Re: slapd/slurpd replication log not written to


--On Wednesday, August 09, 2006 11:47 AM +0100 Juliet Kemp <j.kemp@imperial.ac.uk> wrote:

Howard Chu wrote:
Juliet Kemp wrote:

I'm attempting to set up a slave LDAP server.

I have replogfile & replica config set in the master server, but when
I restart it & try a test entry, the replication log contains no
data.  It does, however, show a change in the 'last modified' date.

Note that the replog should usually be empty since slurpd truncates it as soon as it reads it.

Ah, right, thanks for that.

I've now been able to get it running with simple auth (by setting rootdn
& rootpw on the slave server), but I'd prefer to have it using GSSAPI
like the rest of my setup.

The .rej file just has "ERROR: Referral"

The slave logfile (with loglevel 1) is shown below (for an attempted
add).  I'm slightly confused in that it seems to switch halfway through
from using slurpd_adm (my replication admin) to ldapadm (the 'general'
admin).

Master replication config:

replica uri=ldaps://elysium.ph.ic.ac.uk:636
         tls=yes
         bindmethod=sasl
         binddn="uid=slurpd_adm,ou=people,dc=ph,dc=ic,dc=ac,dc=uk"
         saslmech=GSSAPI

SASL/GSSAPI doesn't have a bind dn. The DN is determined either by an authz-regexp mapping the SASL identity to an entry in the directory, or by the SASL identity itself, if there isn't one. However, IIRC, you still have to specify the binddn parameter in the replica statement; it is essentially pointless.


For GSSAPI replication to work correctly, you'll need to give slurpd access to a ticket in its environment (KRB5CCNAME generally). I would suggest a utility like kstart for keeping the ticket refreshed, see:

<http://www.eyrie.org/~eagle/software/kstart/>

You may also want to look at:

<http://www.stanford.edu/services/directory/openldap/configuration/slapd-conf-replica.html>

for an example of authz-regexp statements (which used to be called authz-regexp).

Here's my old example replicator entry (from before I switched to using delta-syncrepl):

dn: cn=Replicator,cn=service,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: krb5Principal
cn: Replicator
krb5PrincipalName: service/ldap@stanford.edu

Here's the related authz-regexp mapping:

authz-regexp uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=service/$1@stanford.edu


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
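The mapping Quanah describes, worked through as an added example (this is not code from the thread or from OpenLDAP): a small Python model of how slapd turns a GSSAPI principal into its SASL authorization identity, runs that through authz-regexp, follows the resulting LDAP URL into the directory, and accepts the result only when exactly one entry matches. The regexp and the Replicator entry are the ones from the message; the Backup-A/Backup-B entries (two entries sharing one principal), the jkemp principal, the sample directory itself and the RFC 4515 escaping of the substituted group are constructed for this example to show the failure modes.

```python
import re

# Constructed sample directory, keyed by DN.  The Replicator entry is the one
# from the message; Backup-A/Backup-B (sharing one principal, a misconfiguration)
# and jkemp are invented here to exercise the failure modes.
DIRECTORY = {
    "cn=Replicator,cn=Service,cn=Applications,dc=stanford,dc=edu": {
        "objectClass": ["applicationProcess", "krb5Principal"],
        "cn": ["Replicator"],
        "krb5PrincipalName": ["service/ldap@stanford.edu"],
    },
    "cn=Backup-A,cn=Service,cn=Applications,dc=stanford,dc=edu": {
        "objectClass": ["applicationProcess", "krb5Principal"],
        "cn": ["Backup-A"],
        "krb5PrincipalName": ["service/backup@stanford.edu"],
    },
    "cn=Backup-B,cn=Service,cn=Applications,dc=stanford,dc=edu": {
        "objectClass": ["applicationProcess", "krb5Principal"],
        "cn": ["Backup-B"],
        "krb5PrincipalName": ["service/backup@stanford.edu"],
    },
    "uid=jkemp,ou=People,dc=stanford,dc=edu": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["jkemp"],
    },
}

# The authz-regexp from the message as (pattern, replacement).  slapd tries
# rules in order and uses the first pattern that matches.
AUTHZ_REGEXP = [
    (r"uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth",
     "ldap:///cn=Service,cn=Applications,dc=stanford,dc=edu"
     "??sub?krb5PrincipalName=service/$1@stanford.edu"),
]


def gssapi_authz_id(principal):
    """user@REALM -> uid=user,cn=REALM,cn=gssapi,cn=auth, the identity slapd
    forms for a GSSAPI bind; no bind DN is involved."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def filter_escape(value):
    """RFC 4515 escaping of text substituted into a filter, so a crafted
    principal cannot turn the lookup into a wildcard search (hardening added
    in this example, not something the regexp on the page does)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def apply_authz_regexp(authz_id, rules=AUTHZ_REGEXP):
    """Replacement of the first matching rule with $N groups filled in, else
    None.  Patterns are matched case-insensitively, as slapd compiles them."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, authz_id, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: filter_escape(m.group(int(g.group(1)))),
                          template)
    return None


def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter -> (base, scope, filter)."""
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, flt = parts[:4]
    return base, scope or "base", flt


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub


def matches_filter(entry, flt):
    """One equality filter, outer parentheses optional.  Values are compared
    exactly here; a real server applies the attribute's EQUALITY rule."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=(.*?)\)?", flt)
    if not m:
        raise ValueError("only a simple equality filter is modelled")
    attr, wanted = m.group(1).lower(), filter_unescape(m.group(2))
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return wanted in values


def sasl_to_dn(principal, directory=DIRECTORY, rules=AUTHZ_REGEXP):
    """DN slapd will use for access control after a GSSAPI bind, plus a reason.
    The DN is None when the mapping search does not yield exactly one entry,
    which slapd treats as a failed mapping."""
    authz_id = gssapi_authz_id(principal)
    target = apply_authz_regexp(authz_id, rules)
    if target is None:
        # No rule matched: the identity is used as-is.  It names no entry, so
        # ACLs written for a "binddn" entry never apply to it.
        return authz_id, "no authz-regexp matched; identity used as-is"
    if not target.lower().startswith("ldap:///"):
        return target, "rule rewrote the identity directly to a DN"
    base, scope, flt = parse_ldap_url(target)
    hits = [dn for dn, e in directory.items()
            if in_scope(dn, base, scope) and matches_filter(e, flt)]
    if len(hits) == 1:
        return hits[0], "mapped via " + target
    return None, f"{len(hits)} entries matched {target}; exactly one is required"


if __name__ == "__main__":
    for p in ("service/ldap@STANFORD.EDU", "service/backup@STANFORD.EDU",
              "service/*@STANFORD.EDU", "jkemp@STANFORD.EDU"):
        print(p, "->", sasl_to_dn(p))
```

The fall-through case (jkemp) is the situation a replica statement with bindmethod=sasl and no matching authz-regexp ends up in: the identity stays `uid=...,cn=REALM,cn=gssapi,cn=auth`, which is not the entry named by binddn, so access rules granted to that entry do not apply to the replicating session. The duplicate-principal case shows why the search in the mapping URL must be specific enough to return one entry.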