
RE: slurpd with kerberos working config


Thanks for your how-to write up, I've been working from it for 
weeks and wouldn't have gotten this far without it.  My setup is 
like you specify except I've opened up permissions on the slave side to
   access to * by * write  
to try and eliminate permissions as the problem.

Kinit has been run on the master and slave and klist verifies a current
ticket for the replicator principal.  I tail -f the log on the kdc and see 
the authentication for replicator@MY_REALM so I know the keytab file is 
being used.

The updatedn line on the slave is as you specified:
updatedn        "uid=replicator.\+realm=MY.REALM"
and the replica lines in the master slapd.conf are just like your example.

When I modify a record on the master slurpd reports the following error:
Error: ldap_modify_s failed modifying "No such object":
As the rootdn on the slave I am able to search and update this dn so I know
it's there.

The slapd log on the slave is shown below.  When I change the slapd.confs
to use the simple rootdn for updatedn the replication works fine.  It seems
to be a permissions problem on the slave side but I can't find where.

Any help would be appreciated.  Both master and slave are OpenLDAP version
on Debian Linux.

Keith Lally

ber_scanf fmt ({iat) ber:
ber_scanf fmt ({a) ber:
ber_scanf fmt (o) ber:
ber_scanf fmt (}}) ber:
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
SASL Authorize [conn=0]: "replicator" as "u:replicator"
slap_sasl_bind: username="u:replicator" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=replicator"
send_ldap_sasl: err=0 len=-1
send_ldap_response: msgid=4 tag=97 err=0
ber_flush: 14 bytes to sd 10
<== slap_sasl_bind: rc=0
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next: tag 0x30 len 195 contents:
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({a) ber:
ber_scanf fmt ({i{a[V]}}) ber:
ber_scanf fmt ({i{a[V]}}) ber:
ber_scanf fmt ({i{a[V]}}) ber:
=> get_ctrls
ber_scanf fmt ({a) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: 1 0
conn=0 op=4 MOD dn="uid=test,ou=People,dc=my,dc=realm"
send_ldap_result: conn=0 op=4 p=3
send_ldap_response: msgid=5 tag=103 err=32
ber_flush: 14 bytes to sd 10
conn=0 op=4 RESULT tag=103 err=32 text=
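
Added example, not part of Keith's post and not OpenLDAP project code: a small Python checker that reads slapd debug output of the kind shown above, pulls out the authzdn that the SASL bind resolved to and the result code of each operation on that connection, and compares the authzdn with the updatedn value configured on the slave. It assumes that a slave slapd accepts replication writes only when the bound DN matches updatedn exactly (after DN normalization); the log lines embedded in the block are constructed to mirror the shape of the post's log rather than copied from a real server, and the result-code names are the standard LDAP values.

```python
import re

# Constructed sample lines shaped like the slave's slapd debug log above.
# They are illustrative input for the checker, not captured from a real host.
SAMPLE_LOG = """\
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
<== slap_sasl_bind: authzdn: "uid=replicator"
conn=0 op=4 MOD dn="uid=test,ou=People,dc=my,dc=realm"
conn=0 op=4 RESULT tag=103 err=32 text=
"""

# LDAP result codes that matter when troubleshooting replication binds/updates.
RESULT_CODES = {
    0: "success",
    10: "referral",
    32: "noSuchObject",
    50: "insufficientAccessRights",
}

AUTHZDN_RE = re.compile(r'slap_sasl_bind: authzdn: "([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)")


def normalize_dn(dn):
    """Case-fold and strip whitespace around unescaped RDN separators so
    that 'uid=A, dc=X' compares equal to 'uid=a,dc=x'."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(parts).lower()


def parse_slave_log(text):
    """Return (authzdn or None, [(conn, op, tag, err, err_name), ...])
    extracted from slapd debug output."""
    authzdn = None
    results = []
    for line in text.splitlines():
        m = AUTHZDN_RE.search(line)
        if m:
            authzdn = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, tag, err = (int(x) for x in m.groups())
            results.append((conn, op, tag, err, RESULT_CODES.get(err, "unknown")))
    return authzdn, results


def check_updatedn(log_text, configured_updatedn):
    """Compare the identity the slave actually bound as with the updatedn it
    is configured to accept, and list every operation that did not succeed.
    Assumption: replication writes are accepted only on an exact DN match."""
    authzdn, results = parse_slave_log(log_text)
    matches = (
        authzdn is not None
        and normalize_dn(authzdn) == normalize_dn(configured_updatedn)
    )
    failed = [r for r in results if r[3] != 0]
    return {"authzdn": authzdn, "updatedn_matches": matches, "failed_ops": failed}


if __name__ == "__main__":
    # Hypothetical updatedn value used only to exercise the checker.
    report = check_updatedn(SAMPLE_LOG, 'uid=replicator,cn=MY.REALM,cn=gssapi,cn=auth')
    print("bound as:        ", report["authzdn"])
    print("updatedn matches:", report["updatedn_matches"])
    for conn, op, tag, err, name in report["failed_ops"]:
        print(f"conn={conn} op={op} tag={tag} err={err} ({name})")
```

Run it against the slave's own `slapd -d` output and the updatedn line from its slapd.conf; if `updatedn_matches` is False while a MOD on that connection fails, the bound identity and the configured updatedn are the first things to reconcile before looking at ACLs.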