Setting up syncrepl, replicated LDAP doesn't work
On my working master server openldap-2.3.27-8 under CentOS 5, I added:

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

On the slave server openldap-2.3.27-8.el5_2.4 under CentOS 5.2, I added:

syncrepl rid=123
                provider=ldaps://primary-ldap-server:636
                type=refreshOnly
                interval=01:00:00:00
                searchbase="dc=mydomain,dc=com"
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=syncuser,dc=mydomain,dc=com"
                credentials=mysecret

ldap started on the slave server OK, and /var/lib/ldap has all of the
database files.  On that server, from the command line, I can:

[root@ldap2 ~]# ldapsearch -xLLL -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
dn: uid=joliver,ou=People,dc=mydomain,dc=com
givenName: John
sn: Oliver
cn: John Oliver


But when I point another machine at that slave server, it won't
authenticate:

Jul 23 03:06:28 localhost login(pam_unix)[9475]: check pass; user unknown
Jul 23 03:06:28 localhost login(pam_unix)[9475]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 23 03:06:28 localhost login[9475]: pam_ldap: ldap_search_s No such object
Jul 23 03:06:30 localhost login[9475]: FAILED LOGIN 1 FROM (null) FOR joliver, Authentication failure

[root@localhost ~]# ldapsearch -H ldaps://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

[root@localhost ~]# ldapsearch -H ldap://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database


When using just ldap:// with ldapsearch, I don't know what password it's
asking for.  My LDAP password doesn't work, the LDAP admin password
doesn't work, the local root password doesn't work...

Here's the odd thing.  When I started setting this up, the machine
that's the primary (and working) LDAP server now was running fedora-ds.
I set up OpenLDAP on what is now the slave server, and it worked
perfectly.  I slapcat'ed it, installed OpenLDAP on the primary server,
and slapadded the db.  I never generated any certificates on it at all,
and it works perfectly.  I just regenerated the cert on the slave
server, but no joy.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
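The consumer stanza in the post is one multi-line `syncrepl` directive, and most replication failures of this kind come from a small set of settings in it. The script below is an added example for readers of this thread, not code from the poster or from the OpenLDAP project: it parses such a stanza (slapd.conf continues a directive on indented lines, and values may be double-quoted) into key=value pairs and then reports the things a replica operator should look at before debugging further: required parameters, the `rid` range, the provider URI scheme (a `simple` bind over plain `ldap://` would send the replication password in cleartext), the `interval` format for `refreshOnly`, and the fact that `credentials=` sits in cleartext in slapd.conf, so the file must be readable by the slapd user only. The sample stanza is a constructed copy of the one in the post with the secret replaced by a placeholder.

```python
"""Sanity-check a syncrepl consumer stanza from slapd.conf (added example)."""
import re
import shlex

# Constructed sample: the consumer stanza from the post, secret replaced.
SAMPLE_STANZA = """syncrepl rid=123
                provider=ldaps://primary-ldap-server:636
                type=refreshOnly
                interval=01:00:00:00
                searchbase="dc=mydomain,dc=com"
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=syncuser,dc=mydomain,dc=com"
                credentials=REPLACE_ME
"""

REQUIRED = ("rid", "provider", "searchbase", "type")
INTERVAL_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{2}$")  # dd:hh:mm:ss


def parse_syncrepl(text):
    """Return the parameters of one syncrepl directive as a dict.

    Continuation lines (leading whitespace) are joined into one logical
    line first; shlex then strips the double quotes around searchbase,
    filter and binddn while keeping their contents intact.
    """
    logical = " ".join(line.strip() for line in text.splitlines() if line.strip())
    tokens = shlex.split(logical)
    if not tokens or tokens[0] != "syncrepl":
        raise ValueError("not a syncrepl directive")
    params = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")  # split on the FIRST '=' only
        if not sep:
            raise ValueError(f"malformed parameter: {tok!r}")
        params[key.lower()] = value
    return params


def check_syncrepl(params):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for key in REQUIRED:
        if key not in params:
            findings.append(f"missing required parameter {key}=")
    rid = params.get("rid", "")
    if not (rid.isdigit() and 0 <= int(rid) <= 999):
        findings.append(f"rid must be an integer in 0..999, got {rid!r}")
    provider = params.get("provider", "")
    if not provider.startswith(("ldap://", "ldaps://")):
        findings.append(f"provider URI has an unexpected scheme: {provider!r}")
    elif provider.startswith("ldap://") and params.get("bindmethod", "simple") == "simple":
        findings.append("simple bind over plain ldap:// sends the replication password unencrypted")
    rtype = params.get("type", "").lower()
    if rtype not in ("refreshonly", "refreshandpersist"):
        findings.append(f"type must be refreshOnly or refreshAndPersist, got {params.get('type')!r}")
    if "interval" in params and not INTERVAL_RE.match(params["interval"]):
        findings.append("interval must be in dd:hh:mm:ss form")
    if "credentials" in params:
        # Not a defect in the stanza itself, but the secret is stored in cleartext.
        findings.append("credentials= is stored in cleartext; keep slapd.conf readable only by the slapd user (mode 0600)")
    return findings


if __name__ == "__main__":
    parsed = parse_syncrepl(SAMPLE_STANZA)
    for finding in check_syncrepl(parsed) or ["no findings"]:
        print(finding)
```

Run against the posted stanza the only finding is the cleartext-credentials reminder; change `provider` to `ldap://...` or `interval` to `1d` and the corresponding warnings appear.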