Hi,

I am new to Openldap + Keberos project.  I am setting up slurpd from ldap1(master)  to ldap2(replica).  I am hopping someone can give me some suggestion to troubleshoot this.  I ran into this error when slurpd attempt to add new DN to ldap2. 

This is the error when I run slurpd -d 4

begin replication thread for ldap2.test.domain:389
Initializing session to ldap2.test.domain:389
request done: ld 0x9b27778 msgid 1
bind to ldap2.test.domain as host/krbmaster.test.domain@TEST.DOMAIN via GSSAPI (SASL)
request done: ld 0x9b27778 msgid 2
request done: ld 0x9b27778 msgid 3
request done: ld 0x9b27778 msgid 4
replica ldap2.test.domain:389 - add dn "uid=ppham4,ou=people,dc=test,dc=domain"
request done: ld 0x9b27778 msgid 5
Error: ldap_add_s failed adding DN "uid=ppham4,ou=people,dc=test,dc=domain": Referral
Error: ldap operation failed, data written to "/var/lib/ldap/replica/ldap2.test.domain:389.rej

Here's the slapd.conf on ldap1(master)

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

disallow        bind_simple
#security               tls=1
#require                authc
# Create a replication log in /var/lib/ldap for use by slurpd.
#   REPLICA: Comment this out on the replicas
replogfile      /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key

sasl-secprops noanonymous,noplain,noactive

# Map SASL authentication DNs to LDAP DNs
#   This leaves "username/admin" principals untouched
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
# This should be a  ^  plus, not a star, but slapd won't accept it

# REPLICA:
#   On replica servers replace the first line of each section below (the
#   line that allows /admin principals to write to things) with the
#   following line (allowing the primary server to write instead).  Thus
#   admins can make changes on the primary server, and the primary
#   server can push changes to the replicas.
#by dn.exact="uid=host/foo.example.com,cn=GSSAPI,cn=auth" write

# Users with /admin principals can change anything

# Users can change their shell, anyone else can see it
access to attrs=loginShell
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by self write
        by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by self read
        by * none
# Default read access for everything else
access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
sizelimit 5000
threads 8
loglevel 256                                                                               
# Allow LDAPv2 for Mozilla's address book
#allow bind_v2

database        bdb
suffix          "dc=test,dc=domain"
cachesize 10000

checkpoint 256 15

# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn          "cn=Manager,dc=test,dc=domain"
rootpw          Secret!

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
#   REPLICA:  Comment this out on replicas
replica host=ldap2.test.domain:389 tls=critical
        bindmethod=sasl saslmech=GSSAPI
        authcId=host/krbmaster.test.domain@TEST.DOMAIN


Here's the copy of my slapd.conf on replica ldap2 server:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

#referral       ldap://root.openldap.org
#pidfile        /var/run/slapd.pid
#argsfile       /var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#   REPLICA: Comment this out on the replicas
#replogfile     /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
access to attrs=loginShell
        by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
        by self write
        by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
        by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
        by self read
        by * none
# Default read access for everything else
access to *
        by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
sizelimit 5000
threads 8
idletimeout 14400

loglevel 256
                                                                               
# Allow LDAPv2 for Mozilla's address book
allow bind_v2

database        bdb
suffix          "dc=test,dc=domain"

# Increase the size of slapd's entry cache.  Note that this is a
cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn          "cn=Manager,dc=test,dc=domain"
rootpw          Secret!
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
# The purpose of the updatedn is to tell slapd not to send the updateref
# if that DN tries to make changes.  Any other user which attempts to
# submit a change will be refered to the master LDAP server found in
# updateref.
#   REPLICA:  Uncomment these on replicas
updatedn "uid=host/krbmaster.test.domain"
updateref ldaps://ldap1.test.domain/

Greatly appreciate any help.

Thanks

Phil