Hello,
Please keep replies on the list.
--On Tuesday, January 28, 2020 8:06 AM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
> Fixed
Not sure what you're saying was fixed. There were not really any errors discussed in your prior email, simply a note that the replication you were configuring would only replicate the cn=config database. Your modification appears to keep that behavior.
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcSyncRepl
> olcSyncRepl: rid=001 provider=ldaps://infra-ldap-m9.wb.ru searchbase="cn=config"
>   bindmethod=simple credentials=5fX?BLR2 binddn="cn=admin,cn=config" starttls=no
>   tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
>   tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
>   type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=002 provider=ldaps://infra-ldap.dl.wb.ru searchbase="cn=config"
>   bindmethod=simple credentials=5fX?BLR2 binddn="cn=admin,cn=config"
>   credentials=5fX?BLR2 starttls=no tls_cert="/etc/ldap/sasl2/w.ru.crt"
>   tls_key="/etc/ldap/sasl2/wb.ru.key" tls_cacert="/etc/ldap/sasl2/commercial_ca.crt"
>   tls_reqcert=allow type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=003 provider=ldaps://infra-ldap.dp.wb.ru searchbase="cn=config"
>   bindmethod=simple credentials=5fX?BLR2 binddn="cn=admin,cn=config" starttls=no
>   tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
>   tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
>   type=refreshAndPersist retry="5 5 300 5" timeout=1
Your above configuration seems very odd. You are not doing client cert authentication via SASL EXTERNAL, and yet you've specified a client cert and key. I would expect the only TLS configuration bits to be for the CA cert.
> But in logs on each server:
> slap_client_connect: URI=ldaps://infra-ldap.dl.wb.ru DN="cn=admin,cn=config" ldap_sasl_bind_s failed
So it's not able to bind with the configuration to the other server.
> openssl s_client -connect infra-ldap.dp.wb.ru:636
> Verify return code: 0 (ok)
> Do I need to specify port 636 in steps 5 and 7? For example, it was ldaps://infra-ldap-m9.wb.ru and will become ldaps://infra-ldap-m9.wb.ru:636
No, port 636 is the default for ldaps.
> And how else can you figure out what's wrong?
I would use the ldapwhoami utility to ensure you can bind with the specified identity to each server.
Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
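The two points Quanah makes above (a client cert and key that serve no purpose with bindmethod=simple, and checking the bind with ldapwhoami) as an added, runnable example. This is not code from the thread or from the OpenLDAP project: it parses olcSyncRepl values of the form posted, reports the unused tls_cert/tls_key, the duplicated parameter in rid=002, and, as an extra caveat not raised in the thread, tls_reqcert=allow (which lets the consumer proceed even when the provider's certificate fails to verify); it then prints the ldapwhoami command that exercises the same bind, and a hardened value that keeps only tls_cacert and demands a verified certificate. Hostnames and paths are the ones quoted in the thread; the password is replaced by the placeholder PLACEHOLDER and the sample values are constructed.

```python
"""Lint and hardening helper for OpenLDAP olcSyncRepl values.

Added example, not from the mailing-list thread or the OpenLDAP project.
Sample values are constructed from the thread with the password replaced
by PLACEHOLDER.
"""
import re
import shlex
from typing import Dict, List, Tuple

SAMPLE_SYNCREPL = [
    # rid=001 as posted: client cert + key next to a simple bind, tls_reqcert=allow
    'rid=001 provider=ldaps://infra-ldap-m9.wb.ru searchbase="cn=config" '
    'bindmethod=simple credentials=PLACEHOLDER binddn="cn=admin,cn=config" '
    'starttls=no tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key" '
    'tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow '
    'type=refreshAndPersist retry="5 5 300 5" timeout=1',
    # rid=002 as posted: credentials= appears twice
    'rid=002 provider=ldaps://infra-ldap.dl.wb.ru searchbase="cn=config" '
    'bindmethod=simple credentials=PLACEHOLDER binddn="cn=admin,cn=config" '
    'credentials=PLACEHOLDER starttls=no tls_cert="/etc/ldap/sasl2/w.ru.crt" '
    'tls_key="/etc/ldap/sasl2/wb.ru.key" tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" '
    'tls_reqcert=allow type=refreshAndPersist retry="5 5 300 5" timeout=1',
]


def _pairs(value: str) -> List[Tuple[str, str]]:
    """Tokenise one olcSyncRepl value into (key, value) pairs.

    shlex keeps quoted values such as retry="5 5 300 5" together; partitioning on
    the first '=' keeps the inner '=' of binddn="cn=admin,cn=config" intact.
    """
    pairs = []
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"not a key=value token: {token!r}")
        pairs.append((key.lower(), val))
    return pairs


def parse_syncrepl(value: str) -> Dict[str, str]:
    """Return the parameters as a dict; the first occurrence of a key wins."""
    params: Dict[str, str] = {}
    for key, val in _pairs(value):
        params.setdefault(key, val)
    return params


def lint_syncrepl(value: str) -> List[str]:
    """Report the problems discussed in the thread plus a duplicate-parameter check."""
    pairs = _pairs(value)
    params = parse_syncrepl(value)
    findings: List[str] = []
    seen = set()
    for key, _ in pairs:
        if key in seen:
            findings.append(f"parameter {key} given more than once")
        seen.add(key)
    if params.get("bindmethod", "simple") == "simple":
        for key in ("tls_cert", "tls_key"):
            if key in params:
                findings.append(f"{key} is set but bindmethod=simple; a client cert "
                                "is only used for SASL EXTERNAL")
    if params.get("tls_reqcert") in ("never", "allow", "try"):
        findings.append(f"tls_reqcert={params['tls_reqcert']} lets the consumer connect "
                        "even if the provider certificate does not verify")
    for key in ("provider", "binddn"):
        if key not in params:
            findings.append(f"missing {key}")
    return findings


def whoami_command(params: Dict[str, str]) -> List[str]:
    """Build the ldapwhoami call that performs the same simple bind syncrepl attempts."""
    if params.get("bindmethod", "simple") != "simple":
        raise ValueError("only bindmethod=simple is handled here")
    return ["ldapwhoami", "-x", "-H", params["provider"], "-D", params["binddn"], "-W"]


def harden_syncrepl(params: Dict[str, str]) -> Dict[str, str]:
    """Drop the unused client cert/key and demand a verified provider certificate."""
    hardened = {k: v for k, v in params.items() if k not in ("tls_cert", "tls_key")}
    hardened["tls_reqcert"] = "demand"
    return hardened


def format_syncrepl(params: Dict[str, str]) -> str:
    """Render a dict back into an olcSyncRepl value, quoting values that need it."""
    parts = []
    for key, val in params.items():
        if not re.fullmatch(r"[A-Za-z0-9./:_-]+", val):
            val = f'"{val}"'
        parts.append(f"{key}={val}")
    return " ".join(parts)


if __name__ == "__main__":
    for value in SAMPLE_SYNCREPL:
        params = parse_syncrepl(value)
        print(f"--- {params['rid']} -> {params['provider']}")
        for finding in lint_syncrepl(value):
            print("  finding:", finding)
        print("  check bind with:", shlex.join(whoami_command(params)))
        print("  hardened:", format_syncrepl(harden_syncrepl(params)))
```

Run the printed ldapwhoami line on the consumer itself, with LDAPTLS_CACERT pointed at the same CA file the syncrepl stanza names, so that the test uses the same trust store and the same password as slapd; if it fails, the bind (not the replication config) is what needs fixing.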