Re: slurpd authentication
On Wed, 2003-07-16 at 00:18, Dave Horsfall wrote:
> On Wed, 15 Jul 2003, Jonathan Stoneman wrote:
>
> > is all working fine except for one thing... the slave is accepting
> > updates from the rootdn because it matches the updatedn.
>
> Which is a good reason to keep them separate.
>
> > I have added a new user (using directory_administrator) and have
> > configured the slave to use their details for the updatedn and give them
> > write access to everything, but when slurpd connects with these details,
> > it gets an invalid credentials error.
>
> What version of OpenLDAP?
2.0.27
> What does the slave config look like?
I don't suppose you want the full config, but just in case...
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/local.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
suffix "dc=ftech,dc=net"
rootdn "cn=Manager,dc=ftech,dc=net"
rootpw {SSHA}GvlHVI/ngpm2y0LUo4X/x2KPTSDFlRM6
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=Manager,dc=ftech,dc=net" write
    by dn="cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net" write
    by * none
access to *
    by self read
    by dn="cn=Manager,dc=ftech,dc=net" read
    by dn="cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net" write
    by * read
updatedn "cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net"
updateref ldap://ldapmaster.tynant.ftech.net
> > Boxes using the LDAP directory for authentication are accepting logins
> > for the new user, so I guess it's a problem with the way I have
> > configured slurpd:
> >
> > replica host=ldapslave:389
> > binddn="cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net"
> > bindmethod=simple credentials=secret
>
> What does debugging show? I use "-d-1" but that dumps *everything*.
Again, I don't suppose you want all this, but rather than risk cutting
something out that I don't realise is important, here is everything that
gets dumped when an update is made to the master.
new work in /var/lib/ldap/master-slapd.replog
copy replog "/var/lib/ldap/master-slapd.replog" to "/var/lib/ldap/replica/slurpd.replog"
Initializing session to ldapslave:389
ldap_create
bind to ldapslave:389 as cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net (simple)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: ldapslave
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 195.200.23.5:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: host=ldapslave.tynant.ftech.net
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 61 bytes to sd 6
0000: 30 3b 02 01 01 60 36 02 01 03 04 2a 63 6e 3d 52 0;...`6....*cn=R
0010: 65 70 6c 69 63 61 74 6f 72 2c 6f 75 3d 4c 44 41 eplicator,ou=LDA
0020: 50 41 64 6d 69 6e 2c 64 63 3d 66 74 65 63 68 2c PAdmin,dc=ftech,
0030: 64 63 3d 6e 65 74 80 05 67 31 7a 6d 30 dc=net..secret
ldap_write: want=61, written=61
0000: 30 3b 02 01 01 60 36 02 01 03 04 2a 63 6e 3d 52 0;...`6....*cn=R
0010: 65 70 6c 69 63 61 74 6f 72 2c 6f 75 3d 4c 44 41 eplicator,ou=LDA
0020: 50 41 64 6d 69 6e 2c 64 63 3d 66 74 65 63 68 2c PAdmin,dc=ftech,
0030: 64 63 3d 6e 65 74 80 05 67 31 7a 6d 30 dc=net..secret
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: ldapslave port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Jul 16 09:50:26 2003
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 0c .
ldap_read: want=12, got=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0806e9d0 ptr=0x0806e9d0 end=0x0806e9dc len=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806e9d0 ptr=0x0806e9d3 end=0x0806e9dc len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806e9d0 ptr=0x0806e9d3 end=0x0806e9dc len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x0806e9d0 ptr=0x0806e9dc end=0x0806e9dc len=0
ldap_msgfree
ldap_err2string
Error: ldap_simple_bind_s for ldapslave:389 failed: Invalid credentials
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 02 42 00 0....B.
ldap_free_connection: actually freed
Thanks for your help on this...
Jon.
--
Jonathan Stoneman - Programmer - Frontier Internet Services Limited
Tel: 02920 820000 Fax: 02920 820038 http://www.frontier.net.uk
All statements made are subject to Frontier's Terms and Conditions
of Business which are available upon request.
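The "-d -1" dump above is easier to act on once the hex is decoded: the slave's reply "30 0c 02 01 01 61 07 0a 01 31 04 00 04 00" is an LDAPMessage with messageID 1 carrying a BindResponse whose resultCode is 0x31 = 49, the LDAP code for invalidCredentials, and the final "30 05 02 01 02 42 00" is the UnbindRequest slurpd sends before giving up. The following is an added example written for this archive page, not code from the thread or from OpenLDAP. It implements a minimal BER reader for the three message types that appear in the dump, plus a simple-bind encoder so the request side can be shown with a placeholder credential ("secret", the same placeholder the poster used in the ASCII column) rather than any real password. The hex strings are copied from the dump; the result-code table is the subset of RFC 4511 codes relevant to a bind. Note that the decoder reports only the length of the credential it finds, never the credential itself, and that a simple bind sends the password in clear on the wire, which is exactly why it shows up in a packet-level dump like this one.

```python
"""Decode the LDAP bind exchange seen in a slurpd -d -1 dump (added example)."""

# Hex copied from the debug dump quoted in the thread.
BIND_RESPONSE_HEX = "30 0c 02 01 01 61 07 0a 01 31 04 00 04 00"
UNBIND_REQUEST_HEX = "30 05 02 01 02 42 00"

# Subset of RFC 4511 resultCode values a bind can return.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def read_tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value, next_pos).

    Short and long-form lengths are handled, which is all LDAP PDUs need.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def read_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_ldap_message(raw):
    """Return a dict describing a BindRequest, BindResponse or UnbindRequest."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    t, msgid, pos = read_tlv(body, 0)
    if t != 0x02:
        raise ValueError("messageID must be an INTEGER")
    msg = {"messageID": read_int(msgid)}
    op_tag, op_body, _ = read_tlv(body, pos)
    if op_tag == 0x60:  # [APPLICATION 0] BindRequest
        _, ver, p = read_tlv(op_body, 0)
        _, name, p = read_tlv(op_body, p)
        auth_tag, cred, _ = read_tlv(op_body, p)  # [0] simple = context tag 0x80
        msg.update({
            "op": "BindRequest",
            "version": read_int(ver),
            "name": name.decode(),
            "auth": "simple" if auth_tag == 0x80 else "sasl/other(%#x)" % auth_tag,
            "credential_length": len(cred),  # deliberately not the credential
        })
    elif op_tag == 0x61:  # [APPLICATION 1] BindResponse
        _, rc, p = read_tlv(op_body, 0)       # ENUMERATED resultCode
        _, matched, p = read_tlv(op_body, p)  # matchedDN
        _, diag, _ = read_tlv(op_body, p)     # diagnosticMessage
        code = read_int(rc)
        msg.update({
            "op": "BindResponse",
            "resultCode": code,
            "result": RESULT_CODES.get(code, "other"),
            "matchedDN": matched.decode(),
            "diagnosticMessage": diag.decode(),
        })
    elif op_tag == 0x42:  # [APPLICATION 2] UnbindRequest, NULL body
        msg["op"] = "UnbindRequest"
    else:
        msg["op"] = "application-%d" % (op_tag & 0x1F)
    return msg


def decode_hex(dump):
    """Decode a space-separated hex string as printed by ber_dump."""
    return decode_ldap_message(bytes.fromhex(dump.replace(" ", "")))


def ber_tlv(tag, value):
    """Short-form TLV encoder; enough for a bind request under 128 bytes."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def encode_simple_bind(msgid, dn, password, version=3):
    """Build the LDAPMessage slurpd sends for bindmethod=simple."""
    body = (ber_tlv(0x02, bytes([version]))
            + ber_tlv(0x04, dn.encode())
            + ber_tlv(0x80, password.encode()))  # clear-text on the wire
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msgid])) + ber_tlv(0x60, body))


if __name__ == "__main__":
    print(decode_hex(BIND_RESPONSE_HEX))
    print(decode_hex(UNBIND_REQUEST_HEX))
    req = encode_simple_bind(1, "cn=Replicator,ou=LDAPAdmin,dc=ftech,dc=net", "secret")
    print(req.hex(" "), decode_ldap_message(req))
```

Run it and the response decodes to resultCode 49 / invalidCredentials with empty matchedDN and diagnosticMessage, which is what ldap_err2string turned into the "Invalid credentials" line; a 50 (insufficientAccessRights) or 48 would have pointed at the ACLs instead of the password. The constructed request begins "30 3c 02 01 01 60 37 02 01 03 04 2a" followed by the DN, matching the structure of the request in the dump except for the credential length.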