I am having trouble getting multi-master syncrepl to sync when using "bindmethod=sasl" and "saslmech=gssapi". I achieved success when I tried "bindmethod=simple", so at least I know it has been narrowed down to a sasl/gssapi authentication problem (incorrect/missing sasl AuthzRegexp or perhaps an incorrect/missing slapd ACL?).
My syncrepl config is as follows (do I need to specify an authcid/authzid or is this id automatically obtained from gssapi?):
olcMirrorMode: TRUE
olcSyncRepl: rid=001 provider=ldap://or-dc1-db.example.corp retry="5 10 30 +"
  bindmethod=sasl saslmech=gssapi type=refreshAndPersist searchbase="cn=config"
olcSyncRepl: rid=002 provider=ldap://or-dc2-db.example.corp retry="5 10 30 +"
  bindmethod=sasl saslmech=gssapi type=refreshAndPersist searchbase="cn=config"

# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

olcMirrorMode: TRUE
olcSyncRepl: rid=003 provider=ldap://or-dc1-db.example.corp retry="5 10 30 +"
  bindmethod=sasl saslmech=gssapi type=refreshAndPersist searchbase="dc=example,dc=corp"
olcSyncRepl: rid=004 provider=ldap://or-dc2-db.example.corp retry="5 10 30 +"
  bindmethod=sasl saslmech=gssapi type=refreshAndPersist searchbase="dc=example,dc=corp"

# Syncprov overlay
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
My access control:
olcAccess: to attrs=userPassword,shadowLastChange
  by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
  by dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by anonymous auth
  by self write
  by * none
olcAccess: to dn.subtree="ou=krb5,dc=example,dc=corp"
  by dn="cn=kdc-srv,ou=krb5,dc=example,dc=corp" read
  by dn="cn=adm-srv,ou=krb5,dc=example,dc=corp" write
  by * none
olcAccess: to *
  by dn="uid=ldap-admin,ou=people,dc=example,dc=corp" write
  by dn="uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by dn="uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth" write
  by peername.ip="192.168.0.0%255.255.255.0" read
My sasl AuthzRegexp:
olcAuthzRegexp: uid=([^,]+),cn=example.corp,cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=corp
I know sasl/gssapi are working since ldapwhoami on or-dc1-db returns:
SASL/GSSAPI authentication started
SASL username: ldap/or-dc1-db.example.corp@EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc1-db.example.corp,ou=people,dc=example,dc=corp
ldapwhoami on or-dc2-db returns:
SASL/GSSAPI authentication started
SASL username: ldap/or-dc2-db.example.corp@EXAMPLE.CORP
SASL SSF: 56
SASL data security layer installed.
dn:uid=ldap/or-dc2-db.example.corp,ou=people,dc=example,dc=corp
I get the following /var/log/syslog errors on or-dc1-db:
OR-DC1-DB slapd[5446]: slap_client_connect: URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=004 rc -2 retrying
OR-DC1-DB slapd[5446]: slap_client_connect: URI=ldap://or-dc2-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC1-DB slapd[5446]: do_syncrepl: rid=002 rc -2 retrying
/var/log/syslog errors on or-dc2-db:
OR-DC2-DB slapd[5455]: slap_client_connect: URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=003 rc -2 retrying
OR-DC2-DB slapd[5455]: slap_client_connect: URI=ldap://or-dc1-db.example.corp ldap_sasl_interactive_bind_s failed (-2)
OR-DC2-DB slapd[5455]: do_syncrepl: rid=001 rc -2 retrying
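Editor's note with an added example (not part of the post above). The rc -2 in the syslog lines is libldap's LDAP_LOCAL_ERROR, raised on the consumer's side of ldap_sasl_interactive_bind_s before the provider has evaluated any olcAuthzRegexp or olcAccess rule, so the server-side mapping and ACLs cannot produce that particular error. They do decide what the replication identity may read once the bind succeeds, and the post's ldapwhoami output shows where that identity ends up. The script below walks the two SASL usernames from the post through the posted olcAuthzRegexp and the exact `by dn="..."` subjects of the posted olcAccess rules, the way slapd does it. Everything in it is copied from the post except the lower-casing of the realm, which is an assumption about DN normalisation that the post's own lower-case `cn=example.corp` pattern and whoami output rely on.

```python
# Added example, not from the post: trace the consumer's GSSAPI identity through
# slapd's authz-regexp and the exact 'by dn=' ACL subjects copied from the post.
import re

# The post's olcAuthzRegexp, verbatim. slapd writes the capture as $1; Python's
# re uses \1. The unescaped '.' in example.corp matches any character, which is
# harmless here but worth escaping in a real config.
AUTHZ_REGEXP = (
    r"uid=([^,]+),cn=example.corp,cn=gssapi,cn=auth",
    r"uid=\1,ou=people,dc=example,dc=corp",
)

# Exact-match 'by dn="..."' subjects that appear in the post's olcAccess rules.
ACL_BY_DN = [
    "uid=ldap-admin,ou=people,dc=example,dc=corp",
    "uid=ldap/or-dc1-db.example.corp,cn=example.corp,cn=gssapi,cn=auth",
    "uid=ldap/or-dc2-db.example.corp,cn=example.corp,cn=gssapi,cn=auth",
]

# SASL usernames printed by ldapwhoami in the post.
SASL_USERNAMES = [
    "ldap/or-dc1-db.example.corp@EXAMPLE.CORP",
    "ldap/or-dc2-db.example.corp@EXAMPLE.CORP",
]


def sasl_authz_dn(sasl_username: str, mech: str = "gssapi") -> str:
    """DN slapd derives for a SASL identity before authz-regexp runs:
    uid=<user>,cn=<realm>,cn=<mech>,cn=auth.  The realm is lower-cased here
    because DN comparison is case-insensitive and the post's regexp spells it
    'example.corp' (normalisation assumption, consistent with the post's
    whoami output)."""
    user, _, realm = sasl_username.partition("@")
    return f"uid={user},cn={realm.lower()},cn={mech},cn=auth"


def apply_authz_regexp(dn: str) -> str:
    """Mimic slapd: if the pattern matches, the mapped identity is the
    replacement string with its captures expanded; otherwise the identity is
    left unchanged (and ACLs then see the cn=auth form)."""
    pattern, replacement = AUTHZ_REGEXP
    m = re.search(pattern, dn, flags=re.IGNORECASE)
    return m.expand(replacement) if m else dn


def matching_by_dn(dn: str) -> list:
    """'by dn="..."' with no style suffix is an exact match on the normalised
    DN, so compare case-insensitively and return every clause that fires."""
    return [c for c in ACL_BY_DN if c.lower() == dn.lower()]


def trace(sasl_username: str) -> dict:
    """Full walk: SASL name -> pre-mapping DN -> mapped (bound) DN -> ACL hits."""
    raw = sasl_authz_dn(sasl_username)
    mapped = apply_authz_regexp(raw)
    return {
        "sasl_username": sasl_username,
        "authz_dn_before_regexp": raw,
        "bound_dn": mapped,
        "by_dn_clauses_hit": matching_by_dn(mapped),
        "by_dn_clauses_hit_without_regexp": matching_by_dn(raw),
    }


if __name__ == "__main__":
    for name in SASL_USERNAMES:
        for key, value in trace(name).items():
            print(f"{key:36} {value}")
        print()
```

Running it reproduces the dn: line that ldapwhoami printed for each host, and shows that once olcAuthzRegexp has rewritten the identity to uid=ldap/...,ou=people,dc=example,dc=corp, none of the `by dn="uid=ldap/...,cn=example.corp,cn=gssapi,cn=auth"` clauses match any more; those clauses would only fire if the regexp were absent. With the posted rules, the replication identity therefore falls through to `by peername.ip="192.168.0.0%255.255.255.0" read` on `to *`, and to `by * none` on the userPassword and ou=krb5 rules. That is a separate issue from the rc -2 bind failure, which has to be chased on the consumer side (the SASL/GSSAPI credentials available to the slapd process, not to the interactive user who ran ldapwhoami).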