Replication issues with openldap 2.5 - openldap-technical

27 Dec 2024


      Good morning
I am trying to setup a replication in ldap 2.5, using syncrepl, I have a
provider server and a consumer, both of the servers are running 2.5.11 from
Ubuntu 22.04, I followed the admin guide chapter 18.3.1 to do the
configuration.  I have some information on the provider that is
successfully being replicated to the consumer without any errors
Consumer configuration
ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncRepl olcUpdateref
dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: {0}rid=100 provider=ldap://provider:389 type=refr
 eshOnly interval=00:00:05:00 retry="300 +"
searchbase="dc=metrocast,dc=net" f
 ilter="(|(entryDN:=dc=metrocast,dc=net)(entryDN:dnOneLevelMatch:=dc=metrocast
 ,dc=net)(&(entryDN:dnSubtreeMatch:=dc=metrocast,dc=net)(entrydn:dnSubtreeMatc
 h:=ou=Boxes,dc=metrocast,dc=net))(&(entryDN:dnSubtreeMatch:=dc=metrocast,dc=n
 et)(entrydn:dnSubtreeMatch:=ou=RadiusGroups,dc=metrocast,dc=net))(&(entryDN:d
 nSubtreeMatch:=dc=metrocast,dc=net)(entrydn:dnSubtreeMatch:=ou=group,dc=metro
 cast,dc=net))(&(entryDN:dnSubtreeMatch:=dc=metrocast,dc=net)(entryDN:distingu
 ishedNameMatch:=ou=People,dc=metrocast,dc=net))(&(entryDN:dnSubtreeMatch:=dc=
 metrocast,dc=net)(entryDN:dnSubtreeMatch:=ou=employees,dc=metrocast,dc=net)))
 " timelimit=unlimited sizelimit=unlimited bindmethod=simple
binddn="cn=user,ou=boxes,dc=metrocast,dc=net" credentials="xxxx" start
 tls=critical tls_cacertdir="/etc/ldap/certs"
olcUpdateRef: ldap://ldap-write.metrocast.net:389
I can confirm the DIT is present on the consumer and the values matches the
provider item by item, including the encrypted passwords,
The issue I am having is that a query that runs on the provider without any
issue is failing to run on the consumer with error 49 invalid credentials,
but I do know for sure that the provided credentials are good, I even did a
tcpdump and confirmed they are fine
On the provider  a query similar to this one runs fine and returns a result
ldapsearch  -Z  -LLL -H ldap://providert:389 -D
"uid=user1,ou=employees,dc=metrocast,dc=net" -W -b
"ou=employees,dc=metrocast,dc=net" "(mail=*pepe@breezeline.com)
On the consumer this same query returns error 49
ldapsearch  -Z  -LLL -H ldap://providert:389 -D
"uid=user1,ou=employees,dc=metrocast,dc=net" -W -b
"ou=employees,dc=metrocast,dc=net" "(mail=*pepe@breezeline.com)
I confirmed with ldapsearch -Y EXTERNAL -H ldapi:///  ..... that the
information for user1 is exactly the same in the provider and the consumer
for all the attributes including the passwords. Tcpdump confirmed that I am
sending the right password, doing -W or -w $password gives the same result.
For any user I use to run the query I get exactly the same error 49,
I did verify that ACLs are not blocking the query.
Is there anything else I should check?? any log level that could help me
identify where the error is?? Currently my loglevel is olcLogLevel: 128 256
1024
This is a dev environment so I can do changes at will.
Thanks and happy new year
Ulises Gonzalez Horta
Lead Linux Engineer
C: 786 450 2970/ 240 727 6267
E: ugonzalezhorta@breezeline.com jsutherland1@breezeline.com