectClass: organizationalUnit
ou: internal

dn: ou=groups,ou=internal,o=aminor
objectClass: organizationalUnit
ou: groups
description: generic groups branch

dn: cn=radius read,ou=groups,ou=internal,o=aminor
objectClass: groupOfNames
cn: radius read
description: read permission to radius tree
member: cn=radius app user,ou=applications,ou=internal,o=aminor

dn: cn=radius write,ou=groups,ou=internal,o=aminor
objectClass: groupOfNames
cn: radius write
description: write permission to radius tree
member: cn=radius app user,ou=applications,ou=internal,o=aminor

dn: ou=people,ou=internal,o=aminor
objectClass: organizationalUnit
ou: people
description: generic people branch

dn: ou=admins,ou=internal,o=aminor
objectClass: organizationalUnit
ou: admins
description: administrative accounts

dn: cn=replicator,ou=admins,ou=internal,o=aminor
cn: replicator
sn: user
objectClass: person
userPassword: <REPLICATOR-password>

dn: ou=applications,ou=internal,o=aminor
objectClass: organizationalUnit
ou: applications
description: application users

dn: cn=radius app user,ou=applications,ou=internal,o=aminor
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: radius app user
sn: radius app user
userPassword: <RADIUS-password>
Regards,
Eivind Olsen
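As an added example (not from the thread, and not OpenLDAP's own code): a short Python script that unfolds slapd's LDIF output the way the pasted dump needed it, pulls out every olcSyncrepl consumer and checks each bind DN against a dump of the data tree, which covers the first cause in Michael's list. The sample LDIF is constructed from values posted above, with placeholder passwords.

```python
# Added example, not from the thread: read slapd's cn=config LDIF, unfolding the
# continuation lines slapd emits, and list each olcSyncrepl consumer so its bind DN
# can be checked against the data tree (cause 1 of error 49 in Michael's list).
import shlex

# Constructed sample built from values posted in the thread; passwords are placeholders.
CONFIG_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
olcSyncrepl: {0}rid=003 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple creden
 tials=<REPLICATOR-password> searchbase="ou=internal,o=aminor" type=refreshAndPersist
olcSyncrepl: {1}rid=004 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple creden
 tials=<REPLICATOR-password> searchbase="ou=internal,o=aminor" type=refreshAndPersist
"""
DATA_LDIF = """\
dn: cn=replicator,ou=admins,ou=internal,o=aminor
objectClass: person
userPassword: <REPLICATOR-password>
"""

def parse_entries(ldif):
    """Return {dn: {attr: [values]}}, joining folded lines (leading space) first."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]          # LDIF continuation: drop the fold marker
        else:
            lines.append(line)
    entries, cur = {}, None
    for line in lines:
        attr, sep, value = line.partition(": ")
        if not sep:
            continue                       # blank separator line between entries
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def syncrepl_consumers(config):
    """One dict per olcSyncrepl directive: rid, provider, binddn, searchbase, ..."""
    consumers = []
    for attrs in config.values():
        for raw in attrs.get("olcSyncrepl", []):
            spec = raw.partition("}")[2] if raw.startswith("{") else raw  # drop {n}
            consumers.append(dict(tok.split("=", 1) for tok in shlex.split(spec)))
    return consumers

def missing_binddns(config, data):
    """rids whose bind DN has no entry in the data dump (cause 1 in the thread)."""
    return [c["rid"] for c in syncrepl_consumers(config) if c["binddn"] not in data]
```

Run it against `ldapsearch -LLL` dumps of cn=config and of the suffix being replicated; an empty result from missing_binddns means every consumer bind DN exists, and the remaining two causes (password, ACLs granting auth on userPassword) are still open.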