
Re: Using Replication Slave For Authentication



On 04/20/2010 06:12 AM, Ariel wrote:
I have inherited an OpenLDAP server (2.4.9) and have set about making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole LDAP tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to verify that it has all the information from the original master server using a command like this:

ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W

My problem however is that when I try to authenticate users against the slave server, it does not work.  All attempts fail.  Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that.  I can use ApacheDS fine to view and modify everything on the master server though.

The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users.  For reference, here is my syncrepl config section (in slapd.conf) on the slave:

syncrepl rid=123
          provider=ldaps://ldap1.domain.com:636
          type=refreshAndPersist
          searchbase="dc=domain,dc=com"
          filter="(objectClass=*)"
          scope=sub
          schemachecking=off
          bindmethod=simple
          binddn="uid=syncuser,ou=People,dc=domain,dc=com"
          credentials=syncpassword

and on the master server:

moduleload  syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

As a failover/backup server seems extremely prudent, especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you.

I have no idea how to debug this; any help would be greatly appreciated!

-a


Hi

If you can show the ACLs on the master and slave, it will help to understand why you cannot auth users against the slave. From what you described, it looks like the slave either has an access restriction on userPassword and the base DN for users, or access fails. I also never noticed any TLS certificate configuration mentioned.

--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone:    (306) 966-2762
email:    sergiy.stepanenko@usask.ca
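Added example, not part of either message in this thread: a small Python evaluator for the ACL question Sergiy raises. It parses `access to ... by ...` directives from slapd.conf text with slapd's first-match rules and checks the three grants a simple bind against a consumer depends on: the anonymous requester needs `auth` on userPassword (a simple bind is evaluated before the client is identified), bound users need `read` on the tree (otherwise a browser sees nothing past the Root DSE), and on the provider the syncrepl binddn needs `read` on userPassword so the hashes replicate at all. The sample user DN and both ACL fragments are constructed; the syncrepl binddn is the one from Ariel's config. One caveat when reading Ariel's ldapsearch: it binds as cn=admin, which is presumably the rootdn, and the rootdn bypasses ACLs, so that search proves the hashes replicated but says nothing about what an anonymous or ordinary bound user is allowed to see.

```python
"""Simplified slapd ACL evaluator (an added example, not OpenLDAP's own code).
First-match rules as slapd applies them: the first `access to <what>` matching
the target decides; inside it the first `by <who>` matching the requester
decides; a matching directive whose <by> clauses all miss denies; with no ACLs
at all everyone gets read.  The rootdn bypasses ACLs and is never modelled.
Recognised: <what> *, attrs=, dn.exact=, dn.subtree=; <who> *, anonymous, users,
self, dn.exact=.  Anything else raises ValueError instead of guessing."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # cumulative
DN_RE = re.compile(r'dn(?:\.(\w+))?="?([^"\s]+)"?')


def parse_acls(conf_text):
    """Return [(what, [(who, level), ...]), ...] from slapd.conf text."""
    logical = []                          # directives with continuation lines joined
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:  # leading whitespace continues the previous line
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    acls = []
    for directive in (d for d in logical if d.startswith("access to")):
        what, *clauses = re.split(r"\s+by\s+", directive[len("access to"):].strip())
        bys = [(clause.split()[0], next((t for t in clause.split()[1:] if t in LEVELS), "none"))
               for clause in clauses]     # only the named levels are recognised
        acls.append((what, bys))
    return acls


def what_matches(what, target_dn, attr):
    """Does <what> select attribute `attr` (None = the entry itself) of target_dn?"""
    if what == "*":
        return True
    m = re.search(r"attrs=(\S+)", what)
    if m and (attr is None or attr.lower() not in m.group(1).lower().split(",")):
        return False
    m = DN_RE.search(what)
    if not m:
        return True
    style, base, dn = m.group(1) or "exact", m.group(2).lower(), target_dn.lower()
    if style not in ("exact", "base", "subtree", "sub"):
        raise ValueError(f"unsupported dn style in <what>: {style}")
    return dn == base or (style in ("subtree", "sub") and dn.endswith("," + base))


def who_matches(who, requester_dn, target_dn):
    """Does <who> describe the requester (None = anonymous)?"""
    simple = {"*": True, "anonymous": requester_dn is None, "users": requester_dn is not None,
              "self": requester_dn is not None and requester_dn.lower() == target_dn.lower()}
    if who in simple:
        return simple[who]
    m = DN_RE.match(who)
    if m and (m.group(1) or "exact") in ("exact", "base"):
        return requester_dn is not None and requester_dn.lower() == m.group(2).lower()
    raise ValueError(f"unsupported <who>: {who}")


def granted(acls, requester_dn, target_dn, attr=None):
    """Access level the requester gets on target_dn/attr under first-match rules."""
    for what, bys in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"                     # <what> matched but no <by> applied: denied
    return "read" if not acls else "none"


def audit_acls(conf_text, user_dn, sync_dn):
    """The three grants a provider/consumer pair needs for simple binds to work."""
    acls = parse_acls(conf_text)
    def reaches(requester_dn, attr, needed):  # levels are cumulative, so compare ranks
        return LEVELS.index(granted(acls, requester_dn, user_dn, attr)) >= LEVELS.index(needed)
    return {
        # a simple bind runs as the anonymous requester, who needs auth on userPassword
        "anonymous_auth_on_userPassword": reaches(None, "userPassword", "auth"),
        # a bound user must read entries, or a browser shows nothing past the Root DSE
        "users_read_entries": reaches(user_dn, None, "read"),
        # on the provider the syncrepl binddn must read userPassword or hashes never replicate
        "syncrepl_binddn_reads_userPassword": reaches(sync_dn, "userPassword", "read"),
    }


USER_DN = "uid=alice,ou=People,dc=domain,dc=com"      # constructed sample user
SYNC_DN = "uid=syncuser,ou=People,dc=domain,dc=com"   # the syncrepl binddn from the post
# Constructed fragment with a common mistake: only the entry itself reaches userPassword,
# so the anonymous simple bind has no auth right and every bind fails.
BROKEN_ACLS = """
access to attrs=userPassword by self write by * none
access to * by users read by * none
"""
# Constructed fix: anonymous gets auth on userPassword and the syncrepl binddn gets read.
FIXED_ACLS = """
access to attrs=userPassword
        by self write
        by dn.exact="uid=syncuser,ou=People,dc=domain,dc=com" read
        by anonymous auth
        by * none
access to * by users read by * none
"""
```

Feed your own slapd.conf text to audit_acls() with a real user DN and your syncrepl binddn; the broken fragment reports False for the anonymous auth and syncrepl read checks, the fixed one True for all three. Selector styles the evaluator does not model raise instead of guessing, and the TLS side of the reply (the consumer trusting the provider's certificate behind the ldaps:// provider URL) is outside what an ACL check can tell you.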