Hi,
I am new to Openldap + Keberos project. I am setting up slurpd from ldap1(master) to ldap2(replica). I am hopping someone can give me some suggestion to troubleshoot this. I ran into this error when slurpd attempt to add new DN to ldap2.
This is the error when I run slurpd -d 4
begin replication thread for ldap2.test.domain:389 Initializing session to ldap2.test.domain:389 request done: ld 0x9b27778 msgid 1 bind to ldap2.test.domain as host/krbmaster.test.domain@TEST.DOMAIN via GSSAPI (SASL) request done: ld 0x9b27778 msgid 2 request done: ld 0x9b27778 msgid 3 request done: ld 0x9b27778 msgid 4 replica ldap2.test.domain:389 - add dn "uid=ppham4,ou=people,dc=test,dc=domain" request done: ld 0x9b27778 msgid 5 Error: ldap_add_s failed adding DN "uid=ppham4,ou=people,dc=test,dc=domain": Referral Error: ldap operation failed, data written to "/var/lib/ldap/replica/ldap2.test.domain:389.rej
Here's the slapd.conf on ldap1(master)
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
disallow bind_simple #security tls=1 #require authc # Create a replication log in /var/lib/ldap for use by slurpd. # REPLICA: Comment this out on the replicas replogfile /var/lib/ldap/master-slapd.replog TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd1-cert.pem TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP DNs # This leaves "username/admin" principals untouched saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain # This should be a ^ plus, not a star, but slapd won't accept it
# REPLICA: # On replica servers replace the first line of each section below (the # line that allows /admin principals to write to things) with the # following line (allowing the primary server to write instead). Thus # admins can make changes on the primary server, and the primary # server can push changes to the replicas. #by dn.exact="uid=host/foo.example.com,cn=GSSAPI,cn=auth" write
# Users with /admin principals can change anything
# Users can change their shell, anyone else can see it access to attrs=loginShell by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by self write by * read # Only the user can see their employeeNumber access to attrs=employeeNumber by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by self read by * none # Default read access for everything else access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read sizelimit 5000 threads 8 loglevel 256 # Allow LDAPv2 for Mozilla's address book #allow bind_v2
database bdb suffix "dc=test,dc=domain" cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back # out and restart slapd. rootdn "cn=Manager,dc=test,dc=domain" rootpw Secret!
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # REPLICA: Comment this out on replicas replica host=ldap2.test.domain:389 tls=critical bindmethod=sasl saslmech=GSSAPI authcId=host/krbmaster.test.domain@TEST.DOMAIN
Here's the copy of my slapd.conf on replica ldap2 server:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema
#referral ldap://root.openldap.org #pidfile /var/run/slapd.pid #argsfile /var/run/slapd.args # Create a replication log in /var/lib/ldap for use by slurpd. # REPLICA: Comment this out on the replicas #replogfile /var/lib/ldap/master-slapd.replog TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd1-cert.pem TLSCertificateKeyFile /etc/openldap/slapd1.key sasl-secprops noanonymous,noplain,noactive saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain access to attrs=loginShell by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write by self write by * read # Only the user can see their employeeNumber access to attrs=employeeNumber by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write by self read by * none # Default read access for everything else access to * by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write sizelimit 5000 threads 8 idletimeout 14400
loglevel 256
# Allow LDAPv2 for Mozilla's address book allow bind_v2
database bdb suffix "dc=test,dc=domain"
# Increase the size of slapd's entry cache. Note that this is a cachesize 10000 checkpoint 256 15 # Uncomment these only for the initial load, then comment them back # out and restart slapd. rootdn "cn=Manager,dc=test,dc=domain" rootpw Secret! # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # The purpose of the updatedn is to tell slapd not to send the updateref # if that DN tries to make changes. Any other user which attempts to # submit a change will be refered to the master LDAP server found in # updateref. # REPLICA: Uncomment these on replicas updatedn "uid=host/krbmaster.test.domain" updateref ldaps://ldap1.test.domain/
Greatly appreciate any help.
Thanks
Phil