
SASL replication - the continuing saga

Hello everyone,

I'm continuing my effort to successfully configure OpenLDAP and SASL.  This
effort has thus far taken 40 hours of my time. I'm doing this in the hopes 
that I will be able to have OpenLDAP replication use SASL authentication.

I had previously not been able to have the supportedSASLMechanisms attribute
report anything.  After some further experimentation with SASL-SECPROPS and
SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf, it now reports PLAIN 
and LOGIN.  I can't get it to recognize DIGEST-MD5, which is what I'm hoping 
to have it use.

As this is progress, I thought I'd try to use either PLAIN or LOGIN for
authentication.  This DOES NOT work. I'm specifically concerned with these 
lines in the slurpd output:

	bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
	ldap_interactive_sasl_bind_s: user selected: PLAIN
	ldap_int_sasl_bind: PLAIN

The "user selected: PLAIN" is either a poorly-written debug message or in 
error. The user I've specified is repl.ldap.company.com.

Any assistance would be greatly appreciated.  I hope to consolidate my efforts
into a FAQ or installation guide. This seems to be the most frequently asked
question on the list.

I'm including full output from the relevant items (ldapsearch, 
sasldblistusers, slurpd, slapd.conf).

--- ldapsearch on server ---
[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

--- ldapsearch on backup ---
[root@backup /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

--- sasldblistusers on backup ---
[root@backup /root]# sasldblistusers
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5

--- slurpd output ---
[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
Config: opening config file "/usr/local/etc/openldap/slapd.conf"
Config: (include                /usr/local/etc/openldap/schema/core.schema)
Config: (include                /usr/local/etc/openldap/schema/cosine.schema)
Config: (include                /usr/local/etc/openldap/schema/inetorgperson.schema)
Config: (include                /usr/local/etc/openldap/schema/local.schema)
Config: (pidfile                /usr/local/var/slapd.pid)
Config: (argsfile       /usr/local/var/slapd.args)
Config: (loglevel 0)
Config: (idletimeout 30)
Config: (sizelimit 100)
Config: (timelimit 120)
Config: (defaultsearchbase "dc=company,dc=com")
Config: (schemacheck on)
Config: (disallows      bind_krbv4)
Config: (sasl-secprops   noanonymous minssf=112)
Config: (security        update_sasl=112 update_ssf=112)
Config: (database       ldbm)
Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
Config: (rootpw         {crypt}papAq5PwY/QQM)
Config: (suffix         "dc=company,dc=com")
Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
Config: (lastmod                off)
Config: (replica host=backup.company.com:389    binddn="uid=repl.ldap.company.com"       bindmethod=sasl saslmech=PLAIN  authcID="repl.ldap.company.com"  authzID="repl.ldap.company.com"  realm=company.com        credentials="password")
Config: ** successfully added replica "backup.company.com:389"
Config: (security        update_ssf=112)
Config: (directory      /usr/local/var/openldap-ldbm)
Config: (mode   0600)
Config: (index  objectClass                             eq,pres)
Config: (index  uid                                     eq)
Config: (index  cn                                      eq,sub)
Config: (index  mail                                    eq,pres,sub)
Config: (index  givenName                               eq,sub)
Config: (index  sn                                      eq,sub)
Config: (index  o                                       eq,sub)
Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company, dc=com" write    by * none)
Config: (access to *    by anonymous read       by dn="cn=LDAPRoot, dc=company, dc=com" write)
Config: (dbnolocking)
Config: (dbnosync)
Config: (cachesize 10000)
Config: (dbcachesize 100000)
Config: ** configuration file successfully read and parsed
Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
begin replication thread for backup.company.com:389
Replica backup.company.com:389, skip repl record for uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
Initializing session to backup.company.com:389
ldap_create
bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
ldap_interactive_sasl_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: backup.company.com
ldap_err2string
Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication method
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_write: want=7, written=7
  0000:  30 05 02 01 01 42 00                               0....B.
ldap_free_connection: actually freed
fm: exiting
Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on replica backup.company.com:389
end replication thread for backup.company.com:389
slurpd: terminated.

--- slapd.conf on server ---
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/local.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
disallows       bind_krbv4

sasl-secprops   noanonymous minssf=112
security        update_sasl=112 update_ssf=112

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
rootdn          "cn=LDAProot,dc=company,dc=com"
rootpw          {crypt}papAq5PwY/QQM
suffix          "dc=company,dc=com"

replogfile      /usr/local/etc/openldap/replog/replog.log
lastmod         off

## REPLICATION OPTIONS
replica host=backup.company.com:389
        binddn="uid=repl.ldap.company.com"
        bindmethod=sasl
        saslmech=PLAIN
        authcID="repl.ldap.company.com"
        authzID="repl.ldap.company.com"
        realm=company.com
        credentials="password"

security        update_ssf=112

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-ldbm
mode    0600

# Indices to maintain
index   objectClass                             eq,pres
index   uid                                     eq

index   cn                                      eq,sub
index   mail                                    eq,pres,sub
index   givenName                               eq,sub
index   sn                                      eq,sub
index   o                                       eq,sub

#ldbm access control definitions
access to attr=userPassword
        by dn="cn=LDAPRoot, dc=company, dc=com" write
        by * none

access to *
        by anonymous read
        by dn="cn=LDAPRoot, dc=company, dc=com" write

dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000

--- slapd.conf on backup ---
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/local.schema

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args

loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
disallows       bind_krbv4

sasl-secprops   noanonymous minssf=112
security        update_sasl=112 update_ssf=112

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
rootdn          "cn=LDAProot,dc=company,dc=com"
rootpw          {crypt}papAq5PwY/QQM
suffix          "dc=company,dc=com"

updatedn        "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
updateref       ldap://ldap.company.com

security        update_ssf=112

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /usr/local/var/openldap-ldbm
mode    0600

# Indices to maintain
index   objectClass                             eq,pres
index   uid                                     eq

index   cn                                      eq,sub
index   mail                                    eq,pres,sub
index   givenName                               eq,sub
index   sn                                      eq,sub
index   o                                       eq,sub

#ldbm access control definitions
access to attr=userPassword
        by dn="cn=LDAPRoot, dc=company, dc=com" write
        by * none

access to *
        by anonymous read
        by dn="cn=LDAPRoot, dc=company, dc=com" write

dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000
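As an added example (not code from the post, and not part of OpenLDAP or Cyrus SASL), the following script cross-checks the three pieces of evidence the post reproduces for a SASL replication bind: the mechanisms the replica advertises in its root DSE, the identity and mechanism slurpd will present (taken from the `replica` directive), and the entries in the replica's sasldb. The sample inputs are constructed from the post's own output. In that sample the realm in the replica directive (company.com) and the realm stored in sasldb (backup.company.com) differ, which the check reports, and it also flags that PLAIN and LOGIN carry the replication password in the clear unless the connection is already protected by TLS. The helper names, the finding codes and the `tls_in_use` flag are the example's own.

```python
"""Consistency check for a SASL replication bind (added example, not code
from the original post or from OpenLDAP). All sample inputs below are
constructed from the values shown in the post."""
import re
from typing import Dict, List, Set, Tuple

# Mechanisms that send the password itself rather than a proof of possession;
# acceptable only on a connection already protected by TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed from the ldapsearch output in the post.
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""

# Constructed from the replica directive in the post's slapd.conf.
SAMPLE_CONF = """\
replica host=backup.company.com:389
        binddn="uid=repl.ldap.company.com"
        bindmethod=sasl
        saslmech=PLAIN
        authcID="repl.ldap.company.com"
        authzID="repl.ldap.company.com"
        realm=company.com
        credentials="password"
"""

# Constructed from the sasldblistusers output in the post.
SAMPLE_SASLDB = """\
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
"""


def parse_sasl_mechs(ldif: str) -> Set[str]:
    """Collect supportedSASLMechanisms values from `ldapsearch -LLL` output."""
    mechs: Set[str] = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedsaslmechanisms":
            mechs.add(value.strip().upper())
    return mechs


def parse_replica_directive(conf: str) -> Dict[str, str]:
    """Return key=value pairs of the first `replica` directive. slapd.conf
    continues a directive on lines that begin with whitespace, so those are
    folded into the preceding logical line first."""
    logical: List[str] = []
    for line in conf.splitlines():
        if line[:1].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.rstrip())
    for entry in logical:
        if entry.startswith("replica "):
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', entry)
            return {k.lower(): v.strip('"') for k, v in pairs}
    return {}


def parse_sasldb_listing(text: str) -> List[Dict[str, str]]:
    """Parse `sasldblistusers` lines of the form: user: U realm: R mech: M."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = re.match(r"user:\s*(\S+)\s+realm:\s*(\S+)\s+mech:\s*(\S+)", line)
        if m:
            entries.append({"user": m.group(1), "realm": m.group(2),
                            "mech": m.group(3).upper()})
    return entries


def check_replica_bind(ldif: str, conf: str, sasldb: str,
                       tls_in_use: bool = False) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the sources agree."""
    findings: List[Tuple[str, str]] = []
    mechs = parse_sasl_mechs(ldif)
    replica = parse_replica_directive(conf)
    entries = parse_sasldb_listing(sasldb)
    mech = replica.get("saslmech", "").upper()
    authcid = replica.get("authcid", "").lower()
    realm = replica.get("realm", "").lower()

    if mech not in mechs:
        findings.append(("mech-not-advertised",
                         f"replica directive requests {mech or '(none)'}; "
                         f"replica server advertises {sorted(mechs)}"))
    if mech in PLAINTEXT_MECHS and not tls_in_use:
        findings.append(("plaintext-mech-without-tls",
                         f"{mech} sends the replication password in the clear; "
                         "use it only over a TLS-protected connection"))
    # Usernames are compared case-insensitively (assumption: the listing shows
    # them upper-cased while slapd.conf uses lower case).
    same_user = [e for e in entries
                 if e["user"].lower() == authcid and e["mech"] == mech]
    if not same_user:
        findings.append(("no-sasldb-entry",
                         f"no sasldb entry for user {authcid!r} with mech {mech}"))
    elif not any(e["realm"].lower() == realm for e in same_user):
        stored = sorted({e["realm"] for e in same_user})
        findings.append(("realm-mismatch",
                         f"replica directive uses realm {realm!r}; "
                         f"sasldb entries use {stored}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_replica_bind(SAMPLE_LDIF, SAMPLE_CONF, SAMPLE_SASLDB):
        print(f"[{code}] {msg}")
```

Run against the sample data it reports two findings: the plaintext mechanism and the realm difference. Re-running with `tls_in_use=True` drops the first; switching the directive to `saslmech=DIGEST-MD5` instead reports that the replica does not advertise that mechanism, which matches what the post's ldapsearch output shows.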