[Date Prev][Date Next]
Re: Using Replication Slave For Authentication
On 04/20/2010 06:12 AM, Ariel wrote:
I have inherited an openldap server (2.4.9) and have set about to making it a bit more fault tolerant. So I have added a syncrepl slave and everything seems to work fine. It pulls down the whole ldap tree and stays in sync in real time with type=refreshAndPersist. I can use command line tools to very that it has all the information from the original master server using a command like this:
ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W
My problem however is that when I try to authenticate users against the slave server, it does not work. All attempts fail. Also when I use ApacheDS (graphical LDAP browser) to view its contents, it only shows the Root DSE and none of the child objects like cn=config or any of the users or any of that. I can use ApacheDS fine to view and modify everything on the master server though.
The slapd.conf config files between the two are exactly the same (except one is declared as sync master and one as slave), the password hashes are successfully replicated to the slave as I can see with ldapsearch, but I have no idea how to debug why it won't authenticate users. For reference, here is my syncrepl config section (in slapd.conf) on the slave:
and on the master server:
syncprov-checkpoint 100 10
As a failover/backup server seems extremely prudent especially on the ancient hardware we have running these things, I really want to get this to work properly. Perhaps even later doing a round-robin style load balancing between the two or what have you.
I have no idea how to debug this, any help would be greatly appreciated!
If you can show ACL on master and slave it will help to understand why
you cannot auth users against slave. From what you described, it looks
like slave has either access restriction to userPassword and base DN for
users or access fails. I also never noticed any TLS certificates
Information Technology Services
University of Saskatchewan
phone: (306) 966-2762