On Fri, Oct 28, 2016 at 09:50:30PM -0600, Joshua Schaeffer wrote:
dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcSuffix olcSuffix: dc=harmonywave,dc=com
replace: olcRootDN olcRootDN: cn=admin,dc=harmonywave,dc=com
You may have done this - I didn't see it - but if you change the suffix this way when there are existing entries in that database, and you don't clear them out, you risk exposing yourself to issues such as https://bugs.debian.org/546368. If you change your suffix this way, after you do it, consider initializing a new, empty database: stop slapd, rm /var/lib/ldap/*, and start it again. I'm bringing this up because it looks like you're using the Debian/Ubuntu package, which does indeed add a couple of entries to the default database during setup.
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 TLS established tls_ssf=128 ssf=128
As I understand it, using Kerberos with OpenLDAP already gets you an encrypted transport - I believe using TLS on top of that is redundant.
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND authcid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM" authzid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM" Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=128 Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 RESULT tag=97 err=0 text=
That looks fine, the GSSAPI bind seems to have succeeded.
So at this point, based on your ACLs above, I'd expect it to be able to read all of your data (to * by * read), except for the userPassword and shadowLastChange attributes.
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(objectClass=*)" Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH attr=* + Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=5 UNBIND Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 closed
Odd - I was expecting to see a RESULT line there. Not sure what that means. I guess something goes wrong on the client and it aborts early?
It would be interesting to see logs from the syncrepl consumer, at loglevel 'sync', when you bring it up with an empty database.
If you do an ldapsearch against the provider as anonymous, or doing a GSSAPI bind using that sevice ticket, do you see all the data returned that you expected?
If you want a decent example config to compare your work against, I would suggest rjsystems' articles:
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php
It's a little dated, but not too badly. (For example, most or all of the bugs he mentions have since been fixed; and the hdb backend is deprecated now in favour of mdb.)