[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Sync Replication issues with bindmethod=simple
Michael Cassaniti wrote:
> Hi,
> I have followed the OpenLDAP v2.3 Software Administrators Guide to
> using Sync Replication. I have the following snippets for my LDAP
> servers.
>
> [provider]
> overlay syncprov
> syncprov-checkpoint 10 60
> syncprov-sessionlog 100
>
> [consumer]
> syncrepl rid=101
> provider=ldap://192.168.0.4
> type=refreshOnly
> interval=00:00:30:00
> retry="05 +"
> searchbase="dc=home,dc=net"
> bindmethod=simple
> binddn="uid=ldap,ou=Users,dc=home,dc=net"
> credentials=secret
>
> I have checked that I can authenticate using simple authentication as
> user ldap (via ldapwhoami) against the sync provider server. This was
> successful. I also know that the credentials information, which is in
> SSHA form is correct.
>
> The problem is that there is a bind issue. In particular it returns
> the following error in the log on the consumer: do_syncrep1:
> ldap_sasl_bind_s failed (49)
>
> On the provider, there is not much information to determine the error.
> I extracted the following:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on 1 descriptor
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on:
> Feb 24 22:13:14 Home-Server4 slapd[3749]:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: listen=7, new
> connection on 12
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: added 12r (active)
> listener=(nil)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on 1 descriptor
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: 12r
> Feb 24 22:13:14 Home-Server4 slapd[3749]:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: read active on 12
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => access_allowed: auth
> access to "uid=ldap,ou=Users,dc=home,dc=net" "userPassword" requested
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => acl_get: [1] attr userPassword
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => slap_access_allowed: no
> res from state (userPassword)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => acl_mask: access to entry
> "uid=ldap,ou=Users,dc=home,dc=net", attr "userPassword" requested
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => acl_mask: to value by "", (=0)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= check a_dn_pat: self
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= check a_dn_pat:
> cn=root,dc=home,dc=net
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= check a_dn_pat:
> uid=ldap,ou=users,dc=home,dc=net
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= check a_dn_pat: anonymous
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= acl_mask: [4] applying
> auth(=xd) (stop)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: <= acl_mask: [4] mask: auth(=xd)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => slap_access_allowed: auth
> access granted by auth(=xd)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: => access_allowed: auth
> access granted by auth(=xd)
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on 1 descriptor
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: 12r
> Feb 24 22:13:14 Home-Server4 slapd[3749]:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: read active on 12
> Feb 24 22:13:14 Home-Server4 slapd[3749]: connection_read(12): input
> error=-2 id=0, closing.
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on 1 descriptor
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: activity on:
> Feb 24 22:13:14 Home-Server4 slapd[3749]:
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:13:14 Home-Server4 slapd[3749]: daemon: removing 12
>
> I don't think, though I could be wrong, that this has anything to do
> with poor ACLs being set. I also tried the bind using the rootdn, but
> this also failed. The output log from the provider gave the
> folllowing:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on 1 descriptor
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on:
> Feb 24 22:16:03 Home-Server4 slapd[4083]:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: listen=7, new
> connection on 12
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: added 12r (active)
> listener=(nil)
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on 1 descriptor
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: 12r
> Feb 24 22:16:03 Home-Server4 slapd[4083]:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: read active on 12
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on 1 descriptor
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: 12r
> Feb 24 22:16:03 Home-Server4 slapd[4083]:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: read active on 12
> Feb 24 22:16:03 Home-Server4 slapd[4083]: connection_read(12): input
> error=-2 id=0, closing.
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on 1 descriptor
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: activity on:
> Feb 24 22:16:03 Home-Server4 slapd[4083]:
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: epoll: listen=7
> active_threads=1 tvp=zero
> Feb 24 22:16:03 Home-Server4 slapd[4083]: daemon: removing 12
>
> As you can see, none of this is very forthcoming for information. Log
> level is set to 28904, so there should be a high amount of logging
> done to show any/all errors. Modifying the ACLs on the provider to:
> access to * by * write still returned this error.
you're logging at: conns + filter + config + acl + sync + some undefined
level (slapd.conf(5): loglevel; if you read the manual, you would have
found that log level can now be specified in frinedly form, instead of
numbers); since you already worked out (by setting "access to * by *
write") that's not an ACL issue, the rest of the logging you selected,
apart from sync, which would come into play later, after authentication
succeeds, makes little sense with respect to the issue you're trying to
address. I'd rather log at: stats + args + trace + sync, increasing the
log level in this order, to work out what's going on (note that stats
should be pointless, but it's good to get an overview of what the server
is doing in relation to external stimuli)
> What suprises me is that this is an SASL error, when SASL is not used
> for a simple bind. Like I have already stated, this is a configuration
> straight from the OpenLDAP Guide, so what have I done wrong.
How did you get to that conclusion? ldap_sasl_bind_s() is a catchall
for any type of bind (see ldap_sasl_bind_s(3)), and 49 indicates
"invalid credentials", which is the only error you'll get from the
server in case the bind failed. It could be anything: wrong DN, wrong
password, no auth access to password, ...
It is apparent, from the logs you show, that password fetching goes just
fine at the producer, but fails later on for some reason. You should
definitely provide more meaningful logging, instead of making
conjectures on SASL errors...
<http://www.openldap.org/faq/data/cache/231.html>
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------