On Thursday, 26 November 2009 16:35:00 smainklh(a)free.fr wrote:
Hello guys,
I'm meeting an issue when configuring ldap replication.
The synchronisation account doesn't authenticate with the provider.
Here are my configuration files:
/etc/ldap/slapd.conf (provider):
-----------------------
moduleload syncprov
database bdb
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryCSN,entryUUID eq
/etc/ldap/slapd.conf (consumer):
--------------------------
Syncrepl rid=666
provider=ldaps://provider.domain.tld:636/
type=refreshOnly
retry="60 10 600 +"
interval=00:00:30:00
searchbase="dc=domain,dc=tld"
scope=sub
schemachecking=on
bindmethod=simple
binddn="cn=syncrepluser,dc=domain,dc=tld"
credentials=secret
Errors below:
From consumer
------------
slap_client_connect: URI=ldaps://provider.domain.tld:636/
DN="cn=syncrepluser,dc=domain,dc=tld" ldap_sasl_bind_s failed (49)
do_syncrepl: rid=666 retrying (9 retries left)
From provider
------------
Nov 26 15:28:47 provider slapd[2514]: do_bind: version=3 dn="cn=syncrepluser,dc=domain,dc=tld" method=128
Nov 26 15:28:47 provider slapd[2514]: bdb_dn2entry("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: => bdb_dn2id("cn=syncrepluser,dc=domain,dc=tld")
Nov 26 15:28:47 provider slapd[2514]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
The DN you specified doesn't seem to exist.
Nov 26 15:28:47 provider slapd[2514]: send_ldap_result: conn=3 op=0 p=3
Nov 26 15:28:47 provider slapd[2514]: send_ldap_response: msgid=1 tag=97 err=49
Nov 26 15:28:47 provider slapd[2514]: connection_get(14): got connid=3
Nov 26 15:28:47 provider slapd[2514]: connection_read(14): checking for input on id=3
Nov 26 15:28:47 provider slapd[2514]: ber_get_next on fd 14 failed errno=0 (Success)
Nov 26 15:28:47 provider slapd[2514]: connection_closing: readying conn=3 sd=14 for close
Nov 26 15:28:47 provider slapd[2514]: connection_close: deferring conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: conn=3 op=1 do_unbind
Nov 26 15:28:47 provider slapd[2514]: connection_resched: attempting closing conn=3 sd=14
Nov 26 15:28:47 provider slapd[2514]: connection_close: conn=3 sd=14
Do I have to create an account in the LDAP tree?
Syncrepl performs an LDAP search against the provider. As with any ldap
search, it needs to perform a bind as an identity that has sufficient access to
retrieve the data it needs to replicate the directory content. You could
either use the rootdn on the provider (not recommended) or anonymous access
(not recommended) with a totally unsecured provider, or you need to use a DN
that has been granted sufficient access.
See for example:
http://www.openldap.org/doc/admin24/replication.html#Set%20up%20the%20con...
(unfortunately, the preceding section doesn't show the access controls
mentioned, nor the creation of the DN)
Is there a problem using SSL?
A problem with SSL wouldn't give you an "invalid credentials" error.
Regards,
Buchan
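As an added example (not part of Buchan's reply, and not taken from the OpenLDAP admin guide), this is the kind of entry the provider is missing: the LDAP result 49 in the log comes from bdb_dn2id failing to find cn=syncrepluser at all, so the consumer's binddn has to exist as an entry before any ACL matters. The DN matches the binddn= in the consumer slapd.conf above; the password hash is a placeholder, and the ldapadd command in the comment assumes you bind as the provider's rootdn.

```ldif
# Added example, not from the thread: the bind account the consumer uses.
# Load it on the provider, e.g.:
#   ldapadd -x -H ldaps://provider.domain.tld:636/ -D "<rootdn>" -W -f syncrepluser.ldif
dn: cn=syncrepluser,dc=domain,dc=tld
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: syncrepluser
description: Read-only bind account for syncrepl consumers
# Hashed form of the consumer's credentials= value ("secret" in the config
# above); generate it with: slappasswd -s secret
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
```

The account still needs read access to the replicated subtree, which the provider's slapd.conf does not grant by default, so add an access rule ahead of any more restrictive ones for that database, for example `access to * by dn.exact="cn=syncrepluser,dc=domain,dc=tld" read by * break`, and lift the size/time limits for that DN with `limits dn.exact="cn=syncrepluser,dc=domain,dc=tld" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited` so a large initial refresh is not cut short. Before restarting the consumer, test the bind and search by hand with `ldapsearch -x -H ldaps://provider.domain.tld:636/ -D "cn=syncrepluser,dc=domain,dc=tld" -W -b "dc=domain,dc=tld"`: a result 49 there still means the entry or password is wrong, while an empty or partial result points at the ACL rather than authentication.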