Hello guys,
I'm having an issue when configuring LDAP replication. The synchronisation account doesn't authenticate with the provider.
Here are my configuration files:
/etc/ldap/slapd.conf (provider):
-----------------------
moduleload syncprov
database bdb
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryCSN,entryUUID eq
/etc/ldap/slapd.conf (consumer):
--------------------------
syncrepl rid=666
        provider=ldaps://provider.domain.tld:636/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:30:00
        searchbase="dc=domain,dc=tld"
        scope=sub
        schemachecking=on
        bindmethod=simple
        binddn="cn=syncrepluser,dc=domain,dc=tld"
        credentials=secret
Errors below:
From consumer
------------
slap_client_connect: URI=ldaps://provider.domain.tld:636/ DN="cn=syncrepluser,dc=domain,dc=tld" ldap_sasl_bind_s failed (49)
do_syncrepl: rid=666 retrying (9 retries left)
From provider
------------
Nov 26 15:28:47 provider slapd[2514]: do_bind: version=3 dn="cn=syncrepluser,dc=domain,dc=tld" method=128
Nov 26 15:28:47 provider slapd[2514]: bdb_dn2entry("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: => bdb_dn2id("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
Nov 26 15:28:47 provider slapd[2514]: send_ldap_result: conn=3 op=0 p=3
Nov 26 15:28:47 provider slapd[2514]: send_ldap_response: msgid=1 tag=97 err=49
Nov 26 15:28:47 provider slapd[2514]: connection_get(14): got connid=3
Nov 26 15:28:47 provider slapd[2514]: connection_read(14): checking for input on id=3
Nov 26 15:28:47 provider slapd[2514]: ber_get_next on fd 14 failed errno=0 (Success)
Nov 26 15:28:47 provider slapd[2514]: connection_closing: readying conn=3 sd=14 for close
Nov 26 15:28:47 provider slapd[2514]: connection_close: deferring conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: conn=3 op=1 do_unbind
Nov 26 15:28:47 provider slapd[2514]: connection_resched: attempting closing conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: connection_close: conn=3 sd=14
Do I have to create an account in the LDAP tree? Is there a problem using SSL?
Thank you for your help.
Regards, Grifith
On Thursday, 26 November 2009 16:35:00 smainklh@free.fr wrote:
Hello guys,
I'm having an issue when configuring LDAP replication. The synchronisation account doesn't authenticate with the provider.
Here are my configuration files:
/etc/ldap/slapd.conf (provider):
moduleload syncprov
database bdb
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryCSN,entryUUID eq
/etc/ldap/slapd.conf (consumer):
syncrepl rid=666
        provider=ldaps://provider.domain.tld:636/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:30:00
        searchbase="dc=domain,dc=tld"
        scope=sub
        schemachecking=on
        bindmethod=simple
        binddn="cn=syncrepluser,dc=domain,dc=tld"
        credentials=secret
Errors below:
From consumer
slap_client_connect: URI=ldaps://provider.domain.tld:636/ DN="cn=syncrepluser,dc=domain,dc=tld" ldap_sasl_bind_s failed (49)
do_syncrepl: rid=666 retrying (9 retries left)
From provider
Nov 26 15:28:47 provider slapd[2514]: do_bind: version=3 dn="cn=syncrepluser,dc=domain,dc=tld" method=128
Nov 26 15:28:47 provider slapd[2514]: bdb_dn2entry("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: => bdb_dn2id("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
The DN you specified doesn't seem to exist.
Nov 26 15:28:47 provider slapd[2514]: send_ldap_result: conn=3 op=0 p=3
Nov 26 15:28:47 provider slapd[2514]: send_ldap_response: msgid=1 tag=97 err=49
Nov 26 15:28:47 provider slapd[2514]: connection_get(14): got connid=3
Nov 26 15:28:47 provider slapd[2514]: connection_read(14): checking for input on id=3
Nov 26 15:28:47 provider slapd[2514]: ber_get_next on fd 14 failed errno=0 (Success)
Nov 26 15:28:47 provider slapd[2514]: connection_closing: readying conn=3 sd=14 for close
Nov 26 15:28:47 provider slapd[2514]: connection_close: deferring conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: conn=3 op=1 do_unbind
Nov 26 15:28:47 provider slapd[2514]: connection_resched: attempting closing conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: connection_close: conn=3 sd=14
Do I have to create an account in the LDAP tree?
Syncrepl performs an LDAP search against the provider. As with any ldap search, it needs to perform a bind as an identity that has sufficient access to retrieve the data it needs to replicate the directory content. You could either use the rootdn on the provider (not recommended) or anonymous access (not recommended) with a totally unsecured provider, or you need to use a DN that has been granted sufficient access.
See for example: http://www.openldap.org/doc/admin24/replication.html#Set%20up%20the%20consum...
(unfortunately, the preceding section doesn't show the access controls mentioned, nor the creation of the DN)
Is there a problem using SSL?
A problem with SSL wouldn't give you an "invalid credentials" error.
Regards, Buchan
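Buchan's answer says the consumer must bind as a DN that exists on the provider and has been granted sufficient access, and notes that the admin guide section does not show how to create that DN or its access controls. The script below is an added example, not code from the thread or from the OpenLDAP project: it emits the LDIF for cn=syncrepluser,dc=domain,dc=tld (DN, suffix and provider URI taken from the thread), the provider access clauses that give only that DN read access, and the bind check a consumer would perform. ROOT_DN and the {SSHA} hash are placeholders to replace with the provider's real rootdn and slappasswd output.

```shell
#!/bin/sh
# Added example, not from the thread: create the identity named by the consumer's
# binddn and grant it read access on the provider. DN, suffix and provider URI come
# from the thread; ROOT_DN and the {SSHA} hash are placeholders to replace.
SUFFIX="dc=domain,dc=tld"
SYNC_DN="cn=syncrepluser,${SUFFIX}"
PROVIDER_URI="ldaps://provider.domain.tld:636/"
ROOT_DN="cn=admin,${SUFFIX}"   # placeholder: the provider's rootdn

# LDIF for the replication identity: an organizationalRole carrying only a
# password (simpleSecurityObject). Generate the hash with: slappasswd -s 'secret'
syncrepl_user_ldif() {
  cat <<EOF
dn: ${SYNC_DN}
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: syncrepluser
description: replication identity used by the consumer's syncrepl binddn
userPassword: {SSHA}PLACEHOLDER_REPLACE_WITH_SLAPPASSWD_OUTPUT
EOF
}

# Provider slapd.conf access clauses. The replication identity must read every
# attribute it replicates, userPassword included, which the usual "by * auth"
# rule would hide; everyone else keeps the default rights. Put these before any
# other "access to" lines in the provider's database section.
provider_acl() {
  cat <<EOF
access to attrs=userPassword
        by dn.exact="${SYNC_DN}" read
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="${SYNC_DN}" read
        by * read
EOF
}

# Load the entry as the rootdn, then confirm the bind the consumer will perform.
# ldapwhoami prints "dn:${SYNC_DN}" on success and "Invalid credentials (49)"
# when the DN is missing or the password is wrong, the same err=49 seen above.
load_and_verify() {
  syncrepl_user_ldif | ldapadd -x -H "${PROVIDER_URI}" -D "${ROOT_DN}" -W
  ldapwhoami -x -H "${PROVIDER_URI}" -D "${SYNC_DN}" -W
}
```

Run load_and_verify once the placeholders are filled in; a successful ldapwhoami before enabling syncrepl rules out the missing-DN and wrong-password causes of err=49.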
Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Thursday, 26 November 2009 16:35:00 smainklh@free.fr wrote:
Hello guys,
I'm having an issue when configuring LDAP replication. The synchronisation account doesn't authenticate with the provider.
Here are my configuration files:
/etc/ldap/slapd.conf (provider):
moduleload syncprov
database bdb
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryCSN,entryUUID eq
/etc/ldap/slapd.conf (consumer):
syncrepl rid=666
        provider=ldaps://provider.domain.tld:636/
        type=refreshOnly
        retry="60 10 600 +"
        interval=00:00:30:00
        searchbase="dc=domain,dc=tld"
        scope=sub
        schemachecking=on
        bindmethod=simple
        binddn="cn=syncrepluser,dc=domain,dc=tld"
        credentials=secret
Errors below:
From consumer
slap_client_connect: URI=ldaps://provider.domain.tld:636/ DN="cn=syncrepluser,dc=domain,dc=tld" ldap_sasl_bind_s failed (49)
do_syncrepl: rid=666 retrying (9 retries left)
From provider
Nov 26 15:28:47 provider slapd[2514]: do_bind: version=3 dn="cn=syncrepluser,dc=domain,dc=tld" method=128
Nov 26 15:28:47 provider slapd[2514]: bdb_dn2entry("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: => bdb_dn2id("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
The DN you specified doesn't seem to exist.
Nov 26 15:28:47 provider slapd[2514]: send_ldap_result: conn=3 op=0 p=3
Nov 26 15:28:47 provider slapd[2514]: send_ldap_response: msgid=1 tag=97 err=49
Nov 26 15:28:47 provider slapd[2514]: connection_get(14): got connid=3
Nov 26 15:28:47 provider slapd[2514]: connection_read(14): checking for input on id=3
Nov 26 15:28:47 provider slapd[2514]: ber_get_next on fd 14 failed errno=0 (Success)
Nov 26 15:28:47 provider slapd[2514]: connection_closing: readying conn=3 sd=14 for close
Nov 26 15:28:47 provider slapd[2514]: connection_close: deferring conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: conn=3 op=1 do_unbind
Nov 26 15:28:47 provider slapd[2514]: connection_resched: attempting closing conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: connection_close: conn=3 sd=14
Do I have to create an account in the LDAP tree?
Syncrepl performs an LDAP search against the provider. As with any ldap search, it needs to perform a bind as an identity that has sufficient access to retrieve the data it needs to replicate the directory content. You could either use the rootdn on the provider (not recommended) or anonymous access (not recommended) with a totally unsecured provider, or you need to use a DN that has been granted sufficient access.
See for example:
http://www.openldap.org/doc/admin24/replication.html#Set%20up%20the%20consum...
(unfortunately, the preceding section doesn't show the access controls mentioned, nor the creation of the DN)
Is there a problem using SSL?
A problem with SSL wouldn't give you an "invalid credentials" error.
Regards, Buchan
Ok thanks Buchan, I only had to create an account.
openldap-technical@openldap.org