Howard Chu wrote:
Eivind Olsen wrote:
Michael Ströder wrote:
49 is "invalidCredentials". Likely one of the following reasons is causing this:
- entry cn=replicator,ou=admins,ou=internal,o=aminor does not exist
- the password is wrong
- some ACLs reject authentication
That's what puzzles me. I can from both nodes do ldapsearch as the replication user to both nodes, and that part behaves as I'd expect it to (I get a connection with answers, and if I try to connect with the wrong password I get "ldap_bind: Invalid credentials (49)").
dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/radius
olcSuffix: ou=radius,ou=no,o=aminor
olcSyncrepl: {0}rid=005 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersis
 t retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=006 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersi
 st retry="5 5 5 +" timeout=3
Clearly you have a mistake in the password of one of these two lines, because if they were identical they would be identical in length, but they wrap the "refreshAndPersist" in two different positions.
PS: Most mistakes are obvious if you actually pay attention to details. But LDIF config format makes mistakes like these even more obvious. Good luck emailing a slapd.conf with this type of mistake in it and having the problem still be apparent after being mangled and rewrapped by multiple mail agents.
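The check Howard performs by eye (two olcSyncrepl stanzas that should be identical except for rid and provider, but fold at different columns) can be done mechanically. The script below is an added example, not code from the thread or from OpenLDAP: it unfolds LDIF continuation lines per RFC 2849, splits each olcSyncrepl value into its keyword=value parameters, and reports which parameters that consumers are expected to share differ between stanzas. The sample LDIF is constructed from the entry quoted above, with the two REPLICATOR passwords replaced by placeholder values of different length; the secret itself is reported only by length so the output can be pasted into a mail without leaking it. The SHARED_PARAMS list is an assumption about what this particular replication setup intends to keep identical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the olcDatabase={3}hdb entry quoted in the
# thread. The two credentials values are placeholders of different length
# (12 vs 11 characters); everything else is identical. Lines beginning with a
# single space are LDIF continuation lines.
SAMPLE_LDIF = """\
dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/radius
olcSuffix: ou=radius,ou=no,o=aminor
olcSyncrepl: {0}rid=005 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=placeholder1 searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersis
 t retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=006 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=placeholdr1 searchbase="ou=radius,ou=no,o=aminor" type=refreshAndPersi
 st retry="5 5 5 +" timeout=3
"""

# Parameters that every consumer stanza of one database is assumed to share
# (assumption for this example; rid and provider legitimately differ).
SHARED_PARAMS = ("binddn", "bindmethod", "credentials",
                 "searchbase", "type", "retry", "timeout")

_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def unfold_ldif(text: str) -> List[Tuple[str, str]]:
    """Unfold LDIF continuation lines and return (attribute, value) pairs.

    A line starting with one space continues the previous logical line; the
    leading space is dropped when joining (RFC 2849). Comments are skipped.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    pairs: List[Tuple[str, str]] = []
    for line in logical:
        attr, sep, value = line.partition(": ")
        if sep:
            pairs.append((attr, value))
    return pairs


def parse_syncrepl(value: str) -> Dict[str, str]:
    """Split an olcSyncrepl value into keyword=value parameters.

    Quoted values may contain spaces (e.g. retry="5 5 5 +"); the leading {n}
    ordering prefix of cn=config values is stored under the key 'index'.
    """
    params: Dict[str, str] = {}
    m = re.match(r"\{(\d+)\}", value)
    if m:
        params["index"] = m.group(1)
        value = value[m.end():]
    for key, _whole, quoted, bare in _TOKEN.findall(value):
        params[key] = quoted if quoted else bare
    return params


def find_mismatches(ldif_text: str) -> Dict[str, List[str]]:
    """Return {parameter: [value per stanza]} for shared parameters that
    differ between the olcSyncrepl stanzas in the given LDIF.

    The credentials value is never returned verbatim: only its length is
    reported, which is enough to locate a typo without exposing the secret.
    """
    stanzas = [parse_syncrepl(v)
               for a, v in unfold_ldif(ldif_text) if a == "olcSyncrepl"]
    mismatches: Dict[str, List[str]] = {}
    for key in SHARED_PARAMS:
        values = [s.get(key, "") for s in stanzas]
        if len(set(values)) > 1:
            if key == "credentials":
                values = [f"<{len(v)} chars>" for v in values]
            mismatches[key] = values
    return mismatches


if __name__ == "__main__":
    for key, values in find_mismatches(SAMPLE_LDIF).items():
        print(f"{key}: differs between stanzas -> {values}")
```

Run against the sample, the only reported difference is `credentials: ['<12 chars>', '<11 chars>']`; the `type` parameter compares equal even though it is folded at different columns in the two stanzas, because folding is undone before comparison. Against a real `slapcat -n 0` dump the same function will flag any shared parameter that drifted between consumers.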