Hi, I am new to ldap. I am following the book "Mastering Openldap" to set up replication but I am getting the error given in the title when I start the slave with "slapd -d sync". Replication does not work.

slapd.conf of the master:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

#modulepath /usr/lib/openldap
#moduleload syncprov.la

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#sasl-realm ier.hit-u.ac.jp
#sasl-host localhost
#authz-regexp uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
rootpw secret
#password-hash {MD5}
directory /var/lib/ldap

TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

access to attrs=userPassword
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by anonymous auth
        by * none

access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by self read
        by anonymous auth
        by * none

access to *
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by * read

slapd.conf of the slave:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
rootpw secretofreplicator
#password-hash {MD5}
directory /var/lib/ldap
#TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
#TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
#TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

# Replicas of this database
#updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp
#updateref uri=ldap://192.168.84.22

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

#access to attrs=userPassword
#       by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#       by self write
#       by anonymous auth
#       by * none

#access to *
#       by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#       by self write
#       by * read

#loglevel stats sync

syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
#       bindmethod=sasl saslmech=DIGEST-MD5
#       authcid=replicator
        credentials=secretofreplicator

updateref ldap://mail.ier.hit-u.ac.jp/

What puzzles me is that I try on the slave to access the master with

ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'

and it works. What is wrong? I really need your help.
Hello,
I would say, try to understand the meaning of what you do. The OpenLDAP admin guide is a good place to start.
- For instance, on the slave, you bind to the master with dn uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp and password secretofreplicator. Does this object exist *on the master*? With the right password? Does this account have the right ACL to read everything on the master (i.e., on the master, the ACL is defined for cn=replicator,... which is not the same as uid=replicator,...)?
- Also, why would you use the replicator dn as the rootdn for the slave?
One last thing: I advise you to change the password of both the master and the slave. Posting the file with the hash of the root dn's password on the internet is not a good idea :-)
Good luck
On Wed, 19 Nov 2014 07:38:02 +0000 (UTC), wailok tam wailoktam@yahoo.com wrote:
The master configuration is wrong. Configuration of slapd.conf has to follow a defined order, that is:
- global configuration parameters
- global specific overlays parameters
- first database specific configuration parameters
- first database specific overlays configuration parameters
- second database specific configuration parameters
- second database specific overlays configuration parameters
-Dieter
On Wed, Nov 19, 2014 at 07:38:02AM +0000, wailok tam wrote:
Subject: any help on "ldap_sasl_bind_s failed (53)"
but I am getting the error given in the title when I start the slave with "slapd -d sync". Replication does not work.
slapd.conf of the slave:

syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
#       bindmethod=sasl saslmech=DIGEST-MD5
#       authcid=replicator
        credentials=secretofreplicator

The two comment lines are likely to be the problem. The manpage for slapd.conf says:
If a line begins with white space, it is considered a continuation of the previous line. No physical line should be over 2000 bytes long.
Blank lines and comment lines beginning with a `#' character are ignored. Note: continuation lines are unwrapped before comment processing is applied.
That says to me that comments inside an indented block are to be avoided.
As an aside, you may not want to use DIGEST-MD5 anyway, as it requires the server to store the password in cleartext rather than hashed.
Andrew
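Andrew's reading of the manpage can be replayed offline. The Python below is an added example, not code from the thread or from OpenLDAP: it applies the "unwrap continuation lines, then drop comments" rule to the posted syncrepl block (copied from the slave config above) and shows that the indented credentials= line following the two # lines is swallowed by the comment, leaving a bind with a DN and no password; slapd refuses such unauthenticated binds by default with unwillingToPerform (53), the code in the subject line. With the comment lines removed, as in the poster's follow-up, the credentials survive.

```python
"""Replay the slapd.conf(5) line-unwrapping rule on a syncrepl block."""
import re

# Constructed sample: the slave's syncrepl directive with the two '#' lines
# left inside the indented continuation block, as in the posted config.
BROKEN_BLOCK = """\
syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
#       bindmethod=sasl saslmech=DIGEST-MD5
#       authcid=replicator
        credentials=secretofreplicator
updateref ldap://mail.ier.hit-u.ac.jp/
"""

# The same block with the comment lines removed, as the poster did later.
CLEAN_BLOCK = "\n".join(
    line for line in BROKEN_BLOCK.splitlines() if not line.startswith("#")
) + "\n"


def unwrap_lines(text):
    """Join continuation lines the way slapd.conf(5) describes.

    A physical line that starts with white space is appended to the previous
    logical line. This happens *before* comment processing, so an indented
    line that follows a '#' line becomes part of that comment.
    """
    logical = []
    for physical in text.splitlines():
        if physical[:1] in (" ", "\t") and logical:
            logical[-1] += " " + physical.strip()
        else:
            logical.append(physical.rstrip())
    return logical


def parse_directives(text):
    """Return (directive, argument string) pairs after unwrapping and
    dropping blank lines and comment lines."""
    directives = []
    for line in unwrap_lines(text):
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        directives.append((name, rest.strip()))
    return directives


# key=value, where the value is either a double-quoted string or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def syncrepl_params(text):
    """Extract the key=value parameters of the first syncrepl directive."""
    for name, rest in parse_directives(text):
        if name == "syncrepl":
            return {k: v.strip('"') for k, v in _KV.findall(rest)}
    return None


def check_syncrepl(text):
    """Report what a consumer would actually bind with under this config."""
    params = syncrepl_params(text)
    if params is None:
        return "no syncrepl directive found"
    # bindmethod defaults to simple when it is not given
    if ("binddn" in params and "credentials" not in params
            and params.get("bindmethod", "simple") == "simple"):
        return ("syncrepl has binddn but no credentials: the consumer binds "
                "with a DN and an empty password (unauthenticated bind), "
                "which slapd refuses by default")
    return "ok"


if __name__ == "__main__":
    for label, block in (("broken", BROKEN_BLOCK), ("clean", CLEAN_BLOCK)):
        print(label, "->", check_syncrepl(block))
        print("  params:", syncrepl_params(block))
```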
Hi, all,
Thanks for your feedback. I summarize it and:
1. remove all the comment lines
2. change the order of blocks a bit
Now it ends up with: "ldap_sasl_bind_s failed (49)"
Notice the error code changes from 53 to 49. Again, typing the following on the slave:

ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=myownaccount)'

works. I am posting the cleaned up config file. Any comment is appreciated.

First the master:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw pwofmaster
directory /var/lib/ldap

overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

access to attrs=userPassword
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by anonymous auth
        by * none

access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by self read
        by anonymous auth
        by * none

access to *
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by * read

Next the slave:

### configuration for IER
### written by T.Tanaka

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw pwofslave
directory /var/lib/ldap

# Replicas of this database

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

#access to attrs=userPassword
#       by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#       by self write
#       by anonymous auth
#       by * none

#access to *
#       by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#       by self write
#       by * read

#loglevel stats sync

syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        credentials=pwofslave
On Thu, 20 Nov 2014 06:55:46 +0000 (UTC), wailok tam wailoktam@yahoo.com wrote:
Hi, all, Thanks for your feedback. I summarize it and:
1. remove all the comment lines
2. change the order of blocks a bit
Now it ends up with: "ldap_sasl_bind_s failed (49)"
[...] Read up on LDAP result codes: result 49 is invalidCredentials. There must be a typo in your syncrepl configuration.
-Dieter
Hi, just a bit more information. It is about the bit that I do not understand. I came up with these config files as a step in changing from the old slurpd replication to the newer syncrepl replication. In the old config file for slurpd, there is a slurpd directive:

replica uri=ldap://192.168.90.20
        binddn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
        credentials=pwofslave
replogfile /var/lib/ldap/openldap-master-replog

Of course, they get removed in the new config file. I suppose it means it uses the login details for the id "replicator" to log in to the slave. But I can only find the "replicator" I create on the slave:

ldapsearch -x -W -D 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' '(cn=replicator)'

dn: cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp
uid: replicator
sn: replicator
cn: replicator
ou: Users
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword: pwofslave

not the old "replicator". I created two new "replicator" accounts with the same pw on both the master and the slave. On the slave, it is used as the rootdn. Is there any difference between:
'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' and 'cn=replicator, ou=Users, dc=ier,dc=hit-u,dc=ac,dc=jp'

It may be an irrelevant question. As someone mentions a typo, I wonder whether space and tab make any difference in the config file.
Hi!
You checked two of three components:
1) The DN you configured to read the data
2) The DN that exists in your database
3) The ACL allowing the DN to read the data
It should be obvious what you missed. Try to log in manually (using ldapsearch to get all of your database, as the replication would try). If you get it, replication should work; if not, you know where you'll have to search for the bug.
Regards, Ulrich
wailok tam wailoktam@yahoo.com wrote on 20.11.2014 at 09:11:
Hi, just a bit more information. It is about the bit that I do not understand. I come up with these config files as a step in changing from the old slurpd replication to the newer syncrepl replication. In the old config file for slurpd, there is a slurpd directive: replica uri=ldap://192.168.90.20 binddn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" bindmethod=simple credentials=pwofslavereplogfile /var/lib/ldap/openldap-master-replog Of course, they get removed in the new config file. I suppose it means it uses the login details for the id: replicator to log inthe slave. But I can only find the "replicator" I create on the slave: ldapsearch -x -W -D 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' '(cn=replicator)' dn: cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jpuid: replicatorsn: replicatorcn: replicatorou: UsersobjectClass: personobjectClass: inetOrgPersonobjectClass: organizationalPersonuserPassword: pwofslave not the old "replicator". I create two new "replicator" account with the same pw on both the master and the slave. On the slave, it is used as the rootdn. Is there any difference between: 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' and 'cn=replicator, ou=Users, dc=ier,dc=hit-u,dc=ac,dc=jp'
It may be a irrelevant question. As someone mentions typo, I wonder whether space and tab make any difference in the config file.
From: wailok tam <wailoktam@yahoo.com>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: openldap-technical@openldap.org
Sent: Thursday, November 20, 2014 3:55 PM
Subject: Re: any help on "ldap_sasl_bind_s failed (53)"
Hi, all, Thanks for your feedback. I summarize it and:
1. remove all the comment lines
2. change the order of blocks a bit
Now it ends up with: "ldap_sasl_bind_s failed (49)"
Notice the error code changes from 53 to 49. Again, typing the following on slave:

ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=myownaccount)'

works. I am posting the cleaned up config file. Any comment is appreciated. First the master:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw pwofmaster
directory /var/lib/ldap

overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

access to attrs=userPassword
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by anonymous auth
        by * none

access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by self read
        by anonymous auth
        by * none

access to *
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by * read
*****************************
Next the slave:

### configuration for IER
### written by T.Tanaka

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw pwofslave
directory /var/lib/ldap

# Replicas of this database

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

#access to attrs=userPassword
#        by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#        by self write
#        by anonymous auth
#        by * none

#access to *
#        by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#        by self write
#        by * read

#loglevel stats sync

syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        credentials=pwofslave
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: wailok tam <wailoktam@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Wednesday, November 19, 2014 7:44 PM
Subject: Re: any help on "ldap_sasl_bind_s failed (53)"
On Wed, Nov 19, 2014 at 07:38:02AM +0000, wailok tam wrote:
Subject: any help on "ldap_sasl_bind_s failed (53)"
but I am getting the error given in the title when I start the slave with "slapd -d sync". Replication does not work.
slapd.conf of the slave:

syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
# bindmethod=sasl saslmech=DIGEST-MD5
# authcid=replicator
        credentials=secretofreplicator

The two comment lines are likely to be the problem. The manpage for slapd.conf says:
If a line begins with white space, it is considered a continuation of the previous line. No physical line should be over 2000 bytes long. Blank lines and comment lines beginning with a `#' character are ignored. Note: continuation lines are unwrapped before comment processing is applied.
That says to me that comments inside an indented block are to be avoided.
As an aside, you may not want to use DIGEST-MD5 anyway, as it requires the server to store the password in cleartext rather than hashed.
Andrew
| From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 |
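Added example, not code from this thread or from OpenLDAP: a short Python script that applies two points made above offline. It implements the continuation-line rule Andrew quotes from slapd.conf(5) (a line beginning with whitespace continues the previous line, and unwrapping happens before comment lines are dropped) and Ulrich's three-way comparison of the syncrepl binddn, the entry that exists in the database, and the DN named in the provider's ACLs. The syncrepl blocks, the replicator entry DN and the ACL DN are copied from the messages in the thread; the function names and the findings text are this example's own. Run on the first block it shows that the two comment lines survive unwrapping as separate logical lines and take the indented credentials= line with them, so the consumer would bind without a password; run on the cleaned block it shows that binddn uid=replicator,ou=Users,... matches neither the entry cn=replicator,ou=Users,... nor the ACL's dn.exact, so the bind is attempted as a DN that does not exist. The change from result 53 (unwillingToPerform) to 49 (invalidCredentials) reported in the thread is consistent with that sequence.

```python
"""Offline version of two checks from this thread (added example, not code
from the thread or from OpenLDAP): the continuation-line rule quoted from
slapd.conf(5), and the binddn / database entry / ACL comparison.
Function names are this example's own; sample data is copied from the
messages above."""
import re


def unwrap_slapd_conf(text):
    """Apply the rule from slapd.conf(5): a physical line beginning with
    whitespace continues the previous line, and that unwrapping happens
    BEFORE comment lines are dropped. Returns the surviving logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw[:1].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation, whatever line it follows
        else:
            logical.append(raw.rstrip())
    # comment processing comes second, so a '#' line keeps any continuation
    # that was glued onto it and both vanish together
    return [ln for ln in logical if ln.strip() and not ln.startswith("#")]


def parse_syncrepl(logical_lines):
    """Return the key=value parameters of the first syncrepl directive,
    or None when no syncrepl line survived unwrapping."""
    for ln in logical_lines:
        if ln.startswith("syncrepl"):
            params = {}
            for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', ln):
                params[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
            return params
    return None


def normalize_dn(dn):
    """Canonical form for comparing DNs: attribute types are case-insensitive
    and whitespace around the separators is insignificant (RFC 4514), so
    'CN=replicator, dc=ier' and 'cn=replicator,dc=ier' compare equal.
    Simplification: escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def check_replication_identity(conf_text, entry_dns, acl_dns):
    """Compare (1) the binddn configured in syncrepl with (2) the DNs that
    exist in the database and (3) the DNs named in the provider's ACLs.
    Returns a list of findings; an empty list means all three agree."""
    params = parse_syncrepl(unwrap_slapd_conf(conf_text))
    if params is None:
        return ["no syncrepl directive survives unwrapping"]
    findings = []
    if "credentials" not in params:
        findings.append("syncrepl lost its credentials= to a comment line: "
                        "the consumer would bind with an empty password")
    binddn = normalize_dn(params.get("binddn", ""))
    if binddn not in {normalize_dn(d) for d in entry_dns}:
        findings.append(f"binddn {binddn} is not an entry in the database: "
                        "the bind fails whatever password is sent")
    if binddn not in {normalize_dn(d) for d in acl_dns}:
        findings.append(f"no ACL clause names {binddn}: even a successful bind "
                        "would not get the replicator's read access")
    return findings


# Constructed from the first syncrepl block posted in the thread: the two
# comment lines sit between continuation lines.
SYNCREPL_WITH_COMMENTS = """\
syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        bindmethod=simple
# bindmethod=sasl saslmech=DIGEST-MD5
# authcid=replicator
        credentials=secretofreplicator
"""

# The cleaned-up block from the later message (comments removed).
SYNCREPL_CLEANED = """\
syncrepl rid=001
        provider=ldap://mail.ier.hit-u.ac.jp
        type=refreshAndPersist
        interval=00:00:05:00
        searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
        binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
        credentials=pwofslave
"""

# DN of the replicator entry as shown by the ldapsearch output in the thread,
# and the dn.exact value used in the master's access directives.
ENTRY_DNS = ["cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"]
ACL_DNS = ["cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"]

if __name__ == "__main__":
    for label, conf in (("with comments", SYNCREPL_WITH_COMMENTS),
                        ("cleaned", SYNCREPL_CLEANED)):
        print(f"--- {label}")
        for finding in check_replication_identity(conf, ENTRY_DNS, ACL_DNS):
            print(" *", finding)
```

The DN comparison also answers the whitespace question raised earlier in the thread: a space after a comma is not significant when DNs are compared, so 'cn=replicator, dc=ier,...' and 'cn=replicator,dc=ier,...' name the same entry, but 'cn=replicator,dc=ier,...' and 'cn=replicator,ou=Users,dc=ier,...' are two different entries, and both differ from 'uid=replicator,ou=Users,...'. Changing the binddn in the cleaned block to the DN that the ldapsearch output shows makes the check return no findings.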