[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slurpd replication problem.



On Tuesday 28 October 2008 01:58:02 Choi, Justin wrote:
> I am seeing invalid credential error logs a lot.
>
> Could you guys let me know how to solve this issue?

In future, don't send screenshots of text that you could just have easily 
copied from Putty and pasted into your mail instead of sending everyone > 
100kB of screenshots they don't need. (The HTML format is also unnecessary 
...)

It would also help if you could list the version of OpenLDAP that you are 
suing, and the platform you are running on.

Note that in modern (2.3 or later) versions of OpenLDAP, slurpd is deprecated, 
and in the current (2.4) versions, is no longer available. 

>
> Thanks.
>
>
>
>
>
>
>
> Server Log(slurpd -d 2)
>
>
>
>
>
>
>
> Replicated Log (/usr/sbin/slapd -u ldap -d 2 -h ldap:///)
>
>
>
> Slapd.conf
>
> database        bdb
>
> suffix          "dc=ijji,dc=com"
>
> rootdn          "cn=Manager,dc=ijji,dc=com"
>
> rootpw          {SSHA}EpkPadkANDlpX7yfcsa2WbA+bSssh0S4
>
> # Cleartext passwords, especially for the rootdn, should
>
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>
> # Use of strong authentication encouraged.
>
> # rootpw                secret
>
> # rootpw                {crypt}ijFYNcSNctBYg
>
>
>
> # The database directory MUST exist prior to running slapd AND
>
> # should only be accessible by the slapd and slap tools.
>
> # Mode 700 recommended.
>
> directory       /var/lib/ldap/ijji.com
>
>
>
> # Indices to maintain for this database
>
> index objectClass                       eq,pres
>
> index ou,cn,mail,surname,givenname      eq,pres,sub
>
> index uidNumber,gidNumber,loginShell    eq,pres
>
> index uid,memberUid                     eq,pres,sub
>
> index nisMapName,nisMapEntry            eq,pres,sub
>

The following two lines really need to be uncommented for replication to work.

> #updatedn cn=Replication Manager,dc=ijji,dc=com
>
> #updateref ldap://ca1xc115.ijji.com
>
> access to attrs=userPassword
>
>         by self write
>
>                 by anonymous auth
>
>                 by dn.base="cn=Manager,dc=ijji,dc=com" write
>
>                 by * none
>
> access to *
>
>                 by self write
>
>                 by dn.base="cn=Manager,dc=ijji,dc=com" write
>
>                 by * read
>
>

The following rule will not apply, as the target has already been matched, by 
the first rule.

>
> access to attrs=userPassword
>
>                 by self write
>
>                 by anonymous auth
>
>                 by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
>
>                 by * none
>

The following rule will also not apply, for the same reason.

> access to *
>
>                 by self write
>
>                 by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
>
>                 by * read
>



> # Replicas of this database
>
> replogfile /var/lib/ldap/openldap-master-replog
>
> replica host=ca1xc115.ijji.com:389
>
>         binddn="cn=Replication Manager,dc=ijji,dc=com"
>
>         bindmethod=simple credentials=skdltmwkq
>
> loglevel -1
>

Have you tested whether the account works correctly, e.g. using the OpenLDAP 
command line client utilities? E.g.:

$ ldapwhoami -x -h ca1xc115.ijji.com -D "cn=Replication 
Manager,dc=ijji,dc=com" -w skdltmwkq

(or, if you have a really old version that does not have ldapwhoami:

$ ldapsearch -x -h ca1xc115.ijji.com -D "cn=Replication 
Manager,dc=ijji,dc=com" -w skdltmwkq -s base -b '' namingContexts


Regards,
Buchan