
Syncrepl with SASL External
Hello!

I'm trying to set up replication with syncrepl and saslmech EXTERNAL and it won't succeed.
I have been reading a lot, but I really don't see where the problem is now and don't know how to continue. So I really would appreciate it if somebody could point me to the probable error.
Please let me know if you need more info.

slapd is 2.3.31
master = erde.aag
slave = mond.aag

both compiled with:

./configure \
'--prefix=/usr/local/ldap' \
'--mandir=/usr/local/ldap/man' \
'--libexecdir=/usr/local/ldap/sbin' \
'--sysconfdir=/etc' \
'--with-configdir=/etc/ldap' \
'--with-subdir=ldap' \
'--enable-spasswd' \
'--enable-modules' \
'--enable-hdb' \
'--enable-overlays' \
'--enable-slurpd' \  (- will put this out when syncrepl works)
'--with-cyrus-sasl' \
'--with-tls'

Here are the relevant parts of slapd.conf:
*****************************************************************
master:
...
overlay syncprov
syncprov-checkpoint 100 600
syncprov-sessionlog 100
...
authz-regexp
        "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
        "ldap:///dc=aag??one?(cn=repl)"

limits dn.exact="cn=repl,dc=aag" size=unlimited time=unlimited

access to *
        by dn.exact="cn=repl,dc=aag" read
        by * none break
...
TLSCACertificateFile    /etc/ldap/certs/cacert.pem
TLSCACertificatePath    /etc/ldap/certs
TLSCertificateFile      /etc/ldap/certs/erde.aag_cert.pem
TLSCertificateKeyFile   /etc/ldap/certs/erde.aag_key.pem
TLSVerifyClient         demand

*****************************************************************
slave:

...
overlay syncprov
syncrepl rid=001
        provider=ldap://erde.aag:389
        searchbase="dc=aag"
        type=refreshOnly
        filter="objectClass=*"
        attrs="*,+"
        schemachecking=off
        scope=sub
        interval=00:00:01:00
        updatedn "cn=repl,dc=aag"
        updateref="ldap://erde.aag:389";
        bindmethod=sasl
        saslmech=EXTERNAL

authz-regexp
        "C=CH,ST=Switzerland,L=Dornach,O=Allgemeine Anthroposophische Gesellschaft,OU=Goetheanum,CN=mond.aag,emailAddress=edv@goetheanum.ch"
        "ldap:///dc=aag??one?(cn=repl)"

access to *
        by dn="cn=repl,dc=aag" write
        by * read break

TLSCACertificateFile    /etc/ldap/certs/cacert.pem
TLSCACertificatePath    /etc/ldap/certs
TLSCertificateFile      /etc/ldap/certs/mond.aag_cert.pem
TLSCertificateKeyFile   /etc/ldap/certs/mond.aag_key.pem
TLSVerifyClient         demand
*****************************************************************

syncrepl with bindmethod simple works fine with user repl.


*****************************************************************
A manual connection from the slave as a client, with the same certs I will use for syncrepl, works:

ldapsearch -Y external -ZZ cn=repl -h erde.aag -LLL
SASL/EXTERNAL authentication started
SASL username: emailAddress=edv@goetheanum.ch,CN=mond.aag,OU=Goetheanum,O=Allgemeine Anthroposophische Gesellschaft,L=Dornach,ST=Switzerland,C=CH
SASL SSF: 0
dn: cn=repl,dc=aag
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: repl
description: LDAP replicator

*****************************************************************

When I start the slave for the first replication with SASL EXTERNAL:

snip...
=>do_syncrepl rid 001
ldap_create
ldap_url_parse_ext(ldap://erde.aag:389)
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP erde.aag:389
ldap_new_socket: 13
ldap_prepare_socket: 13
ldap_connect_to_host: Trying 192.168.100.72:389
ldap_connect_timeout: fd: 13 tm: -1 async: 0
ldap_int_sasl_open: host=192.168.100.72
do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (-6)

and on the master:

daemon: activity on 1 descriptor
daemon: activity on:
>>> slap_listener(ldap:///)daemon: listen=8, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=21 fd=12 ACCEPT from IP=192.168.100.73:60625 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=21
connection_read(12): checking for input on id=21
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 01 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x082abc08 ptr=0x082abc08 end=0x082abc0d len=5
  0000:  02 01 01 42 00                                     ...B.
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=21, closing.
connection_closing: readying conn=21 sd=12 for close
connection_close: deferring conn=21 sd=12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
do_unbind
conn=21 op=0 UNBIND
connection_resched: attempting closing conn=21 sd=12
connection_close: conn=21 sd=12
daemon: removing 12
conn=21 fd=12 closed ()

Thank you very much,
Angela
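An added example, not part of Angela's message or of OpenLDAP itself. Two things in the post can be checked mechanically: the seven bytes the master logs for conn=21 (`30 05 02 01 01 42 00`) are one complete LDAPMessage, and the working `ldapsearch` used `-ZZ` (StartTLS) while the posted syncrepl stanza names `ldap://erde.aag:389` with no `starttls=` keyword. The script below decodes the hex dump with a minimal BER reader (tag values from RFC 4511) and parses the slapd.conf stanza, as posted, to flag a SASL EXTERNAL bind that has no TLS session to take its identity from. The hex dump and configuration text are copied from the post; everything else is constructed here.

```python
"""Decode slapd's ber_dump output and sanity-check a syncrepl stanza for
SASL EXTERNAL.  Added example; not code from the original post or from OpenLDAP."""
import re

# LDAP protocol-op tags from RFC 4511 ([APPLICATION n]); UnbindRequest is primitive.
LDAP_OPS = {
    0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
    0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone",
    0x77: "ExtendedRequest", 0x78: "ExtendedResponse",
}

# Copied from the master's debug output in the post (conn=21).
BER_DUMP = "  0000:  30 05 02 01 01 42 00                               0....B."

# Copied from the slave's slapd.conf in the post.
SLAVE_CONF = """\
overlay syncprov
syncrepl rid=001
        provider=ldap://erde.aag:389
        searchbase="dc=aag"
        type=refreshOnly
        filter="objectClass=*"
        attrs="*,+"
        schemachecking=off
        scope=sub
        interval=00:00:01:00
        updatedn "cn=repl,dc=aag"
        updateref="ldap://erde.aag:389";
        bindmethod=sasl
        saslmech=EXTERNAL

access to *
"""

def parse_ber_dump(dump):
    """Turn slapd 'ber_dump' hex lines into bytes, stopping at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}:", parts[0]):
            continue
        for tok in parts[1:]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break          # first non-hex token is the start of the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:          # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ldap_message(buf):
    """Return messageID and protocol-op name of a single LDAPMessage."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    id_tag, id_val, pos = read_tlv(body, 0)
    if id_tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    op_tag, op_val, _ = read_tlv(body, pos)
    return {"messageID": int.from_bytes(id_val, "big", signed=True),
            "op": LDAP_OPS.get(op_tag, "unknown(0x%02x)" % op_tag),
            "op_len": len(op_val)}

def syncrepl_params(conf):
    """Collect the first syncrepl directive plus its indented continuation lines."""
    stanza, inside = [], False
    for ln in conf.splitlines():
        if ln.startswith("syncrepl"):
            if inside:
                break          # a second stanza starts; stop at the first one
            inside = True
        elif inside and not (ln[:1].isspace() and ln.strip()):
            break              # unindented or blank line ends the directive
        if inside:
            stanza.append(ln.strip())
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', " ".join(stanza))
    return {k.lower(): v.strip('"').rstrip(";") for k, v in pairs}

def check_external(params):
    """Findings for saslmech=EXTERNAL.  The mechanism authenticates with an identity
    supplied by a lower layer, so over ldap:// a TLS session (client cert) is required."""
    findings = []
    if params.get("bindmethod", "").lower() != "sasl" \
            or params.get("saslmech", "").upper() != "EXTERNAL":
        return findings
    starttls = params.get("starttls", "no").lower()
    if params.get("provider", "").startswith("ldap://") and starttls not in ("yes", "critical"):
        findings.append("EXTERNAL over ldap:// without starttls=: no TLS identity to bind with")
    if starttls == "yes":
        findings.append("starttls=yes continues in cleartext if StartTLS fails; prefer starttls=critical")
    return findings

if __name__ == "__main__":
    print(decode_ldap_message(parse_ber_dump(BER_DUMP)))
    for finding in check_external(syncrepl_params(SLAVE_CONF)):
        print("finding:", finding)
```

Run as is, the decoder reports `{'messageID': 1, 'op': 'UnbindRequest', 'op_len': 0}`: the only message the replica ever sent on conn=21 is an UnbindRequest, with no BindRequest before it. That is consistent with the client-side `ldap_sasl_interactive_bind_s failed (-6)` (`LDAP_AUTH_UNKNOWN` in libldap's ldap.h): the EXTERNAL mechanism has nothing to offer on a plain TCP connection, so the bind fails locally before anything is written, and slapd only sees the disconnect. The stanza check flags the missing `starttls=`; `starttls=critical` is the setting to prefer, since `starttls=yes` lets the session continue in cleartext if StartTLS fails. Note also the `SASL SSF: 0` in the working ldapsearch: EXTERNAL adds no SASL security layer, so the TLS session is the only protection for the replication traffic.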