One of my coworkers just noticed that replication is broken between our
primary and secondary LDAP servers. It appears to have been broken for
about 1 week now. Nothing has changed relative to the LDAP configuration
on either of our servers, so this is an odd thing to suddenly happen.
When I look at the consumer with some debugging on, I see these messages
(/usr/sbin/slapd -d 1638 was used to get these messages):
ldap_write: want=22, written=22
0000: 30 14 02 01 02 60 0f 02 01 03 04 00 a3 08 04 06  0....`..........
0010: 47 53 53 41 50 49  GSSAPI
ldap_read: want=8, got=8
0000: 30 4a 02 01 02 61 45 0a  0J...aE.
ldap_read: want=68, got=68
0000: 01 0e 04 00 04 1c 53 41 53 4c 28 30 29 3a 20 73  ......SASL(0): s
0010: 75 63 63 65 73 73 66 75 6c 20 72 65 73 75 6c 74  uccessful result
0020: 3a 20 87 20 05 04 05 ff 00 0c 00 00 00 00 00 00  : . ............
0030: 3a f9 e0 c9 07 00 00 00 fd e6 0d 82 df 31 29 00  :............1).
0040: a7 27 90 6a  .'.j
ldap_write: want=116, written=116
0000: 30 72 02 01 03 60 6d 02 01 03 04 00 a3 66 04 06  0r...`m......f..
0010: 47 53 53 41 50 49 04 5c 05 04 04 ff 00 0c 00 00  GSSAPI.\........
0020: 00 00 00 00 36 3c fc 1d 04 ff ff ff 64 6e 3a 75  ....6<......dn:u
0030: 69 64 3d 68 6f 73 74 2f 76 6f 6c 74 72 6f 6e 2d  id=host/voltron-
0040: 62 2e 70 70 70 6c 2e 67 6f 76 2c 63 6e 3d 70 70  b.pppl.gov,cn=pp
0050: 70 6c 2e 67 6f 76 2c 63 6e 3d 67 73 73 61 70 69  pl.gov,cn=gssapi
0060: 2c 63 6e 3d 61 75 74 68 c2 5d 9b 4a ce d9 d6 8b  ,cn=auth.].J....
0070: 23 5f b4 1d  #_..
ldap_read: want=8, got=8
0000: 30 3c 02 01 03 61 37 0a  0<...a7.
ldap_read: want=54, got=54
0000: 01 32 04 00 04 30 53 41 53 4c 28 2d 31 34 29 3a  .2...0SASL(-14):
0010: 20 61 75 74 68 6f 72 69 7a 61 74 69 6f 6e 20 66   authorization f
0020: 61 69 6c 75 72 65 3a 20 6e 6f 74 20 61 75 74 68  ailure: not auth
0030: 6f 72 69 7a 65 64  orized
5e20cedc slap_client_connect: URI=ldap://ldap1.pppl.gov ldap_sasl_interactive_bind_s failed (50)
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00  0....B.
5e20cedc do_syncrepl: rid=001 rc 50 retrying

It looks like the consumer host/voltron-b.pppl.gov,cn=pppl.gov,cn=gssapi,cn=auth is being rejected as not being authorized, but this has been working for years without issue. Any idea what has changed and how I may fix it?
-- Prentice
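To turn a `slapd -d 1638` hex dump like the one in the post back into the LDAP result it encodes, here is an added Python example (not from the post or from OpenLDAP) that collects the hex columns of the two final `ldap_read` frames and decodes the BER BindResponse; the embedded sample is the "not authorized" reply copied from the dump, and `LDAP_RESULT_CODES` is an assumed subset of the RFC 4511 result codes.

```python
import re
# Constructed sample: the last two ldap_read frames from the dump above, i.e.
# the BindResponse carrying "SASL(-14): authorization failure: not authorized".
SAMPLE_DUMP = """\
ldap_read: want=8, got=8
0000: 30 3c 02 01 03 61 37 0a  0<...a7.
ldap_read: want=54, got=54
0000: 01 32 04 00 04 30 53 41 53 4c 28 2d 31 34 29 3a  .2...0SASL(-14):
0010: 20 61 75 74 68 6f 72 69 7a 61 74 69 6f 6e 20 66   authorization f
0020: 61 69 6c 75 72 65 3a 20 6e 6f 74 20 61 75 74 68  ailure: not auth
0030: 6f 72 69 7a 65 64  orized
"""
# Subset of RFC 4511 resultCode values (assumed enough for bind diagnostics).
LDAP_RESULT_CODES = {0: "success", 49: "invalidCredentials",
                     50: "insufficientAccessRights"}
# "OFFSET: xx xx ..." lines; the ASCII column after the hex pairs is ignored.
HEX_LINE = re.compile(r"^[0-9a-f]{4}:((?: [0-9a-f]{2}){1,16})", re.I)

def dump_bytes(text):
    """Concatenate the hex columns of every dump line into one byte string."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, big-endian
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf):
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diag } }."""
    tag, msg, _ = read_tlv(buf, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, msg_id, pos = read_tlv(msg, 0)        # INTEGER messageID
    tag, body, _ = read_tlv(msg, pos)
    assert tag == 0x61, "not a BindResponse ([APPLICATION 1])"
    _, rc, pos = read_tlv(body, 0)           # ENUMERATED resultCode
    _, matched, pos = read_tlv(body, pos)    # OCTET STRING matchedDN
    _, diag, pos = read_tlv(body, pos)       # OCTET STRING diagnosticMessage
    code = int.from_bytes(rc, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": code,
            "result_name": LDAP_RESULT_CODES.get(code, "other"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}
```

The decoded `result_code` of 50 is the same value that appears in `ldap_sasl_interactive_bind_s failed (50)` and `rc 50`, so the consumer is being refused at the SASL authorization step, not at Kerberos authentication.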