Fedora Linux Support Community & Resources Center
Old 1st August 2008, 05:32 PM
jnojr
OpenLDAP 2.3.27 syncrepl authentication problem

I have two servers running CentOS 5.2 and openldap-2.3.27-8.el5_2.4

10.99.16.11 is the master/producer, and can be used as an authentication server. Its slapd.conf is:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
include /etc/openldap/schema/solaris.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn.base="cn=Manager,dc=mydomain,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=mydomain,dc=com" write
by * read

loglevel -1

database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw {SSHA}Iex0F3m24GcxJMup71DpGMlGMgZDta9o

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


10.99.16.7 is the slave/consumer. Its slapd.conf is:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/DUAConfigProfile.schema
include /etc/openldap/schema/solaris.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn.base="cn=Manager,dc=mydomain,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=mydomain,dc=com" write
by dn.base="cn=syncuser,dc=mydomain,dc=com" write
by * read

loglevel -1

database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

syncrepl rid=123
provider=ldap://10.99.16.11:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=mydomain,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=syncuser,dc=mydomain,dc=com"
credentials=aa11

updateref ldap://10.99.16.11


When I start ldap on .7, I get:

Jul 30 09:30:12 unix-services2 slapd[8391]: slapd starting
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: added 4r
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: added 7r
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: select: listen=7 active_threads=0 tvp=zero
Jul 30 09:30:12 unix-services2 slapd[8391]: =>do_syncrepl
Jul 30 09:30:12 unix-services2 slapd[8391]: do_syncrep1: ldap_sasl_bind_s failed (49)
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: shutdown requested and initiated.
Jul 30 09:30:12 unix-services2 slapd[8391]: daemon: closing 7
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd shutdown: waiting for 0 threads to terminate
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd shutdown: initiated
Jul 30 09:30:12 unix-services2 slapd[8391]: ====> bdb_cache_release_all
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd destroy: freeing system resources.
Jul 30 09:30:12 unix-services2 slapd[8391]: slapd stopped.


.11 says:

Jul 30 08:55:18 test1 slapd[4919]: daemon: read active on 13
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13)
Jul 30 08:55:18 test1 slapd[4919]: connection_get(13): got connid=0
Jul 30 08:55:18 test1 slapd[4919]: connection_read(13): checking for input on id=0
Jul 30 08:55:18 test1 slapd[4919]: ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=8 active_threads=0 tvp=NULL
Jul 30 08:55:18 test1 slapd[4919]: do_bind
Jul 30 08:55:18 test1 slapd[4919]: >>> dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: <<< dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>, <cn=syncuser,dc=mydomain,dc=com>
Jul 30 08:55:18 test1 slapd[4919]: do_bind: version=3 dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: ==> bdb_bind: dn: cn=syncuser,dc=mydomain,dc=com
Jul 30 08:55:18 test1 slapd[4919]: bdb_dn2entry("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: conn=0 op=0 p=3
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text=""
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_response: msgid=1 tag=97 err=49
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=


However, I can log in to a client that is using .11 as "syncuser" with "aa11" as the password. So this isn't a cut-and-dried authentication failure. Maybe an ACL issue, or ??? But it's got me stumped.
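One way to triage the provider-side debug log posted above (an added example, not code from the post): LDAP returns the same err=49 (invalidCredentials) to the client whether the bind DN is absent from the server's database or the entry exists and the password was rejected, so only the server's loglevel -1 output tells the two cases apart. The script correlates each BIND with the bdb_dn2id lookup and the RESULT of the same conn/op; the sample log is constructed from the posted lines with the syslog wrapping rejoined, and the bdb_dn2id/DB_NOTFOUND message format is assumed to be that of the OpenLDAP 2.3 bdb backend shown in the post.

```python
import re

# Constructed sample: the provider-side debug log (loglevel -1) quoted in the
# post, with the syslog line wrapping rejoined so each message is one line.
PROVIDER_LOG = """\
Jul 30 08:55:18 test1 slapd[4919]: do_bind
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128
Jul 30 08:55:18 test1 slapd[4919]: ==> bdb_bind: dn: cn=syncuser,dc=mydomain,dc=com
Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com")
Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text=""
Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
DN_MISSING_RE = re.compile(r'<= bdb_dn2id: get failed: DB_NOTFOUND')  # bdb backend: no such entry
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97 is bindResponse

def triage_binds(log_text):
    """One record per BIND: conn/op, DN, method (128 = simple), result code, and
    whether the backend reported the bind DN as absent before answering."""
    records, current = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            current = {"conn": int(m.group(1)), "op": int(m.group(2)),
                       "dn": m.group(3), "method": int(m.group(4)),
                       "dn_missing": False, "err": None}
            records.append(current)
            continue
        if current is None:
            continue
        if DN_MISSING_RE.search(line):
            current["dn_missing"] = True
        m = RESULT_RE.search(line)
        # Close the record only on the RESULT belonging to the same conn/op.
        if m and (int(m.group(1)), int(m.group(2))) == (current["conn"], current["op"]):
            current["err"] = int(m.group(3))
            current = None
    return records

def explain(rec):
    """One-line diagnosis for the operator; the client only ever sees err=49."""
    if rec["err"] == 0:
        return f"{rec['dn']}: bind succeeded"
    if rec["err"] == 49 and rec["dn_missing"]:
        return f"{rec['dn']}: entry does not exist in this server's database (err=49)"
    if rec["err"] == 49:
        return f"{rec['dn']}: entry exists but the credentials were rejected (err=49)"
    return f"{rec['dn']}: bind failed with err={rec['err']}"
```

Run it over the provider's syslog output (one rejoined message per line) rather than the consumer's, since the consumer only sees ldap_sasl_bind_s failed (49).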