
FW: Authentication issue with syncrepl consumer



I noticed my email hasn’t been posted to the list yet.  This issue seems to have been fixed by doing a slapd_db_recover on the provider, taking a slapcat of that and starting from scratch with that on the consumer.

Thanks,
Dan

Daniel Finn
Linux/Storage Administrator
P: 801.553.4587
M: 801.683.9147
 

“Improving Oral Health Globally”

------ Forwarded Message
From: Dan Finn <dan.finn@ultradent.com>
Date: Wed, 30 Mar 2011 15:49:15 -0600
To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Authentication issue with syncrepl consumer

I’ve got a strange issue going on which I believe just started happening but it’s hard to say for sure.  I’ve got a small environment with a syncrepl provider and a syncrepl consumer which is placed in our DMZ.  The provider is used for authentication for all of our internal Linux servers and the consumer is used for authentication for all of our DMZ servers.  The environment is less than 50 servers and maybe about 25 users.  Both of these ldap servers are running OpenLDAP 2.3.43-12 provided by CentOS.  I put this all into place about 2 months ago and everything has been working fine up until now.

I’m seeing authentication failures for servers using the consumer but it’s not for all users, for example my personal user is able to authenticate fine which is what makes it hard to say when this started happening.  For the most part I’m the only one logging into these servers on a regular basis.  One of our web developers today let me know that he was unable to log into any servers that authenticate against the consumer but that he could log into all of the rest of our servers.  I changed his password, noticed that syncrepl saw the change on the consumer and I still wasn’t able to log in as that user.  I then created a new user, saw that syncrepl saw that on the consumer, and also was not able to log in as that user.  Both of these users can still log into any server authenticating against the provider.

On the consumer, I shut down ldap, deleted everything from under /var/lib/ldap and started from scratch using slapadd to import an LDIF that was dumped from the provider.  This still didn’t fix the authentication issues.

I’m not exactly sure what the relevant info is from the log so I captured a complete log that includes a failed authentication attempt with the loglevel set at 1.  It can be seen here:

http://pastebin.com/KY9m0CN4

The only thing I see in there that jumps out at me is:
“<= bdb_index_read: failed (-30989)”

It looks like I’m seeing that for every authentication failure.  I found a couple old mailing posts regarding that error saying that it could either be BDB corruption or that it could just mean it’s searching for something that doesn’t exist.  I was assuming that if it was BDB, that starting from scratch with the slapadd would fix it but it did not.

I also did a diff against the dumps from both the provider and the consumer and when comparing the entries for a user who is failing authentication on the consumer, the only difference was the entryCSN and the modifyTimestamp.

Any help would be really appreciated.

Thanks,
Dan

Daniel Finn
Linux/Storage Administrator
P: 801.553.4587
M: 801.683.9147
 

“Improving Oral Health Globally”


------ End of Forwarded Message
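
The provider/consumer dump comparison described in the forwarded message, as an added example that is not part of the original post: it parses two slapcat-style LDIF dumps and reports, per entry, every attribute that differs other than entryCSN and modifyTimestamp. The function names and the sample entries are constructed for illustration, and DN matching is simplified to a case-insensitive string comparison.

```python
import base64
from collections import defaultdict

# Operational attributes expected to differ between provider and consumer.
IGNORED = {"entrycsn", "modifytimestamp"}

def parse_ldif(text):
    """Return {dn: {attr: sorted list of byte values}} from LDIF text."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for block in text.split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip().encode()
            attrs[name.lower()].append(value)
        if "dn" in attrs:
            dn = attrs.pop("dn")[0].decode().lower()  # simplification: case-fold the DN
            entries[dn] = {k: sorted(v) for k, v in attrs.items()}
    return entries

def diff_dumps(provider_text, consumer_text, ignored=IGNORED):
    """Return {dn: [differing attribute names]} for entries that do not match."""
    prov, cons = parse_ldif(provider_text), parse_ldif(consumer_text)
    report = {}
    for dn in sorted(set(prov) | set(cons)):
        if dn not in prov or dn not in cons:
            report[dn] = ["<entry missing>"]
            continue
        names = (set(prov[dn]) | set(cons[dn])) - ignored
        changed = sorted(a for a in names if prov[dn].get(a) != cons[dn].get(a))
        if changed:
            report[dn] = changed
    return report

# Constructed sample dumps (not taken from the original post).
PROVIDER = """dn: uid=webdev,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
entryCSN: 20110330214915Z#000000#00#000000
modifyTimestamp: 20110330214915Z
"""
CONSUMER = (PROVIDER.replace("userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=", "userPassword: {SSHA}stale")
            .replace("214915Z", "215001Z"))
print(diff_dumps(PROVIDER, CONSUMER))
```

An empty report means the stored entries match apart from the ignored attributes, which points the investigation away from replicated data and toward the consumer's database or indexes.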
