Hi,
I've spent 2 days on this now and can't figure it out.
Master directory (2.4.21 on FBSD 7, compiled with SASL)
Slave (2.4.31 on Debian Squeeze)
The goal is to eventually use TLS as both the servers are remote from one to another, but for the sake of simplicity during testing i'm not using TLS at this stage.
RefreshAndPersist replication is setup and working
Master config(not complete, but related parts):
authz-policy to
database bdb suffix cn=accesslog directory /db/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE
# Let the replica DN have limitless searches limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database bdb suffix "dc=webgate,dc=net,dc=au" rootdn "cn=Manager,dc=webgate,dc=net,dc=au"
rootpw deleted
password-hash {SSHA}
directory /var/db/openldap-data mode 0600
cachesize 2000
# syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword by self write by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by * auth
access to dn.base="ou=zones,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=zones,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=emails,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=emails,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=users,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=users,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=groups,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=groups,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=virtualhosts,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=virtualhosts,dc=webgate,dc=net,dc=au" by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to * by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read by users read by anonymous none by * none
Slave config:
overlay chain
chain-uri ldap://xxx:389/ chain-rebind-as-user Yes
chain-idassert-bind bindmethod="simple" binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" credentials="xxx" mode="self" chain-return-error Yes
access to attrs=userPassword,shadowLastChange by anonymous auth by * none
access to dn.base="" by * read
access to * by * read
# syncrepl directives syncrepl rid=0 provider=ldap://xxx:389 bindmethod=simple binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" credentials=deleted searchbase="dc=webgate,dc=net,dc=au" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
# Refer updates to the master updateref ldap://xxx
cn=replicator contains: dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au objectClass: top objectClass: inetOrgPerson cn: replicator sn: replicator userPassword:: xxx authzTo: {0}dn:*
No matter what I change, when I run ldapmodify on slave
ldapmodify -x -D "cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" -W -f test_update.ldif
modifying entry "uid=xxx,ou=emails,dc=webgate,dc=net,dc=au" ldap_modify: Strong(er) authentication required (8)
I run the server with -d 1 to see what's going on and it seems even if i change
chain-idassert-bind binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
to anything that doesn't even exist in the directory it never gets used...
The only thing that makes a difference from the chain-* directives is the
chain-return-error Yes, setting it to "no" makes it return just the referral address
What am I doing wrong???
Thanks Petr
cn=replicator contains: dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au objectClass: top objectClass: inetOrgPerson cn: replicator sn: replicator userPassword:: xxx authzTo: {0}dn:*
You may be getting hit by ITS#4744 (fixed in 2.4.30 and you provider is older) http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4744;select... but will take a closer look at your config.
Thanks.
You may be getting hit by ITS#4744 (fixed in 2.4.30 and you provider is older) http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4744;select... but will take a closer look at your config.
Ive rebuilt OpenLDAP on provider to 2.4.31 but it's still happening. I've rebuilt twice - first with SASL, then without and it makes no difference either.
This is driving me crazy bannanas now. Anything in my config that's wrong?
What's the cause of "Strong(er) authentication required" error?
If I do ldapmodify -x -D ".." -h "provider.hostname" -W -f "modfile.ldif" it works fine. It's only when slapo-chain handles the referrals.
Cheers
Ive rebuilt OpenLDAP on provider to 2.4.31 but it's still happening. I've rebuilt twice - first with SASL, then without and it makes no difference either.
This is driving me crazy bannanas now. Anything in my config that's wrong?
What's the cause of "Strong(er) authentication required" error?
If I do ldapmodify -x -D ".." -h "provider.hostname" -W -f "modfile.ldif" it works fine. It's only when slapo-chain handles the referrals.
Remove your dn{} line and see http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#stronger... (8)
openldap-technical@openldap.org