
RE: I can not get Replication via digest-md5



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org]
> Hi list,
> 
> I have two PC-linux RH Enterprise Edition with OpenLDAP 2.1.29, one working as Master and the other working as Slave. The database is Berkeley DB 4.1.25. Cyrus-SASL version is 2.1.15.
> My job is to get replication and it works well with the simple mechanism.
> This is not true when I use the digest-md5 mechanism. The Slave authorizes the request coming from slurpd but gets a strange error related to the updateref instruction. The simple mechanism didn't require the updateref instruction.

Unless you're using the (unsupported) Multimaster code, all slaves should be
configured with an updateref. (There are some cases where you might have to
omit it, but in general it doesn't make sense to omit it.)

The reason your Simple Bind works but your SASL Bind doesn't is because the
SASL Bind is establishing an identity that isn't being recognized.
Specifically, you've set your updatedn to a certain value, which is the DN
provided in the Simple Bind request, so that works. But SASL Binds ignore
Bind DNs; they generate their identities using a completely different
mechanism. You should read the Admin Guide and fix your SASL configuration on
the slave.

The discrepancy is obvious in your attached log file. The SASL Bind results
in binding as "uid=admin,cn=digest-md5,cn=auth" which is different from your
updatedn and so the changes are rejected.

> The modification request was performed (on the Master PC) using ldapmodify, giving an LDIF file as input:
> 
> dn: uid=CO,ou=Operator,o=Organization
> changetype: modify
> replace: description
> description: new-descrition
> 
> Only the Master database was modified.
> 
> The Slapd error message on the Slave is :
> 
> [root@LDAPSlave etc]# /usr/local/libexec/slapd -d 260 -f sldap.conf
> daemon_init: <null>
> daemon: socket() failed errno=97 (Address family not supported by protocol)
> bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (August 21, 2003)
> bdb_db_init: Initializing BDB database
> bdb_db_open: o=Organization
> slapd starting
> conn=0 fd=10 ACCEPT from IP=10.1.28.31:32824 (IP=0.0.0.0:389)
> connection_get(10)
> conn=0 op=0 BIND dn="uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth" method=163
> ==> sasl_bind: dn="uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth" mech=DIGEST-MD5 datalen=265
> connection_get(10)
> conn=0 op=1 BIND dn="uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth" method=163
> ==> sasl_bind: dn="uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth" mech=<continuing> datalen=265
> SASL Canonicalize [conn=0]: authcid="admin"
> slap_sasl_getdn: id=admin [len=5]
> SASL Canonicalize [conn=0]: authcDN="uid=admin,cn=digest-md5,cn=auth"
> SASL Canonicalize [conn=0]: authzid="admin"
> SASL Authorize [conn=0]: authcid="admin" authzid="admin"
> conn=0 op=1 BIND authcid="admin"
> conn=0 op=1 BIND dn="uid=admin,cn=digest-md5,cn=auth" mech=DIGEST-MD5 ssf=128
> connection_get(10)
> do_modify: dn (uid=CO,ou=Operator,o=Organization)
> modifications:
>         replace: description
>                 one value, length 35
>         replace: entryCSN
>                 one value, length 31
>         replace: modifiersName
>                 one value, length 31
>         replace: modifyTimestamp
>                 one value, length 15
> conn=0 op=2 MOD dn="uid=CO,ou=Operator,o=Organization"
> conn=0 op=2 MOD attr=description entryCSN modifiersName modifyTimestamp
> send_ldap_result: err=10 matched="" text=""
> send_ldap_result: referral="ldap://10.1.28.31/uid=CO,ou=Operator,o=Organization";
> send_ldap_response: ref="ldap://10.1.28.31/uid=CO,ou=Operator,o=Organization";
> conn=0 op=2 RESULT tag=103 err=10 text=
> 
> 
> The Master configuration file is :
> 
> include		/usr/local/etc/openldap/schema/core.schema
> include		/usr/local/etc/openldap/schema/cosine.schema
> include		/usr/local/etc/openldap/schema/inetorgperson.schema
> access 	to * by read
> database 	bdb
> suffix 	"o=Organization"
> directory 	/home/giampaolorossi/OpenLDAP/Database
> rootdn 	"uid=root,o=Organization,cn=digest-md5,cn=auth"
> sasl-regexp	uid=(.*),cn=LDAPMaster,cn=digest-md5,cn=auth
> 		uid=$1,ou=Operator,o=Organization
> replogfile	/home/giampaolorossi/OpenLDAP/Replication/slapd.replog
> #
> replica	host=10.1.30.125:389
> 		binddn="uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth"
> 		bindmethod=sasl
> 		saslmech=digest-md5
> 		authcid=admin
> 		credentials=admin_PWD
> #
> index		cn,sn,uid 		pres,eq
> index		objectClass 	eq
> #index		default		none
> #
> access	to *
> 		by selfwrite
> 		by dn.base="cn=admin, ou=Operator, o=Organization" write
> 		by dn.base="cn=admin, ou=Staff, o=Organization" write
> 		by * read
> 
> The Slave configuration file is similar (the access has the grant for the replicator) but has two new instructions:
> updatedn "uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth"
> updateref ldap://10.1.28.31



  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support 

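The identity mismatch described in the reply above, worked through as an added example (not code from the thread or from OpenLDAP): a simplified model of how slapd turns a SASL authcid into an identity DN and runs it through sasl-regexp, then compares the result with the slave's updatedn. The regexp matching semantics (whole-string, case-insensitive) and the alternative updatedn shown as a remedy are assumptions; the rule and updatedn values are the ones quoted in the thread.

```python
import re

# Values quoted in the thread: the slave's sasl-regexp and updatedn.
PAGE_RULES = [(r"uid=(.*),cn=LDAPMaster,cn=digest-md5,cn=auth",
               "uid=$1,ou=Operator,o=Organization")]
PAGE_UPDATEDN = "uid=replicator,ou=Staff,o=Organization,cn=digest-md5,cn=auth"


def sasl_authc_dn(authcid, mech, realm=None):
    """Identity slapd derives from a SASL bind before any sasl-regexp rewrite:
    uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth. The bind DN plays no part."""
    realm_part = f",cn={realm}" if realm else ""
    return f"uid={authcid}{realm_part},cn={mech.lower()},cn=auth"


def apply_sasl_regexp(dn, rules):
    """Simplified model (assumption) of sasl-regexp: the first rule whose pattern
    matches the whole string, case-insensitively, wins; $N in the replacement
    expands to capture group N. If no rule matches, the identity is unchanged."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return dn


def normalize_dn(dn):
    # Enough for comparing these DNs: drop spaces around commas, ignore case.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def bind_identity_matches_updatedn(authcid, mech, rules, updatedn, realm=None):
    """Return (identity slapd would act as, whether it equals updatedn)."""
    identity = apply_sasl_regexp(sasl_authc_dn(authcid, mech, realm), rules)
    return identity, normalize_dn(identity) == normalize_dn(updatedn)


if __name__ == "__main__":
    # The bind seen in the quoted log: authcid=admin, DIGEST-MD5, no realm.
    # The rule needs cn=LDAPMaster, so it never fires and the raw identity stays.
    identity, ok = bind_identity_matches_updatedn("admin", "DIGEST-MD5",
                                                  PAGE_RULES, PAGE_UPDATEDN)
    print(identity, "matches updatedn:", ok)   # uid=admin,cn=digest-md5,cn=auth False
    # Hypothetical remedy: set updatedn to the identity slapd actually derives.
    _, ok = bind_identity_matches_updatedn("admin", "DIGEST-MD5", PAGE_RULES,
                                           "uid=admin,cn=digest-md5,cn=auth")
    print("updatedn set to derived identity:", ok)   # True
```

With a realm of LDAPMaster the quoted rule does fire and maps the bind to `uid=admin,ou=Operator,o=Organization`, which is still not the configured updatedn; the point is that updatedn must equal whatever identity the SASL layer produces.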