
Re: Syncrepl - ldap_bind: Invalid credentials error



--On Tuesday, June 01, 2010 9:51 AM +0100 "Gocher, Mark" <Mark.Gocher.1@city.ac.uk> wrote:



I'm receiving the following error on my consumer, using logging -d
stats + args + trace + sync 2> /var/log/ldap



@(#) $OpenLDAP: slapd 2.4.22 (May 21 2010 12:10:42) $

        @cambridge:/usr/local/openldap-2.4.22/servers/slapd

slapd starting

slap_client_connect: URI=ldap://oxford.unix1.city.ac.uk:389
DN="cn=replicator,dc=city,dc=ac,dc=uk" ldap_sasl_bind_s failed (49)

Error 49 says that an invalid password was provided (or that the DN isn't right).

I have created the uid for replicator and repeated this search with the
'access to attrs=userPassword' line commented out on the provider to
ensure that the userPassword for replicator is clear text 'secret'. I
can also perform this search from the consumer successfully.


Your provider conf file is a mess. It has a mix of global and database specific directives peppered through it. You load modules after using them, etc. I would spend some time cleaning up your provider's configuration (and possibly the replica one too, I didn't look at it closely).

Provider ldap.conf:

database        bdb
suffix          "dc=city,dc=ac,dc=uk"
rootdn          "cn=DSAmgr,dc=city,dc=ac,dc=uk"
rootpw          {CRYPT}aZmvWMwFgg.vk

Crypt is non-portable.  You should use SSHA or similar.

directory       /var/opt/csw/openldap-data
index   default         pres,eq,sub
index   objectClass     eq
index   cn
index   sn
index   uid
access to *
        by dn.base="cn=replicator,dc=city,dc=ac,dc=uk" read
        by * break

access to attrs=userPassword
       by anonymous auth
       by * none

access to *
        by * read

modulepath /usr/local/openldap-2.4.22
moduleload back_bdb.la
moduleload accesslog.la
moduleload syncprov.la
database bdb
suffix cn=accesslog
directory /var/opt/csw/accesslog
rootdn cn=accesslog
index default eq
index objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.exact="cn=replicator,dc=city,dc=ac,dc=uk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
#      database bdb
#      suffix "dc=dc=city,dc=ac,dc=uk"
#      rootdn "cn=DSAmgr,dc=city,dc=ac,dc=uk"
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 99+00:00 00+00:01

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=city,dc=ac,dc=uk" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database monitor

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
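Added example, not part of the thread and not OpenLDAP's own code: it shows the {SSHA} value format that Quanah recommends over {CRYPT} in place of the rootpw above, and gives an offline way to test a stored userPassword/rootpw value against the password the consumer is configured with, which is the first thing to rule out when syncrepl reports ldap_sasl_bind_s failed (49). The format is OpenLDAP's documented one, base64(sha1(password + salt) + salt); the 4-byte salt length and the password 'secret' are taken from the thread, and the function names are my own. The script only covers cleartext and {SSHA} values and deliberately refuses {CRYPT}, because that scheme's output depends on the host's crypt(3).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20   # bytes in a SHA-1 digest
SALT_LEN = 4    # short random salt, as slappasswd uses; any length verifies


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt).
    The salt travels inside the value, so every slapd can verify it the same way,
    independent of the host's crypt(3) implementation."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (salt length may vary)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain digest + salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def userpassword_matches(stored: str, candidate: str) -> bool:
    """Offline check of a userPassword/rootpw value against the password the
    consumer's syncrepl 'credentials' holds (the error-49 question in the thread).
    Handles cleartext (no {scheme} prefix) and {SSHA}; {CRYPT} is refused on
    purpose because its result depends on the host libc."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if stored.startswith("{SSHA}"):
        return ssha_verify(candidate, stored)
    scheme = stored.split("}", 1)[0] + "}"
    raise ValueError(f"unsupported scheme {scheme}; re-hash with slappasswd -h {{SSHA}}")


if __name__ == "__main__":
    value = ssha_hash("secret")   # constructed: the cleartext password from the thread
    print("rootpw", value)
    print("matches 'secret':", userpassword_matches(value, "secret"))
```

The value printed by ssha_hash can be pasted straight into slapd.conf as a rootpw or into an LDIF userPassword attribute; slappasswd -h {SSHA} -s secret produces the same format.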
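Added example, not part of the thread and not an OpenLDAP tool: a small checker that encodes the ordering points Quanah raises about the provider config above (modules loaded after the backend or overlay that needs them, global directives mixed into database sections, and a {CRYPT} rootpw) and adds one more that follows from how slapd.conf is read, namely that every directive attaches to the most recent database line, so the second overlay syncprov after the commented-out database bdb lands in the accesslog database. MESSY is a shortened, constructed copy of the posted layout; CLEAN is the same material reordered into the global section / accesslog database / main database shape the reply asks for. The rule set, the directive-to-module table and the placeholder rootpw values are my own assumptions.

```python
# Loadable module each backend / overlay needs (standard OpenLDAP module file names).
BACKEND_MODULE = {"bdb": "back_bdb.la", "hdb": "back_hdb.la", "mdb": "back_mdb.la"}
OVERLAY_MODULE = {"syncprov": "syncprov.la", "accesslog": "accesslog.la"}
# Global directives this checker knows about; slapd.conf(5) puts them before any database.
GLOBAL_DIRECTIVES = {"modulepath", "moduleload", "pidfile", "argsfile", "loglevel"}


def parse_slapd_conf(text: str) -> list[list[str]]:
    """Split slapd.conf text into [directive, arg, ...] records: a line starting with
    whitespace continues the previous record; blank and '#' lines are ignored."""
    records: list[list[str]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and records:
            records[-1].extend(raw.split())
        else:
            records.append(raw.split())
    return records


def check_slapd_conf(text: str) -> list[str]:
    """Return ordering / hygiene findings (constructed rules); empty list means clean."""
    findings: list[str] = []
    loaded, late_globals, overlays = set(), set(), set()
    db_label, db_count = None, 0
    for rec in parse_slapd_conf(text):
        directive, args = rec[0].lower(), rec[1:]
        if directive in GLOBAL_DIRECTIVES and db_label and directive not in late_globals:
            late_globals.add(directive)   # report each misplaced global directive once
            findings.append(f"global directive '{directive}' appears after the first database section")
        if directive == "moduleload" and args:
            loaded.add(args[0].rsplit("/", 1)[-1])
        elif directive == "database" and args:
            db_count += 1
            db_label, overlays = f"database #{db_count} ({args[0]})", set()
            need = BACKEND_MODULE.get(args[0])
            if need and need not in loaded:
                findings.append(f"{db_label}: backend used before 'moduleload {need}'")
        elif directive == "overlay" and args:
            where = db_label or "global section"
            need = OVERLAY_MODULE.get(args[0])
            if need and need not in loaded:
                findings.append(f"{where}: overlay {args[0]} used before 'moduleload {need}'")
            if args[0] in overlays:
                findings.append(f"{where}: overlay {args[0]} configured twice in the same database")
            overlays.add(args[0])
        elif directive == "rootpw" and args and args[0].upper().startswith("{CRYPT}"):
            findings.append(f"{db_label or 'global section'}: rootpw uses {{CRYPT}}, "
                            "which depends on the host libc; prefer {SSHA} from slappasswd")
    return findings


MESSY = """\
database        bdb
suffix          "dc=city,dc=ac,dc=uk"
rootdn          "cn=DSAmgr,dc=city,dc=ac,dc=uk"
rootpw          {CRYPT}xxPLACEHOLDERxx
directory       /var/opt/csw/openldap-data
modulepath      /usr/local/openldap-2.4.22
moduleload      back_bdb.la
moduleload      accesslog.la
moduleload      syncprov.la
database        bdb
suffix          cn=accesslog
directory       /var/opt/csw/accesslog
overlay         syncprov
syncprov-nopresent TRUE
#      database bdb
overlay         syncprov
syncprov-checkpoint 1000 60
overlay         accesslog
logdb           cn=accesslog
"""

CLEAN = """\
modulepath      /usr/local/openldap-2.4.22
moduleload      back_bdb.la
moduleload      accesslog.la
moduleload      syncprov.la

database        bdb
suffix          cn=accesslog
directory       /var/opt/csw/accesslog
rootdn          cn=accesslog
overlay         syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

database        bdb
suffix          "dc=city,dc=ac,dc=uk"
rootdn          "cn=DSAmgr,dc=city,dc=ac,dc=uk"
rootpw          {SSHA}xxPLACEHOLDER-from-slappasswdxx
directory       /var/opt/csw/openldap-data
index           entryCSN,entryUUID eq
overlay         syncprov
syncprov-checkpoint 1000 60
overlay         accesslog
logdb           cn=accesslog
"""

if __name__ == "__main__":
    for name, conf in (("MESSY", MESSY), ("CLEAN", CLEAN)):
        print(name, check_slapd_conf(conf) or ["no findings"])
```

Run it and MESSY produces five findings (the bdb backend before its moduleload, two misplaced global directives, the {CRYPT} rootpw, and the duplicated syncprov overlay inside the accesslog database) while CLEAN produces none; slaptest -f slapd.conf remains the authoritative syntax check once the file is reordered.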