[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP syncrepl using SASL - GSSAPI



Hi!

I'm trying to implement a Kerberos server using an OpenLdap backend on a server called ldap1.vm and replicate those on an other called ldap2.vm.

My first server is working fine. Each kerberos principal is stored in his own ldap entry (with the krbPrincipalName attribut).
For exemple :
    user1@EXEMPLE.COM --> uid=user1,ou=people,dc=exemple,dc=com
    ldap/ldap2.vm.exemple.com@EXEMPLE.COM --> cn=ldap2.vm,ou=ldap,dc=exemple,dc=com

I wish to replicate either the cn=config DIT and the dc=exemple,dc=com DIT to my second server.


So in my cn=config DIT on ldap1.vm I have the following configuration :


==========================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=admin,cn=exemple.com,cn=gssapi,cn=auth
                                 cn=admin,dc=exemple,dc=com
olcAuthzRegexp: {1}uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
                                 cn=$1,ou=ldap,dc=exemple,dc=com
olcAuthzRegexp: {2}uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
                                 cn=$1,ou=hosts,dc=exemple,dc=com
olcAuthzRegexp: {3}uid=(.*),cn=exemple.com,cn=gssapi,cn=auth
                                 uid=$1,ou=people,dc=exemple,dc=com
olcSaslRealm: EXEMPLE.COM
olcServerID: 1 ldap://ldap1.vm.exemple.com/
olcServerID: 2 ldap://ldap2.vm.exemple.com/
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=admin,cn=config

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=exemple,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange
                by dn="cn=admin,dc=exemple,dc=com" write
                by dn. read
                by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=exemple,dc=com"
                by dn="cn=adm-srv,ou=krb5,dc=exemple,dc=com" write
                by dn="cn=kdc-srv,ou=krb5,dc=exemple,dc=com" read
                by dn="cn=admin,dc=exemple,dc=com" write
                by dn. read
olcAccess: {2}to attrs=loginShell
                by self write
                by users read
                by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcAccess: {5}to dn="cn=config" by dn. write
olcLastMod: TRUE
olcRootDN: cn=admin,dc=exemple,dc=com
olcRootPW: {SSHA}7JR5Gh0ZUbw9U4cVytBrChBjXuPAdLKh
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbIndex: krbPwdPolicyReference eq

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
==========================================================


And on the ldap2.vm i wanna replicate the cn=config DIT first:


==========================================================
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcSyncrepl: {0}rid=001
                provider="ldap://ldap1.vm.exemple.com/"
                type=refreshAndPersist
                retry="10 30 30 +"
                searchbase="cn=config"
                bindmethod=sasl
                saslmech=gssapi
==========================================================


There is no olcMirrorMode attributes because I wanna add other provider directives later.

Every 10 secondes, i see those logs:


==========================================================
 conn=1001 fd=13 ACCEPT from IP=192.168.x.x:57695 (IP=0.0.0.0:389)
 conn=1001 op=0 BIND dn="" method=163
 conn=1001 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
 conn=1001 op=1 BIND dn="" method=163
 conn=1001 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
 conn=1001 op=2 BIND dn="" method=163
 conn=1001 op=2 BIND authcid="ldap/ldap2.vm.exemple.com@EXEMPLE.COM" authzid="ldap/ldap2.vm.exemple.com@EXEMPLE.COM"
 conn=1001 op=2 BIND dn="cn=ldap2.vm,ou=ldap,dc=exemple,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
 conn=1001 op=2 RESULT tag=97 err=0 text=
 conn=1001 op=3 SRCH base="cn=config" scope=2 deref=0 filter="(objectClass=*)"
 conn=1001 op=3 SRCH attr=* +
 findbase failed! 32
 conn=1001 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
 conn=1001 op=4 UNBIND
 conn=1001 fd=13 closed
==========================================================


We see that the olcAuthzRegexp do is job, indeed, the authcid="ldap/ldap2.vm.exemple.com@EXEMPLE.COM" from the ticket (I use Kstart to obtain it) become dn="cn=ldap2.vm,ou=ldap,dc=exemple,dc=com".

But it fail to find the cn=config DIT.

Here is the entry on my ldap database:


==========================================================
dn: cn=ldap2.vm,ou=ldap,dc=exemple,dc=com
objectClass: ipHost
objectClass: device
objectClass: top
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: ldap2.vm
ipHostNumber: 192.168.x.x
structuralObjectClass: device
entryUUID: afe9a32a-81a3-1032-85b7-7976b72b0c24
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20130715140754Z
krbPrincipalName: ldap/ldap2.vm.exemple.com@EXEMPLE.COM
krbLoginFailedCount: 0
krbPrincipalKey:: [...]
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20130715140838Z
krbExtraData:: AAJmAuRRYWRtaW5ASU5URVJORS5PQlNFUlZBVE9JUkVERVNNQVJRVUVTLkZSAA=
 =
krbExtraData:: AAgBAA==
authzTo: {0}dn.regex:cn=admin,cn=config
entryCSN: 20130716154135.008692Z#000000#001#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20130716154135Z
==========================================================


The authzTo directive  allow, i think, this entry to act as cn=admin,cn=config and to see the cn=config DIT, am I wrong? How can I do what I want?
This configuration works well when I try to synchronise the dc=exemple,dc=com DIT.


Regards,
Quentin