On 04/20/2010 06:12 AM, Ariel wrote:
I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to very that it has all the information from the original master server using a command like this:
ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W
My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though.
The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave:
syncrepl rid=123 provider=ldaps://ldap1.domain.com:636 type=refreshAndPersist searchbase="dc=domain,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="uid=syncuser,ou=People,dc=domain,dc=com" credentials=syncpassword
and on the master server:
moduleload syncprov.la overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100
As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you.
I have no idea how to debug this, any help would be greatly appreciated!
-a
Hi
If you can show ACL on master and slave it will help to understand why you cannot auth users against slave. From what you described, it looks like slave has either access restriction to userPassword and base DN for users or access fails. I also never noticed any TLS certificates configuration mentioned.