Hello,
I am trying to create an OpenLDAP master/slave solution with syncrepl, but I have not been successful so far.
I followed the suggestions of this site, with another sync password:
https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replic...
One thing I did differently: on the master server, I created the replication user with a userPassword: in SSHA format instead of clear text. Additionally, following the suggestion of another website, I set:
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
Now, I can see with tcpdump that the slave server contacts the master server and that the master server sends replies, but no LDAP users are synchronized to the slave. Unfortunately, nothing about replication is logged to syslog, though I started slapd on both master and slave with options "-s Sync -c rid=001".
Any idea what is wrong, or how I can at least get some debugging output about what is happening on master and slave related to replication?
Regards,
Christoph
> I am trying to create an OpenLDAP master/slave solution with syncrepl, but I have not been successful so far.
> I followed the suggestions of this site, with another sync password:
> https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html
> One thing I did differently: on the master server, I created the replication user with a userPassword: in SSHA format instead of clear text.
I have clear text (older OS); maybe that is it?
> Additionally, following the suggestion of another website, I set:
> olcDbIndex: entryUUID eq
> olcDbIndex: entryCSN eq
> Now, I can see with tcpdump that the slave server contacts the master server and that the master server sends replies, but no LDAP users are synchronized to the slave.
Maybe ACLs? You have to give your sync users access to everything. On the other hand, if you do not need these accounts on your slaves, it is safer not to have this copied ;)
> Unfortunately, nothing about replication is logged to syslog, though I started slapd on both master and slave with options "-s Sync -c rid=001".
Change logging like this or so:
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: ber sync acl

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: ber sync acl stats
--On Thursday, October 12, 2023 4:11 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
> I am trying to create an OpenLDAP master/slave solution with syncrepl, but I have not been successful so far.
> I followed the suggestions of this site, with another sync password:
> https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html
> One thing I did differently: on the master server, I created the replication user with a userPassword: in SSHA format instead of clear text.
> I have clear text (older OS); maybe that is it?
If a password is set using the LDAPv3 password modify extended operation, then the server will hash it. If the password is changed using an ldapmodify operation or an ldapadd operation, and it is in cleartext, the server will not hash it UNLESS ppolicy is also active on the server and it has been configured to intercept and hash cleartext passwords. See the slapo-ppolicy man page on how to configure this.
For the rest of the questions, I advise reading the OpenLDAP admin guide and not following instructions on random websites which are often incorrect.
I'd also note that OpenLDAP offers many secure password hashing mechanisms as the default SSHA is not considered secure. I've been moving to ARGON2 generally. You would need to know if the provider of your OpenLDAP packages included argon2 support in their build.
--Quanah
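The point above is that OpenLDAP stores whatever an ldapadd/ldapmodify hands it, so an audit of a directory export has to look at the userPassword values themselves. The following is an added example, not code from the thread or from the OpenLDAP project: it parses a constructed LDIF fragment (the DNs, the salt "abcd" and the placeholder ARGON2 string are assumptions), classifies each userPassword as cleartext, a single-iteration hash such as the default {SSHA}, or a slow hash such as {ARGON2}, and shows how the RFC 2307 {SSHA} encoding (base64 of SHA-1 digest followed by the salt) is built and verified.

```python
import base64
import hashlib
import os
import re
from typing import Dict

# Scheme labels as they appear in userPassword values. SSHA/SHA/MD5/SMD5 are one
# hash invocation per guess; ARGON2/PBKDF2 are deliberately slow.
FAST_HASHES = {"SHA", "SSHA", "MD5", "SMD5"}
SLOW_HASHES = {"ARGON2", "PBKDF2", "PBKDF2-SHA1", "PBKDF2-SHA256", "PBKDF2-SHA512"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def ssha_hash(password: bytes, salt: bytes = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value; False for any other scheme."""
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    raw = base64.b64decode(m.group(2))
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the salt follows it
    return hashlib.sha1(password + salt).digest() == digest


def classify(value: str) -> str:
    """Report how one userPassword value is stored."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"                      # no {SCHEME} prefix at all
    scheme = m.group(1).upper()
    if scheme == "CLEARTEXT":
        return "cleartext"
    if scheme in FAST_HASHES:
        return "fast hash (%s)" % scheme
    if scheme in SLOW_HASHES:
        return "slow hash (%s)" % scheme
    return "unknown scheme (%s)" % scheme


def audit_ldif(text: str) -> Dict[str, str]:
    """Map each entry's DN to the storage verdict of its userPassword attribute."""
    verdicts = {}
    dn = None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: ") and dn:
            # ldapsearch emits "::" and base64 because userPassword is an octet string
            decoded = base64.b64decode(line[15:].strip()).decode("utf-8", "replace")
            verdicts[dn] = classify(decoded)
        elif line.startswith("userPassword: ") and dn:
            verdicts[dn] = classify(line[14:].strip())
    return verdicts


# Constructed sample export (assumed DNs and values, not data from the thread).
SAMPLE_LDIF = (
    "dn: uid=replica,dc=example,dc=com\n"
    "userPassword: " + ssha_hash(b"replica-secret", b"abcd") + "\n"
    "\n"
    "dn: uid=legacy,dc=example,dc=com\n"
    "userPassword: replica-secret\n"
    "\n"
    "dn: uid=modern,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(
        b"{ARGON2}$argon2id$v=19$m=65536,t=3,p=1$<salt>$<hash>").decode("ascii") + "\n"
)

if __name__ == "__main__":
    for entry_dn, verdict in audit_ldif(SAMPLE_LDIF).items():
        print(entry_dn, "->", verdict)
```

Run it against an `ldapsearch -LLL ... userPassword` export taken with a DN that is allowed to read the attribute; any entry reported as cleartext or as a fast hash is a candidate for re-setting the password through the password-modify extended operation (or through ppolicy) with a stronger `olcPasswordHash`.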
Hello,
> Change logging like this or so:
> dn: cn=config
> changetype: modify
> replace: olcLogLevel
> olcLogLevel: ber sync acl
>
> dn: cn=config
> changetype: modify
> replace: olcLogLevel
> olcLogLevel: ber sync acl stats
Ok, thank you. I got some error logging and it said:
Oct 12 19:24:07 openldap2 slapd[1713088]: slap_client_connect: URI=ldaps://openldap.plmail.de/ DN="uid=replica,dc=plmail,dc=de" ldap_sasl_bind_s failed (-1)
Oct 12 19:24:07 openldap2 slapd[1713088]: do_syncrepl: rid=001 rc -1 retrying (1 retries left)
So, I switched from ldaps to ldap, and suddenly, the synchronization worked. But I have no idea what the problem with ldaps is. Isn't it enough to just write an ldaps URI instead of an ldap URI?
Regards,
Christoph
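The two log lines above are the signal a consumer emits when its syncrepl bind to the provider fails, and they are worth alerting on rather than discovering by hand. The following is an added example, not code from the thread or from OpenLDAP: it runs two regular expressions over a constructed slapd syslog excerpt (hostnames, DN and timestamps are assumptions shaped after the quoted lines), collects bind failures per provider URI and replica ids whose retry count reached zero, and additionally flags any provider contacted over plain ldap://, since "fixing" the failure by dropping TLS is the outcome the rest of this thread warns against.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed slapd syslog excerpt (sample data, not from the thread): a consumer
# whose syncrepl bind to the provider fails twice and then runs out of retries.
SAMPLE_SYSLOG = """\
Oct 12 19:24:07 consumer1 slapd[1713088]: slap_client_connect: URI=ldaps://provider.example.test/ DN="uid=replica,dc=example,dc=test" ldap_sasl_bind_s failed (-1)
Oct 12 19:24:07 consumer1 slapd[1713088]: do_syncrepl: rid=001 rc -1 retrying (1 retries left)
Oct 12 19:24:30 consumer1 slapd[1713088]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:636)
Oct 12 19:25:07 consumer1 slapd[1713088]: slap_client_connect: URI=ldaps://provider.example.test/ DN="uid=replica,dc=example,dc=test" ldap_sasl_bind_s failed (-1)
Oct 12 19:25:07 consumer1 slapd[1713088]: do_syncrepl: rid=001 rc -1 retrying (0 retries left)
"""

# Shapes of the two messages quoted in the thread.
BIND_FAIL_RE = re.compile(
    r'slap_client_connect: URI=(?P<uri>\S+) DN="(?P<dn>[^"]+)" '
    r'ldap_sasl_bind_s failed \((?P<rc>-?\d+)\)')
RETRY_RE = re.compile(
    r'do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying \((?P<left>\d+) retries left\)')


def parse_syncrepl_events(lines: List[str]) -> List[Dict[str, object]]:
    """Extract syncrepl bind failures and retry notices; unrelated lines are ignored."""
    events = []
    for line in lines:
        m = BIND_FAIL_RE.search(line)
        if m:
            events.append({"kind": "bind_failure", "uri": m.group("uri"),
                           "dn": m.group("dn"), "rc": int(m.group("rc"))})
            continue
        m = RETRY_RE.search(line)
        if m:
            events.append({"kind": "retry", "rid": m.group("rid"),
                           "rc": int(m.group("rc")), "retries_left": int(m.group("left"))})
    return events


def summarize(events: List[Dict[str, object]]) -> Dict[str, object]:
    """Aggregate the events into the three things an operator should act on."""
    report = {
        "bind_failures": Counter(),     # provider URI -> number of failed consumer binds
        "rids_out_of_retries": set(),   # replica ids whose "retries left" reached zero
        "plaintext_uris": set(),        # providers reached over ldap:// rather than ldaps://
    }
    for ev in events:
        if ev["kind"] == "bind_failure":
            report["bind_failures"][ev["uri"]] += 1
            if ev["uri"].startswith("ldap://"):
                report["plaintext_uris"].add(ev["uri"])
        elif ev["kind"] == "retry" and ev["retries_left"] == 0:
            report["rids_out_of_retries"].add(ev["rid"])
    return report


if __name__ == "__main__":
    report = summarize(parse_syncrepl_events(SAMPLE_SYSLOG.splitlines()))
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else sorted(value))
```

The messages only appear once the consumer's olcLogLevel includes `sync`, so the log-level change suggested earlier in the thread is a prerequisite for this detection; feed it `journalctl -u slapd` or the syslog file line by line.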
> Ok, thank you. I got some error logging and it said:
> Oct 12 19:24:07 openldap2 slapd[1713088]: slap_client_connect: URI=ldaps://openldap.plmail.de/ DN="uid=replica,dc=plmail,dc=de" ldap_sasl_bind_s failed (-1)
> Oct 12 19:24:07 openldap2 slapd[1713088]: do_syncrepl: rid=001 rc -1 retrying (1 retries left)
> So, I switched from ldaps to ldap, and suddenly, the synchronization worked.
Ok, that is bad, because that means your SSHA is going over an unencrypted connection, and afaik this SSHA can be (easily?) brute forced with something like John the Ripper (only tried one account of mine, so it could be not as bad as I write).
> But I have no idea what the problem with ldaps is. Isn't it enough to just write an ldaps URI instead of an ldap URI?
Most likely your cert. If it is self-signed, make sure you have things like this in your ldap.conf, and your hostnames are correct.
TLS_CACERTDIR
TLS_REQCERT demand
On 10/13/2023 7:45 AM, Marc wrote:
> So, I switched from ldaps to ldap, and suddenly, the synchronization worked.
> Ok, that is bad, because that means your SSHA is going over an unencrypted connection, and afaik this SSHA can be (easily?) brute forced with something like John the Ripper (only tried one account of mine, so it could be not as bad as I write).
Also: an unencrypted connection is vulnerable to man-in-the-middle attacks. A villain who is able to stage a man-in-the-middle attack could feed malicious data to your client - like, say, a user record with uid==0 and a password that the villain knows.
--On Friday, October 13, 2023 10:42 AM +0200 Christoph Pleger Christoph.Pleger@cs.tu-dortmund.de wrote:
> So, I switched from ldaps to ldap, and suddenly, the synchronization worked. But I have no idea what the problem with ldaps is. Isn't it enough to just write an ldaps URI instead of an ldap URI?
If you read the man page, you will see there is a setting to provide the CA cert as part of the syncrepl stanza.
--Quanah
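Both suggestions above (TLS_CACERTDIR / TLS_REQCERT in ldap.conf, or the per-stanza tls_cacert / tls_reqcert parameters documented in slapd-config(5)) amount to the same configuration review: does the consumer encrypt the replication session, and does it verify the provider's certificate against a CA it actually has? The following is an added example, not code from the thread or from OpenLDAP: it tokenizes an olcSyncrepl value into its key=value parameters and reports the transport and certificate weaknesses discussed in this thread. The three stanzas are constructed (assumed hostnames, DNs, credentials and CA path); the checks go slightly beyond the thread by also treating starttls=critical as encrypted and starttls=yes as a downgrade risk.

```python
import re
from typing import Dict, List

# olcSyncrepl parameters are "key=value" tokens; values containing spaces are double-quoted.
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_syncrepl(stanza: str) -> Dict[str, str]:
    """Turn an olcSyncrepl value into a dict of lower-cased parameter -> value."""
    return {key.lower(): quoted or bare for key, quoted, bare in PARAM_RE.findall(stanza)}


def check_syncrepl(stanza: str) -> List[str]:
    """Return findings about the transport and certificate settings of one consumer stanza."""
    p = parse_syncrepl(stanza)
    findings = []
    provider = p.get("provider", "")
    starttls = p.get("starttls", "").lower()
    encrypted = provider.startswith("ldaps://") or starttls == "critical"
    if not encrypted:
        findings.append("replication traffic and the bind password travel unencrypted: "
                        "use provider=ldaps://... or starttls=critical")
    if starttls == "yes":
        findings.append("starttls=yes continues in cleartext if STARTTLS fails; use starttls=critical")
    if provider.startswith("ldaps://") or starttls:
        # libldap defaults tls_reqcert to demand, but ldap.conf can lower it; this check
        # insists on the stanza stating it explicitly so the review does not depend on that file.
        if p.get("tls_reqcert", "").lower() != "demand":
            findings.append("tls_reqcert=demand is not set in the stanza: certificate "
                            "verification depends on ldap.conf TLS_REQCERT")
        if "tls_cacert" not in p and "tls_cacertdir" not in p:
            findings.append("no tls_cacert/tls_cacertdir in the stanza: a private CA is only "
                            "trusted if ldap.conf TLS_CACERT/TLS_CACERTDIR points at it")
    return findings


# Constructed stanzas (sample data, not the thread's configuration).
PLAIN_LDAP = ('rid=001 provider=ldap://provider.example.test bindmethod=simple '
              'binddn="uid=replica,dc=example,dc=test" credentials=replica-secret '
              'searchbase="dc=example,dc=test" type=refreshAndPersist retry="60 +"')
LDAPS_NO_CA = PLAIN_LDAP.replace("ldap://", "ldaps://")
HARDENED = LDAPS_NO_CA + " tls_cacert=/etc/ssl/certs/private-ca.pem tls_reqcert=demand"

if __name__ == "__main__":
    for name, stanza in (("plain ldap", PLAIN_LDAP), ("ldaps, no CA", LDAPS_NO_CA), ("hardened", HARDENED)):
        print(name + ":", check_syncrepl(stanza) or ["ok"])
```

The stanza to feed in is the olcSyncrepl value from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncrepl` on the consumer; the hostname in provider= must match a subject name in the provider's certificate, which is the other half of the "hostnames are correct" remark above.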
openldap-technical@openldap.org