All,
My situation is that I'm trying to get replication working between two instances of openldap 2.4.23, both running on RHEL5, both built with the same options, and db built under them with the same options, and both OS instances are the same (cloned VMs)
I can see the two slapd's trying to communicate, but although the passwords supplied in 'credentials' are definitely correct, I keep seeing the err=49 in the logs below
I've been struggling with this for days now.. can anyone give me a hint what I've messed up?
Also, I'm not sure if it's related, but I now can't change anything in the servers' configs directly, I keep getting -
ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
I think this is the behaviour you would expect when the server was a syncrepl slave, but these are supposed to be multi-mastered.
Any help gratefully received, Alister
output of ldapsearch:
# {0}config, config
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://10.211.55.8 binddn="cn=config" bindmethod=simple credentials=cisco123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://10.211.55.11 binddn="cn=config" bindmethod=simple credentials=cisco123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
Sep 3 14:08:59 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.11 DN="cn=config" ldap_sasl_bind_s failed (49)
Sep 3 14:08:59 rhel-lnx1 slapd[12715]: do_syncrepl: rid=002 rc 49 retrying (1 retries left)
Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 fd=9 ACCEPT from IP=10.211.55.11:33025 (IP=0.0.0.0:389)
Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=0 BIND dn="cn=config" method=128
Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=0 RESULT tag=97 err=49 text=
Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 op=1 UNBIND
Sep 3 14:09:00 rhel-lnx1 slapd[12715]: conn=1007 fd=9 closed
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 fd=11 ACCEPT from IP=10.211.55.8:33001 (IP=0.0.0.0:389)
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=0 BIND dn="cn=config" method=128
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=0 RESULT tag=97 err=49 text=
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.8 DN="cn=config" ldap_sasl_bind_s failed (49)
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: do_syncrepl: rid=001 rc 49 retrying
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 op=1 UNBIND
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: conn=1008 fd=11 closed
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: slap_client_connect: URI=ldap://10.211.55.11 DN="cn=config" ldap_sasl_bind_s failed (49)
Sep 3 14:09:04 rhel-lnx1 slapd[12715]: do_syncrepl: rid=002 rc 49 retrying
Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 fd=9 ACCEPT from IP=10.211.55.11:33027 (IP=0.0.0.0:389)
Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=0 BIND dn="cn=config" method=128
Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=0 RESULT tag=97 err=49 text=
Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 op=1 UNBIND
Sep 3 14:09:05 rhel-lnx1 slapd[12715]: conn=1009 fd=9 closed
-- Alister Forbes TACSUNS _.|._.|._ Cisco Systems
Please avoid sending me Word or PowerPoint attachments. See - http://www.gnu.org/philosophy/no-word-attachments.html
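Added example, not part of Alister's post: a small Python triage of slapd log lines in the format quoted above. The sample lines are constructed (RFC 5737 test addresses, made-up host and pid) but follow slapd's "stats" log format. The script pairs each inbound BIND with its bindResponse RESULT (tag=97) so you can see which DN, arriving from which peer, was refused with err=49, and separately counts this server's own consumer-side failures reported by slap_client_connect.

```python
"""Triage of slapd bind failures (err=49) from syslog-style slapd log lines.

Added example for this thread, not code from the original post.  The log lines
below are constructed (RFC 5737 test addresses, made-up host and pid) but follow
the format slapd emits at the default "stats" loglevel.
"""
import re
from collections import Counter

# Constructed sample: two peers each retry a syncrepl bind as cn=config and get
# err=49; conn=12 shows what a successful bind looks like for comparison.
SAMPLE_LOG = """\
Sep  3 14:08:59 ldap1 slapd[4242]: slap_client_connect: URI=ldap://192.0.2.11 DN="cn=config" ldap_sasl_bind_s failed (49)
Sep  3 14:08:59 ldap1 slapd[4242]: do_syncrepl: rid=002 rc 49 retrying (1 retries left)
Sep  3 14:09:00 ldap1 slapd[4242]: conn=10 fd=9 ACCEPT from IP=192.0.2.11:33025 (IP=0.0.0.0:389)
Sep  3 14:09:00 ldap1 slapd[4242]: conn=10 op=0 BIND dn="cn=config" method=128
Sep  3 14:09:00 ldap1 slapd[4242]: conn=10 op=0 RESULT tag=97 err=49 text=
Sep  3 14:09:00 ldap1 slapd[4242]: conn=10 op=1 UNBIND
Sep  3 14:09:00 ldap1 slapd[4242]: conn=10 fd=9 closed
Sep  3 14:09:04 ldap1 slapd[4242]: conn=11 fd=11 ACCEPT from IP=192.0.2.8:33001 (IP=0.0.0.0:389)
Sep  3 14:09:04 ldap1 slapd[4242]: conn=11 op=0 BIND dn="cn=config" method=128
Sep  3 14:09:04 ldap1 slapd[4242]: conn=11 op=0 RESULT tag=97 err=49 text=
Sep  3 14:09:04 ldap1 slapd[4242]: slap_client_connect: URI=ldap://192.0.2.8 DN="cn=config" ldap_sasl_bind_s failed (49)
Sep  3 14:09:04 ldap1 slapd[4242]: do_syncrepl: rid=001 rc 49 retrying
Sep  3 14:09:05 ldap1 slapd[4242]: conn=12 fd=9 ACCEPT from IP=192.0.2.11:33027 (IP=0.0.0.0:389)
Sep  3 14:09:05 ldap1 slapd[4242]: conn=12 op=0 BIND dn="cn=admin,cn=config" method=128
Sep  3 14:09:05 ldap1 slapd[4242]: conn=12 op=0 RESULT tag=97 err=0 text=
"""

# Inbound side: a connection is accepted, a BIND arrives, and a RESULT carrying
# the bindResponse tag (97) reports the outcome.  method=128 is a simple bind.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
# Outbound side: this server's own syncrepl consumer failing to bind to a provider.
CLIENT_RE = re.compile(
    r'slap_client_connect: URI=(\S+) DN="([^"]*)" ldap_sasl_bind_s failed \((\d+)\)')


def triage(lines):
    """Return (inbound, outbound) counters.

    inbound  counts (peer_ip, bind_dn, result_code) for every completed BIND;
    outbound counts (provider_uri, bind_dn, result_code) for consumer failures.
    """
    peer_of_conn = {}          # conn id -> peer IP from the ACCEPT line
    pending = {}               # (conn, op) -> bind DN until its RESULT arrives
    inbound, outbound = Counter(), Counter()
    for line in lines:
        if m := ACCEPT_RE.search(line):
            peer_of_conn[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in pending:   # ignore RESULT lines of non-bind operations
                dn = pending.pop(key)
                inbound[(peer_of_conn.get(key[0], "?"), dn, int(m.group(3)))] += 1
        elif m := CLIENT_RE.search(line):
            outbound[(m.group(1), m.group(2), int(m.group(3)))] += 1
    return inbound, outbound


def invalid_credential_dns(inbound):
    """Bind DNs that were refused with err=49 (invalidCredentials), sorted."""
    return sorted({dn for (_, dn, err) in inbound if err == 49})


if __name__ == "__main__":
    inbound, outbound = triage(SAMPLE_LOG.splitlines())
    for (peer, dn, err), n in sorted(inbound.items()):
        print(f"inbound  peer={peer:<12} dn={dn!r:<24} err={err:<3} x{n}")
    for (uri, dn, err), n in sorted(outbound.items()):
        print(f"outbound provider={uri:<20} dn={dn!r:<24} err={err:<3} x{n}")
    print("DNs refused with err=49:", invalid_credential_dns(inbound))
```

One caveat worth keeping in mind when reading the output: slapd returns err=49 (invalidCredentials) both for a wrong password and for a bind DN it cannot authenticate at all, for example a DN that is neither the database's rootdn nor an entry with a usable userPassword, so the triage tells you which DN and peer to look at, not which of the two causes it is.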
Hi,
Le 03/09/2010 14:25, Alister Forbes a écrit :
My situation is that I'm trying to get replication working between two instances of openldap 2.4.23, both running on RHEL5, both built with the same options, and db built under them with the same options, and both OS instances are the same (cloned VMs)
I can see the two slapd's trying to communicate, but although the passwords supplied in 'credentials' are definitely correct, I keep seeing the err=49 in the logs below
I've been struggling with this for days now.. can anyone give me a hint what I've messed up?
If you're certain the password is correct, it's possible that your ACLs don't allow authentication. At the very least, you need to allow auth access to the userPassword attribute.
To make sure the password can be used to bind with this account (and it's not a purely syncrepl-related problem), I recommend testing with something like: ldapsearch -x -D cn=config -w cisco123 -b cn=config
Also, I'm not sure if it's related, but I now can't change anything in the servers' configs directly, I keep getting -
ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
I think this is the behaviour you would expect when the server was a syncrepl slave, but these are supposed to be multi-mastered.
If you want multi-master, have you also defined serverIDs for each server, and set olcMirrorMode to TRUE?
Regards, Jonathan
Am Fri, 3 Sep 2010 14:25:51 +0200 schrieb Alister Forbes a@cisco.com:
[...]
Did you load the syncprov overlay? And did you declare mirrorMode? You only provide some syncrepl configuration.
-Dieter
Hi Dieter,
Here are the two ldifs I used to configure everything (the only difference is the order the olcServerID is placed in).
First Master:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 10 ldap://10.211.55.8
olcServerID: 20 ldap://10.211.55.11

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.211.55.8 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.211.55.11 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

Second Master:

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 20 ldap://10.211.55.11
olcServerID: 10 ldap://10.211.55.8

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.211.55.8 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.211.55.11 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
On 03 Sep 2010, at 15:55, Dieter Kluenter wrote:
[...]
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
-- Alister Forbes Work: +32 2 704 5762 Internal: 322 5762 a@cisco.com TACSUNS _.|._.|._ Cisco Systems
Alister Forbes a@cisco.com writes:
Hi Dieter,
Here are the two ldifs I used to configure everything: (only difference is the order the olcServerID is placed in.
[...]
OK I don't see anything obvious
On 03 Sep 2010, at 15:55, Dieter Kluenter wrote:
Am Fri, 3 Sep 2010 14:25:51 +0200 schrieb Alister Forbes a@cisco.com:
All,
My situation is that I'm trying to get replication working between two instances of openldap 2.4.23, both running on RHEL5, both built with the same options, and db built under them with the same options, and both OS instances are the same (cloned VMs)
I can see the two slapd's trying to communicate, but although the passwords supplied in 'credentials' are definitely correct, I keep seeing the err=49 in the logs below
How did you create the password and which hashing scheme did you use? It seems that the userpassword hashed value does not match the presented value.
I've been struggling with this for days now.. can anyone give me a hint what I've messed up?
Also, I'm not sure if it's related, but I now can't change anything in the servers' configs directly, I keep getting -
ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
Please check if olcReadOnly is set to FALSE
[...]
-Dieter
Hi Dieter,
Password was created with slappasswd, and I know it's OK, because I can use ldapsearch, ldapmodify etc. to search, check etc.; it's stored in the config in {SSHA} format, but presented in the olcSyncRepl line in cleartext. (It's not actually $PASS, I'm just stupidly paranoid about passwords.) Here's the (partial) output from searching for it:
# {0}config, config
dn: olcDatabase={0}config,cn=config
olcRootPW: {SSHA}wm6t06uLEx1nzsGHT/VJc4g3whG4ihVZ
and yes, olcReadOnly is false...
dn: cn=config
olcReadOnly: FALSE
Alister
On 06 Sep 2010, at 09:14, Dieter Kluenter wrote:
[...]
Found it!
It was all my own fault... the binddn is wrong. I can't tell you how long I've been looking at that.. and how much of a pillock I now feel.
But to hopefully help someone learn from my mistakes... The binddn given in the documentation on openldap.org shows binddn="cn=config"; this wasn't working for me though (not sure if this is something I changed earlier in config, or if it's something changed in the way slapd works), but changing that to 'binddn="cn=admin,cn=config"' fixed the problem for me... they are now syncing, and I'm cursing the fact that it's only 11am, and I can't go for a beer.
Thanks to all on the list, and especially Dieter.
Alister
On 06 Sep 2010, at 09:14, Dieter Kluenter wrote:
Alister Forbes a@cisco.com writes:
<SNIP>
olcSyncRepl: rid=001 provider=ldap://10.211.55.8 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.211.55.11 binddn="cn=config" bindmethod=simple credentials=$PASS searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
<SNIP>
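The resolution above (the binddn has to be a DN slapd can actually authenticate, here the config database's rootdn), Dieter's checklist (syncprov overlay, mirrorMode, serverID, olcReadOnly) and his question about the password hash can all be checked offline against an export of cn=config before restarting anything. The following is an added example, not OpenLDAP's own tooling: it assumes the replication identity is the database's olcRootDN, as it is in this thread, and its LDIF, addresses, password and salt are constructed. One olcSyncrepl value in the sample is folded the way ldapsearch folds long lines, since that is what the wrapped output earlier in the thread looked like.

```python
"""Offline pre-flight check of a cn=config export for cn=config mirror-mode replication.
Added example for this thread, not the project's own tooling.  The LDIF below is
constructed (RFC 5737 addresses, made-up password and salt), modelled on the
ldapsearch output quoted in the thread; one olcSyncrepl value is folded the way
ldapsearch folds long lines (continuation lines start with a space)."""
import base64, hashlib, hmac, re
from collections import defaultdict

ROOT_PW = "example-only-secret"   # constructed, not any real credential


def make_ssha(password, salt):
    """{SSHA} as produced by slappasswd: base64(sha1(password || salt) || salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()


def check_ssha(password, stored):
    """Constant-time check of a cleartext password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled in this example")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


SAMPLE_LDIF = """\
dn: cn=config
olcServerID: 10 ldap://192.0.2.8
olcServerID: 20 ldap://192.0.2.11
olcReadOnly: FALSE

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: @HASH@
olcSyncrepl: {0}rid=001 provider=ldap://192.0.2.8 binddn="cn=config" bindmet
 hod=simple credentials=@PW@ searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://192.0.2.11 binddn="cn=config" bindmethod=simple credentials=@PW@ searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
olcOverlay: {0}syncprov
""".replace("@HASH@", make_ssha(ROOT_PW, b"\x01\x02\x03\x04")).replace("@PW@", ROOT_PW)
# The same export with binddn pointed at the database's rootdn, as in the fix in the thread.
FIXED_LDIF = SAMPLE_LDIF.replace('binddn="cn=config"', 'binddn="cn=admin,cn=config"')

SYNCREPL_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def strip_order(value):
    """Drop the {n} ordering prefix slapd puts on olcSyncrepl/olcOverlay values."""
    return re.sub(r"^\{\d+\}", "", value)


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, then build one dict per
    entry mapping lower-cased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # LDIF folding: drop exactly one leading space
        else:
            lines.append(raw)
    entries, attrs = [], defaultdict(list)
    for line in lines + [""]:
        if not line.strip():                   # a blank line ends an entry
            if attrs:
                entries.append(attrs)
            attrs = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
    return entries


def parse_syncrepl(value):
    """Split an olcSyncrepl value into its key=value parameters (quotes removed)."""
    return {k: q or u for k, q, u in SYNCREPL_KV.findall(strip_order(value))}


def check_config(entries):
    """Return a list of findings (empty means every check passed).  Assumes the
    replication identity is the database's rootdn, as it is in this thread."""
    findings, by_dn = [], {e["dn"][0]: e for e in entries if "dn" in e}
    root = by_dn.get("cn=config", {})
    server_urls = {v.split(None, 1)[1] for v in root.get("olcserverid", []) if " " in v}
    if not server_urls:
        findings.append("cn=config: no olcServerID with a URL (required for multi-master)")
    if root.get("olcreadonly", ["FALSE"])[0].upper() == "TRUE":
        findings.append("cn=config: olcReadOnly is TRUE")
    for dn, e in by_dn.items():
        if "olcsyncrepl" not in e:
            continue
        overlays = {strip_order(c["olcoverlay"][0]).lower() for cdn, c in by_dn.items()
                    if cdn.endswith("," + dn) and "olcoverlay" in c}
        if "syncprov" not in overlays:
            findings.append(f"{dn}: syncprov overlay not configured")
        if e.get("olcmirrormode", ["FALSE"])[0].upper() != "TRUE":
            findings.append(f"{dn}: olcMirrorMode is not TRUE")
        rootdn, rootpw = e.get("olcrootdn", [None])[0], e.get("olcrootpw", [None])[0]
        for rep in map(parse_syncrepl, e["olcsyncrepl"]):
            tag = f"{dn} rid={rep.get('rid')}"
            if rep.get("provider") not in server_urls:
                findings.append(f"{tag}: provider {rep.get('provider')} has no olcServerID entry")
            if rootdn is None:
                findings.append(f"{tag}: olcRootDN not in export, binddn cannot be verified")
            elif rep.get("binddn", "").lower() != rootdn.lower():   # case-fold only, not full RFC 4514 matching
                findings.append(f"{tag}: binddn {rep.get('binddn')!r} != olcRootDN {rootdn!r}")
            if rootpw and rootpw.startswith("{SSHA}") and not check_ssha(rep.get("credentials", ""), rootpw):
                findings.append(f"{tag}: credentials do not match olcRootPW")
    return findings


if __name__ == "__main__":
    for label, ldif in (("as posted", SAMPLE_LDIF), ("binddn fixed", FIXED_LDIF)):
        print(f"{label}: {check_config(parse_ldif(ldif)) or 'all checks passed'}")
```

Run against the constructed export it reports exactly the mismatch from this thread, a binddn of cn=config against an olcRootDN of cn=admin,cn=config, for both rids, and nothing once the binddn is corrected. The `check_ssha` step reproduces the {SSHA} comparison slapd performs for a simple bind as the rootdn, so a wrong credentials value would be flagged without ever sending it over the wire; other hash schemes are out of scope here.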
openldap-technical@openldap.org