hi,
I got problem in openldap master,slave replication. I had configured openldap in RHEL 5 as master/slave in syncrepl method ( refreshOnly) my problem is my slave server is not getting replicated with master. I had integrated openldap with postfix also,so when i restart the postfix service i get the below error which i mentioned. plz help me with this issue.
# # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/qmail.schema
# Allow LDAPv2 client connections. This is NOT the default. allow bind_v2
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules: # modulepath /usr/lib64/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # access to attrs=userPassword by self write by dn="cn=syncuser,dc=panafnet,dc=com" read by * auth
access to * by dn="cn=syncuser,dc=panafnet,dc=com" read by * read
# if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=panafnet,dc=com" rootdn "cn=Manager,dc=panafnet,dc=com" rootpw {SSHA}9ma4wkvWQM2ws7E9q7qIgK9vQ2Rp4IhZ
# Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/panafnet.com
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index default sub index entryCSN,entryUUID eq
# Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COM
overlay syncprov
syncprov-checkpoint 100 05 [root@master ~]#
=============================================================================
/etc/ldap.conf(master) ==============================================================================
#host 127.0.0.1 host 192.168.117.4 192.168.117.5
# The distinguished name of the search base. base dc=panafnet,dc=com
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn dc=panafnet,dc=com
# The credentials to bind with. # Optional: default is no credential. bindpw secret # may incur a small performance impact. nss_base_passwd ou=People,dc=panafnet,dc=com?one nss_base_shadow ou=People,dc=panafnet,dc=com?one nss_base_group ou=Group,dc=panafnet,dc=com?one #nss_base_hosts ou=Hosts,dc=example,dc=com?one #nss_base_services ou=Services,dc=example,dc=com?one # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5 #uri ldap://127.0.0.1/ ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 ==================================================================================
/etc/openlldap/slapd.conf(slave) ===================================================================================
# network or connect timeouts (see bind_timelimit). host 192.168.117.5 192.168.117.4
# The distinguished name of the search base. base dc=panafnet,dc=com
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn dc=panafnet,dc=com
# The credentials to bind with. # Optional: default is no credential. bindpw secret
# to append the default base DN but this # may incur a small performance impact. nss_base_passwd ou=People,dc=panafnet,dc=com?one nss_base_shadow ou=People,dc=panafnet,dc=com?one nss_base_group ou=Group,dc=pananfet,dc=com?one #nss_base_hosts ou=Hosts,dc=example,dc=com?one
ssl no tls_cacertdir /etc/openldap/cacerts =====================================================================================
Note: I had integrated ldap with postfix. So when am restart my postfix service i got this error in logs.
Jul 1 16:05:59 master postfix/postfix-script: stopping the Postfix mail system Jul 1 16:05:59 master postfix/master[6303]: terminating on signal 15 Jul 1 16:06:01 master postfix/postfix-script: starting the Postfix mail system Jul 1 16:06:02 master postfix/master[1283]: daemon started -- version 2.3.3, configuration /etc/postfix Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable
# Allow LDAPv2 client connections. This is NOT the default. allow bind_v2
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules: # modulepath /usr/lib64/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING!
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=panafnet,dc=com" rootdn "cn=Manager,dc=panafnet,dc=com" rootpw {SSHA}F/VF2kcFeRzWxmYddG2JryM/0odBN7Hy
# Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/panafnet.com
syncrepl rid=0 provider=ldap://192.168.117.4:389 binddn="dc=panafnet,dc=com" bindmethod=simple credentials=SyncUser searchbase="dc=panafnet,dc=com" filter="(objectClass=*)" attrs="*" schemachecking=off scope=sub type=refreshOnly interval=00:00:00:06
access to attrs=userPassword by dn="cn=syncuser,dc=panafnet,dc=com" write by * auth
access to * by dn="cn=syncuser,dc=panafnet,dc=com" write by * read
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index default sub index entryCSN,entryUUID eq
# Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COM [root@slave ~]# =====================================================================================
/etc/ldap.conf(slave ======================================================================================
openldap-technical@openldap.org