Hello everyone,

I've been testing the How-To document I've written for Red Hat Linux 7.1. The goal is to use SASL to authenticate the replication user account, and permit replication traffic to work in plain text. I already have this configuration working on FreeBSD 4.3 - for details, see http://home.att.net/~ldap-sasl.howto/freebsd-howto.html . However, the Red Hat Linux 7.1 instructions aren't complete yet as I'm stuck on an issue.

Please refer to the following documents with this email:
http://home.att.net/~ldap-sasl.howto/primary.slapd.conf - master slapd configuration file
http://home.att.net/~ldap-sasl.howto/sasl.slapd.conf - /usr/lib/sasl/slapd.conf
http://home.att.net/~ldap-sasl.howto/backup.slapd.conf - backup slapd configuration file
linux-howto.html - the DRAFT how-to document
debug.txt - output of /usr/local/libexec/slurpd -d 255

The debug.txt file shows the entire output from slurpd, running on the primary LDAP server. This server can and will replicate successfully via SASL with a FreeBSD 4.3 server. However, it cannot yet replicate with the Red Hat Linux 7.1 server. FYI, the primary LDAP server is running Red Hat Linux 7.1.

The error that concerns me is on line 270 of debug.txt:
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown error
This does not kick out a reject file as with other slurpd errors.

If you would like to have a How To document for installing OpenLDAP with SASL on Red Hat Linux, please test the configuration described in linux-howto.html. I would appreciate it if someone would assist me in troubleshooting this difficult error. Credit will be given to those who assist.

Thank you,
Kayne McGladrey
kaymcg@safeco.com

Kayne McGladrey, MCSE
kaymcg@safeco.com
(425)376-5926
Config: ** configuration file successfully read and parsed No status file found, defaulting values new work in /usr/local/etc/openldap/replog/replog.log copy replog "/usr/local/etc/openldap/replog/replog.log" to "/usr/local/var/openldap-slurp/replica/slurpd.replog" begin replication thread for jarrett.safeco.com:389 Initializing session to jarrett.safeco.com:389 ldap_create bind to jarrett.safeco.com as REPL.LDAP.SAFECO.COM via DIGEST-MD5 (SASL) ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5 ldap_int_sasl_bind: DIGEST-MD5 ldap_new_connection ldap_int_open_connection ldap_connect_to_host ldap_new_socket: 6 ldap_prepare_socket: 6 ldap_connect_to_host: Trying 192.168.1.2:389 ldap_connect_timeout: fd: 6 tm: -1 async: 0 ldap_ndelay_on: 6 ldap_is_sock_ready: 6 ldap_ndelay_off: 6 ldap_int_sasl_open: jarrett.safeco.com ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_flush: 50 bytes to sd 6 0000: 30 30 02 01 01 60 2b 02 01 03 04 18 75 69 64 3d 00...`+.....uid= 0010: 52 45 50 4c 2e 4c 44 41 50 2e 53 41 46 45 43 4f REPL.LDAP.SAFECO 0020: 2e 43 4f 4d a3 0c 04 0a 44 49 47 45 53 54 2d 4d .COM....DIGEST-M 0030: 44 35 D5 ldap_write: want=50, written=50 0000: 30 30 02 01 01 60 2b 02 01 03 04 18 75 69 64 3d 00...`+.....uid= 0010: 52 45 50 4c 2e 4c 44 41 50 2e 53 41 46 45 43 4f REPL.LDAP.SAFECO 0020: 2e 43 4f 4d a3 0c 04 0a 44 49 47 45 53 54 2d 4d .COM....DIGEST-M 0030: 44 35 D5 ldap_result msgid 1 ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 1 wait4msg continue, msgid 1, all 1 ** Connections: * host: jarrett.safeco.com port: 389 (default) refcnt: 2 status: Connected last used: Wed Oct 3 13:52:16 2001 ** Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=1, all=1 ldap_chkResponseList returns NULL do_ldap_select read1msg: msgid 1, all 1 ber_get_next ldap_read: want=1, 
got=1 0000: 30 0 ldap_read: want=1, got=1 0000: 81 . ldap_read: want=1, got=1 0000: b7 . ldap_read: want=183, got=183 0000: 02 01 01 61 81 b1 0a 01 0e 04 00 04 00 87 81 a7 ...a............ 0010: 72 65 61 6c 6d 3d 22 6a 61 72 72 65 74 74 22 2c realm="jarrett", 0020: 6e 6f 6e 63 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 nonce="jKK6T/9t0 0030: 2f 41 31 47 50 2b 34 36 6f 71 43 34 2b 6f 75 35 /A1GP+46oqC4+ou5 0040: 5a 4b 5a 54 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 ZKZT/cNeLgwBEK+I 0050: 4a 49 3d 22 2c 71 6f 70 3d 22 61 75 74 68 2c 61 JI=",qop="auth,a 0060: 75 74 68 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e uth-int,auth-con 0070: 66 22 2c 63 69 70 68 65 72 3d 22 72 63 34 2d 34 f",cipher="rc4-4 0080: 30 2c 72 63 34 2d 35 36 2c 72 63 34 2c 64 65 73 0,rc4-56,rc4,des 0090: 2c 33 64 65 73 22 2c 63 68 61 72 73 65 74 3d 75 ,3des",charset=u 00a0: 74 66 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d tf-8,algorithm=m 00b0: 64 35 2d 73 65 73 73 d5-sess ber_get_next: tag 0x30 len 183 contents: ber_dump: buf=0x08082080 ptr=0x08082080 end=0x08082137 len=183 0000: 02 01 01 61 81 b1 0a 01 0e 04 00 04 00 87 81 a7 ...a............ 
0010: 72 65 61 6c 6d 3d 22 6a 61 72 72 65 74 74 22 2c realm="jarrett", 0020: 6e 6f 6e 63 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 nonce="jKK6T/9t0 0030: 2f 41 31 47 50 2b 34 36 6f 71 43 34 2b 6f 75 35 /A1GP+46oqC4+ou5 0040: 5a 4b 5a 54 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 ZKZT/cNeLgwBEK+I 0050: 4a 49 3d 22 2c 71 6f 70 3d 22 61 75 74 68 2c 61 JI=",qop="auth,a 0060: 75 74 68 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e uth-int,auth-con 0070: 66 22 2c 63 69 70 68 65 72 3d 22 72 63 34 2d 34 f",cipher="rc4-4 0080: 30 2c 72 63 34 2d 35 36 2c 72 63 34 2c 64 65 73 0,rc4-56,rc4,des 0090: 2c 33 64 65 73 22 2c 63 68 61 72 73 65 74 3d 75 ,3des",charset=u 00a0: 74 66 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d tf-8,algorithm=m 00b0: 64 35 2d 73 65 73 73 d5-sess ldap_read: message type bind msgid 1, original id 1 ber_scanf fmt ({iaa) ber: ber_dump: buf=0x08082080 ptr=0x08082083 end=0x08082137 len=180 0000: 61 81 b1 0a 01 0e 04 00 04 00 87 81 a7 72 65 61 a............rea 0010: 6c 6d 3d 22 6a 61 72 72 65 74 74 22 2c 6e 6f 6e lm="jarrett",non 0020: 63 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 2f 41 31 ce="jKK6T/9t0/A1 0030: 47 50 2b 34 36 6f 71 43 34 2b 6f 75 35 5a 4b 5a GP+46oqC4+ou5ZKZ 0040: 54 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 4a 49 3d T/cNeLgwBEK+IJI= 0050: 22 2c 71 6f 70 3d 22 61 75 74 68 2c 61 75 74 68 ",qop="auth,auth 0060: 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e 66 22 2c -int,auth-conf", 0070: 63 69 70 68 65 72 3d 22 72 63 34 2d 34 30 2c 72 cipher="rc4-40,r 0080: 63 34 2d 35 36 2c 72 63 34 2c 64 65 73 2c 33 64 c4-56,rc4,des,3d 0090: 65 73 22 2c 63 68 61 72 73 65 74 3d 75 74 66 2d es",charset=utf- 00a0: 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 2d 8,algorithm=md5- 00b0: 73 65 73 73 sess read1msg: 0 new referrals read1msg: mark request completed, id = 1 request 1 done res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection ldap_free_connection: refcnt 1 ldap_parse_sasl_bind_result ber_scanf fmt ({iaa) ber: ber_dump: buf=0x08082080 
ptr=0x08082083 end=0x08082137 len=180 0000: 61 81 b1 0a 01 0e 04 00 04 00 87 81 a7 72 65 61 a............rea 0010: 6c 6d 3d 22 6a 61 72 72 65 74 74 22 2c 6e 6f 6e lm="jarrett",non 0020: 63 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 2f 41 31 ce="jKK6T/9t0/A1 0030: 47 50 2b 34 36 6f 71 43 34 2b 6f 75 35 5a 4b 5a GP+46oqC4+ou5ZKZ 0040: 54 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 4a 49 3d T/cNeLgwBEK+IJI= 0050: 22 2c 71 6f 70 3d 22 61 75 74 68 2c 61 75 74 68 ",qop="auth,auth 0060: 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e 66 22 2c -int,auth-conf", 0070: 63 69 70 68 65 72 3d 22 72 63 34 2d 34 30 2c 72 cipher="rc4-40,r 0080: 63 34 2d 35 36 2c 72 63 34 2c 64 65 73 2c 33 64 c4-56,rc4,des,3d 0090: 65 73 22 2c 63 68 61 72 73 65 74 3d 75 74 66 2d es",charset=utf- 00a0: 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 2d 8,algorithm=md5- 00b0: 73 65 73 73 sess ber_scanf fmt (O) ber: ber_dump: buf=0x08082080 ptr=0x0808208d end=0x08082137 len=170 0000: 87 81 a7 72 65 61 6c 6d 3d 22 6a 61 72 72 65 74 ...realm="jarret 0010: 74 22 2c 6e 6f 6e 63 65 3d 22 6a 4b 4b 36 54 2f t",nonce="jKK6T/ 0020: 39 74 30 2f 41 31 47 50 2b 34 36 6f 71 43 34 2b 9t0/A1GP+46oqC4+ 0030: 6f 75 35 5a 4b 5a 54 2f 63 4e 65 4c 67 77 42 45 ou5ZKZT/cNeLgwBE 0040: 4b 2b 49 4a 49 3d 22 2c 71 6f 70 3d 22 61 75 74 K+IJI=",qop="aut 0050: 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 2d h,auth-int,auth- 0060: 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 63 conf",cipher="rc 0070: 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 2c 4-40,rc4-56,rc4, 0080: 64 65 73 2c 33 64 65 73 22 2c 63 68 61 72 73 65 des,3des",charse 0090: 74 3d 75 74 66 2d 38 2c 61 6c 67 6f 72 69 74 68 t=utf-8,algorith 00a0: 6d 3d 6d 64 35 2d 73 65 73 73 m=md5-sess ldap_parse_result ber_scanf fmt ({iaa) ber: ber_dump: buf=0x08082080 ptr=0x08082083 end=0x08082137 len=180 0000: 61 81 b1 0a 01 0e 04 00 04 00 87 81 a7 72 65 61 a............rea 0010: 6c 6d 3d 22 6a 61 72 72 65 74 74 22 2c 6e 6f 6e lm="jarrett",non 0020: 63 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 2f 41 31 
ce="jKK6T/9t0/A1 0030: 47 50 2b 34 36 6f 71 43 34 2b 6f 75 35 5a 4b 5a GP+46oqC4+ou5ZKZ 0040: 54 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 4a 49 3d T/cNeLgwBEK+IJI= 0050: 22 2c 71 6f 70 3d 22 61 75 74 68 2c 61 75 74 68 ",qop="auth,auth 0060: 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e 66 22 2c -int,auth-conf", 0070: 63 69 70 68 65 72 3d 22 72 63 34 2d 34 30 2c 72 cipher="rc4-40,r 0080: 63 34 2d 35 36 2c 72 63 34 2c 64 65 73 2c 33 64 c4-56,rc4,des,3d 0090: 65 73 22 2c 63 68 61 72 73 65 74 3d 75 74 66 2d es",charset=utf- 00a0: 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 2d 8,algorithm=md5- 00b0: 73 65 73 73 sess ber_scanf fmt (x) ber: ber_dump: buf=0x08082080 ptr=0x0808208d end=0x08082137 len=170 0000: 87 81 a7 72 65 61 6c 6d 3d 22 6a 61 72 72 65 74 ...realm="jarret 0010: 74 22 2c 6e 6f 6e 63 65 3d 22 6a 4b 4b 36 54 2f t",nonce="jKK6T/ 0020: 39 74 30 2f 41 31 47 50 2b 34 36 6f 71 43 34 2b 9t0/A1GP+46oqC4+ 0030: 6f 75 35 5a 4b 5a 54 2f 63 4e 65 4c 67 77 42 45 ou5ZKZT/cNeLgwBE 0040: 4b 2b 49 4a 49 3d 22 2c 71 6f 70 3d 22 61 75 74 K+IJI=",qop="aut 0050: 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 2d h,auth-int,auth- 0060: 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 63 conf",cipher="rc 0070: 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 2c 4-40,rc4-56,rc4, 0080: 64 65 73 2c 33 64 65 73 22 2c 63 68 61 72 73 65 des,3des",charse 0090: 74 3d 75 74 66 2d 38 2c 61 6c 67 6f 72 69 74 68 t=utf-8,algorith 00a0: 6d 3d 6d 64 35 2d 73 65 73 73 m=md5-sess ber_scanf fmt (}) ber: ber_dump: buf=0x08082080 ptr=0x08082137 end=0x08082137 len=0 ldap_msgfree sasl_client_start: 2 sasl_client_start: 1 ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_flush: 346 bytes to sd 6 0000: 30 82 01 56 02 01 02 60 82 01 4f 02 01 03 04 18 0..V...`..O..... 
0010: 75 69 64 3d 52 45 50 4c 2e 4c 44 41 50 2e 53 41 uid=REPL.LDAP.SA 0020: 46 45 43 4f 2e 43 4f 4d a3 82 01 2e 04 0a 44 49 FECO.COM......DI 0030: 47 45 53 54 2d 4d 44 35 04 82 01 1e 75 73 65 72 GEST-MD5....user 0040: 6e 61 6d 65 3d 22 52 45 50 4c 2e 4c 44 41 50 2e name="REPL.LDAP. 0050: 53 41 46 45 43 4f 2e 43 4f 4d 22 2c 72 65 61 6c SAFECO.COM",real 0060: 6d 3d 22 6a 61 72 72 65 74 74 22 2c 6e 6f 6e 63 m="jarrett",nonc 0070: 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 2f 41 31 47 e="jKK6T/9t0/A1G 0080: 50 2b 34 36 6f 71 43 34 2b 6f 75 35 5a 4b 5a 54 P+46oqC4+ou5ZKZT 0090: 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 4a 49 3d 22 /cNeLgwBEK+IJI=" 00a0: 2c 63 6e 6f 6e 63 65 3d 22 53 31 72 4c 4c 70 67 ,cnonce="S1rLLpg 00b0: 66 6a 58 50 52 6f 72 57 64 44 33 37 52 44 48 2b fjXPRorWdD37RDH+ 00c0: 71 70 54 78 33 56 33 41 72 47 41 5a 59 39 6f 4a qpTx3V3ArGAZY9oJ 00d0: 69 4e 38 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 iN84=",nc=000000 00e0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf 00f0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch 0100: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige 0110: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6a 61 72 st-uri="ldap/jar 0120: 72 65 74 74 2e 73 61 66 65 63 6f 2e 63 6f 6d 22 rett.safeco.com" 0130: 2c 72 65 73 70 6f 6e 73 65 3d 63 63 62 35 62 35 ,response=ccb5b5 0140: 63 38 33 34 39 34 37 66 30 39 38 33 62 31 65 31 c834947f0983b1e1 0150: 34 61 30 31 64 33 65 64 34 61 4a01d3ed4a ldap_write: want=346, written=346 0000: 30 82 01 56 02 01 02 60 82 01 4f 02 01 03 04 18 0..V...`..O..... 0010: 75 69 64 3d 52 45 50 4c 2e 4c 44 41 50 2e 53 41 uid=REPL.LDAP.SA 0020: 46 45 43 4f 2e 43 4f 4d a3 82 01 2e 04 0a 44 49 FECO.COM......DI 0030: 47 45 53 54 2d 4d 44 35 04 82 01 1e 75 73 65 72 GEST-MD5....user 0040: 6e 61 6d 65 3d 22 52 45 50 4c 2e 4c 44 41 50 2e name="REPL.LDAP. 
0050: 53 41 46 45 43 4f 2e 43 4f 4d 22 2c 72 65 61 6c SAFECO.COM",real 0060: 6d 3d 22 6a 61 72 72 65 74 74 22 2c 6e 6f 6e 63 m="jarrett",nonc 0070: 65 3d 22 6a 4b 4b 36 54 2f 39 74 30 2f 41 31 47 e="jKK6T/9t0/A1G 0080: 50 2b 34 36 6f 71 43 34 2b 6f 75 35 5a 4b 5a 54 P+46oqC4+ou5ZKZT 0090: 2f 63 4e 65 4c 67 77 42 45 4b 2b 49 4a 49 3d 22 /cNeLgwBEK+IJI=" 00a0: 2c 63 6e 6f 6e 63 65 3d 22 53 31 72 4c 4c 70 67 ,cnonce="S1rLLpg 00b0: 66 6a 58 50 52 6f 72 57 64 44 33 37 52 44 48 2b fjXPRorWdD37RDH+ 00c0: 71 70 54 78 33 56 33 41 72 47 41 5a 59 39 6f 4a qpTx3V3ArGAZY9oJ 00d0: 69 4e 38 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 iN84=",nc=000000 00e0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf 00f0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch 0100: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige 0110: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6a 61 72 st-uri="ldap/jar 0120: 72 65 74 74 2e 73 61 66 65 63 6f 2e 63 6f 6d 22 rett.safeco.com" 0130: 2c 72 65 73 70 6f 6e 73 65 3d 63 63 62 35 62 35 ,response=ccb5b5 0140: 63 38 33 34 39 34 37 66 30 39 38 33 62 31 65 31 c834947f0983b1e1 0150: 34 61 30 31 64 33 65 64 34 61 4a01d3ed4a ldap_result msgid 2 ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL wait4msg (infinite timeout), msgid 2 wait4msg continue, msgid 2, all 1 ** Connections: * host: jarrett.safeco.com port: 389 (default) refcnt: 2 status: Connected last used: Wed Oct 3 13:52:16 2001 ** Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** Response Queue: Empty ldap_chkResponseList for msgid=2, all=1 ldap_chkResponseList returns NULL do_ldap_select read1msg: msgid 2, all 1 ber_get_next ldap_read: want=1, got=1 0000: 30 0 ldap_read: want=1, got=1 0000: 0c . ldap_read: want=12, got=12 0000: 02 01 02 61 07 0a 01 50 04 00 04 00 ...a...P.... 
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x08082180 ptr=0x08082180 end=0x0808218c len=12
  0000:  02 01 02 61 07 0a 01 50 04 00 04 00               ...a...P....
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x08082180 ptr=0x08082183 end=0x0808218c len=9
  0000:  61 07 0a 01 50 04 00 04 00                        a...P....
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x08082180 ptr=0x08082183 end=0x0808218c len=9
  0000:  61 07 0a 01 50 04 00 04 00                        a...P....
ldap_msgfree
ldap_err2string
Error: LDAP SASL for jarrett.safeco.com:389 failed: Unknown error
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
  0000:  30 05 02 01 03 42 00                              0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                              0....B.
ldap_free_connection: actually freed
fm: exiting
Retrying operation for DN uid=Bill_Friesen, ou=Distributors, dc=safeco,dc=com on replica jarrett.safeco.com:389
end replication thread for jarrett.safeco.com:389
slurpd: terminated.
Summary: This how-to document describes how to install and configure OpenLDAP on Red Hat Linux 7.1. The specific objective is to secure the replication user account via DIGEST-MD5 authentication implemented in the SASL library. This guide does NOT involve use of Kerberos, Cyrus-IMAP, or SSL. Under the model described in this how-to, the user name and password of the replication account will be passed in an encrypted form. Actual replication traffic will be sent in plain text. This is a suitable model for use behind a corporate firewall, where replication traffic will not expose sensitive data. If you need to secure your replication traffic (for example, when authenticating user logins via LDAP), this guide will not help you.
This document has been tested but is by no means complete. If you have comments or questions, email me at kaymcg@safeco.com and I may be able to help. Alternatively, join the OpenLDAP mailing list and post your question there. This how-to would not be possible without the help of several individuals from that mailing list. Thanks to
This how-to assumes that you have a working copy of Red Hat Linux on two servers. The installation and configuration of Red Hat Linux 7.1 is outside the scope of this document. As a side note, I'm successfully running replication between both Red Hat 7.1 and FreeBSD 4.3.
Type su root and press Enter. Type the root password and press Enter.
By default, the Server installation of Red Hat Linux 7.1 installs many of the RPMs required. To determine which RPMs to install, type:
rpm -qa | grep cyrus
rpm -qa | grep db3
rpm -qa | grep openssh
You must have both the binary package and the devel package for each of these commands. Skip those steps for packages that are already installed. You should have to download openssl-devel at a minimum.
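A small check for the "both the binary package and the devel package" requirement, written for this edit and not part of the original how-to. It takes the package list that rpm -qa prints and reports, for each base name given, whether the base package and its -devel package are both present. The package names and versions in SAMPLE_RPMS are a constructed sample, not a listing from a real server; the base names cyrus-sasl, db3 and openssl are the ones the later install steps use.

```shell
#!/bin/sh
# Added example, not part of the how-to: verify that every base package is
# installed together with its -devel package, from `rpm -qa` output.
# Constructed sample of `rpm -qa` output (openssl-devel deliberately absent).
SAMPLE_RPMS='cyrus-sasl-1.5.24-17
cyrus-sasl-devel-1.5.24-17
db3-3.1.1-17
db3-devel-3.1.1-17
openssl-0.9.6-3'

# check_pairs LIST BASE...  -- for every BASE, require both BASE-<version> and
# BASE-devel-<version> in LIST (one package per line). Prints each missing
# package name; returns 0 only when nothing is missing.
check_pairs() {
  list=$1
  shift
  missing=0
  for base in "$@"; do
    for name in "$base" "$base-devel"; do
      # Anchor on "name-<digit>" so "openssl-" does not match "openssl-devel-".
      if ! printf '%s\n' "$list" | grep -q "^$name-[0-9]"; then
        echo "missing: $name"
        missing=1
      fi
    done
  done
  return $missing
}

# check_installed BASE... -- the same check against the live RPM database.
check_installed() {
  check_pairs "$(rpm -qa)" "$@"
}

# Run against the constructed sample: reports "missing: openssl-devel".
check_pairs "$SAMPLE_RPMS" cyrus-sasl db3 openssl \
  || echo "install the packages listed above before building OpenLDAP"
```

On a real server, run check_installed cyrus-sasl db3 openssl after the rpm -ivh steps below; an empty report means the configure step has the headers and libraries it needs.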
If you don't have the Red Hat CDROMs, you'll have to download the files. You should be able to find the most recent version of each file at rpmfind.net. Switch the relevant path statements from /mnt/cdrom to where you downloaded the files, i.e., /home/user/incoming.
Insert the Red Hat Linux 7.1 CDROM 1 in the CD-ROM drive.
Type mount /mnt/cdrom and press Enter.
Type rpm -ivh /mnt/cdrom/RedHat/RPMS/cyrus-sasl-1.5.24-17.rpm and press Enter.
Type umount /mnt/cdrom and press Enter.
Remove the CDROM from the CDROM drive. Insert the Red Hat Linux 7.1 CDROM 2 in the drive.
Type mount /mnt/cdrom and press Enter.
Type rpm -ivh /mnt/cdrom/RedHat/RPMS/cyrus-sasl-devel-1.5.24-17.rpm and press Enter.
Type umount /mnt/cdrom and press Enter.
Insert the Red Hat Linux 7.1 CDROM 1 in the CD-ROM drive.
Type mount /mnt/cdrom and press Enter.
Type rpm -ivh /mnt/cdrom/RedHat/RPMS/db3-3.1.1-17.rpm and press Enter.
Type umount /mnt/cdrom and press Enter.
Remove the CDROM from the CDROM drive. Insert the Red Hat Linux 7.1 CDROM 2 in the drive.
Type mount /mnt/cdrom and press Enter.
Type rpm -ivh /mnt/cdrom/RedHat/RPMS/db3-devel-3.1.1-17.rpm and press Enter.
Type umount /mnt/cdrom and press Enter.
Insert the Red Hat Linux 7.1 CDROM 1 in the CD-ROM drive.
Type mount /mnt/cdrom and press Enter.
Type rpm -ivh /mnt/cdrom/RedHat/RPMS/openssl-2.5.2p2-5.rpm and press Enter.
Type umount /mnt/cdrom and press Enter. The CD-ROM should now be put aside.
Type rpm -ivh /home/user/incoming/openssl-devel-2.5.2p2-5.rpm and press Enter. (Replace /home/user/incoming with the path to the copy of openssl-devel you downloaded.)
Download the stable version of OpenLDAP from OpenLDAP.org. This document describes installation for 2.0.11 and has not been tested on more recent versions. If you install on a new version, please write and let me know if these instructions still apply.
Download the following files: backup.slapd.conf, primary.slapd.conf, sasl.slapd.conf. Save these in a convenient location, i.e., /home/user/incoming/. Replace "user" with your user ID.
Copy the OpenLDAP archive to the /usr/src directory. For example, type cp /home/user/incoming/openldap-stable-20010524.tgz /usr/src and press Enter.
Type cd /usr/src and press Enter.
Type tar -xzf openldap-stable-20010524.tgz and press Enter.
Type cd openldap-2.0.11 and press Enter.
Type env CPPFLAGS="-I/usr/include/sasl" LDFLAGS="-L/usr/lib -L/usr/lib/sasl" ./configure --enable-login --disable-krb4 --disable-gssapi --with-des=/usr/include/openssl --without-kerberos --disable-kpasswd --with-cyrus-sasl-includes=/usr/include/sasl --with-cyrus-sasl-libraries=/usr/lib/sasl/ --enable-spasswd and press Enter.
Type make depend and press Enter.
Type make and press Enter. Depending on the speed of your server, this might be a good time to catch up on your email and get a cup of coffee.
Type make test and press Enter. You should be well through the second cup by now.
Type make install and press Enter.
Type cp /home/user/incoming/sasl.slapd.conf /usr/lib/sasl/slapd.conf and press Enter.
If the server you are configuring is the primary LDAP server:
Type cp /home/user/incoming/primary.slapd.conf /usr/local/etc/openldap/slapd.conf and press Enter.
If the server you are configuring is a backup LDAP server:
1. Type saslpasswd -c REPL.LDAP.DOMAIN.COM and press Enter. When prompted, enter the password for REPL.LDAP.DOMAIN.COM and press Enter. Replace "DOMAIN" with your own domain name.
2. Type sasldblistusers and press Enter. The output should be as follows:
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: DIGEST-MD5
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: PLAIN
user: REPL.LDAP.DOMAIN.COM realm: server.domain.com mech: CRAM-MD5
(where server should be equal to the server name).
3. Type cp /home/user/incoming/backup.slapd.conf /usr/local/etc/openldap/slapd.conf and press Enter.
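The sasldblistusers step above is the one place where the replication account's realm becomes visible, and the how-to requires it to equal the server name. The following check, added here and not part of the original how-to, parses that listing and fails if the replication user has no DIGEST-MD5 entry or if its realm is not the expected server name. SAMPLE_SASLDB is a constructed listing using the placeholder names REPL.LDAP.EXAMPLE.COM and backup.example.com; substitute your own user and server name when running it against a real sasldb.

```shell
#!/bin/sh
# Added example, not part of the how-to: confirm that sasldblistusers shows a
# DIGEST-MD5 entry for the replication user in the expected realm.
# Constructed sample of sasldblistusers output (placeholder names).
SAMPLE_SASLDB='user: REPL.LDAP.EXAMPLE.COM realm: backup.example.com mech: DIGEST-MD5
user: REPL.LDAP.EXAMPLE.COM realm: backup.example.com mech: PLAIN
user: REPL.LDAP.EXAMPLE.COM realm: backup.example.com mech: CRAM-MD5'

# sasl_realm_for LISTING USER MECH -- print the realm recorded for USER under
# MECH; prints nothing when there is no such entry.
# Each listing line has the shape: user: <u> realm: <r> mech: <m>
sasl_realm_for() {
  printf '%s\n' "$1" | awk -v u="$2" -v m="$3" '$2 == u && $6 == m { print $4 }'
}

# check_repl_user LISTING USER EXPECTED_REALM -- succeed only if USER has a
# DIGEST-MD5 entry and its realm equals EXPECTED_REALM.
check_repl_user() {
  realm=$(sasl_realm_for "$1" "$2" DIGEST-MD5)
  if [ -z "$realm" ]; then
    echo "no DIGEST-MD5 entry for $2; run saslpasswd -c $2 on this server"
    return 1
  fi
  if [ "$realm" != "$3" ]; then
    echo "realm mismatch for $2: sasldb has '$realm', expected '$3'"
    return 1
  fi
  echo "ok: $2 has a DIGEST-MD5 entry in realm $realm"
}

# Against a live backup server (replace the user and server name):
#   check_repl_user "$(sasldblistusers)" REPL.LDAP.DOMAIN.COM server.domain.com
check_repl_user "$SAMPLE_SASLDB" REPL.LDAP.EXAMPLE.COM backup.example.com
```

A realm mismatch is worth catching here rather than at slurpd time: DIGEST-MD5 hashes the realm into the response, so an entry stored under a different realm than the one the server advertises cannot authenticate even with the right password.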
Using the text editor of your choice, edit /usr/local/etc/openldap/slapd.conf. The file is commented and has instructions on how to complete each of the relevant lines. This mostly consists of replacing domain with your domain name. This particular configuration file uses a flat namespace and is tuned to suit the needs of Microsoft Outlook and Netscape Communicator 4.x. Your mileage may vary.
Add some data to your database using either slapadd or ldapadd. Make certain to add the data to both the primary and the backup server.
If slapd is not started already on the primary server, type /usr/local/libexec/slapd and press Enter.
If slapd is not started already on the backup server, type /usr/local/libexec/slapd and press Enter.
Using ldapmodify, gq, or some other tool modify one of the records on the primary ldap server.
Start slurpd by typing /usr/local/libexec/slurpd -d 255. slurpd will parse the configuration file.
Output will appear like this:
new work in /usr/local/etc/openldap/replog/replog.log
copy replog "/usr/local/etc/openldap/replog/replog.log" to "/usr/local/var/openldap-slurp/replica/slurpd.replog"
Initializing session to backup.domain.com:389
ldap_create
bind to backup.com as REPL.LDAP.DOMAIN.COM via DIGEST-MD5 (SASL)
ldap_interactive_sasl_bind_s: user selected: DIGEST-MD5
ldap_int_sasl_bind: DIGEST-MD5
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 8
ldap_prepare_socket: 8
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 8 tm: -1 async: 0
ldap_ndelay_on: 8
ldap_is_sock_ready: 8
ldap_ndelay_off: 8
ldap_int_sasl_open: backup.domain.com
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
Eventually, ldap_msgfree will appear on screen. Scroll back through the output and you'll see that the change was applied to your backup server. Press CTRL-C to quit slurpd.
Congratulations! slurpd is now working correctly. To start slurpd again (and without debugging options), type /usr/local/libexec/slurpd and press Enter.
Don't worry. This guide uses a large number of commands that are case-sensitive and must be typed exactly as shown. A typo will sabotage these instructions quite quickly. The first thing to do is to clean up.
Type cd /usr/src/openldap-2.0.11 and press Enter.
Type make veryclean and press Enter.
Start at the beginning of this How To document again.
The OpenLDAP software mailing list has a large number of knowledgeable readers who may be able to help. First, check the archives. If your question is not answered there, post a question and wait for a response.