
Re: Syncrepl and problem with ldap_sasl_bind_s failed?



Michael Ströder wrote:

> 49 is "invalidCredentials".
> Likely either one of the following reasons are causing this:
> - entry cn=replicator,ou=admins,ou=internal,o=aminor does not exist
> - the password is wrong
> - some ACLs reject authentication

That's what puzzles me. From both nodes I can run ldapsearch as the
replication user against both nodes, and that part behaves as I'd expect
(I get a connection with answers, and if I try to connect with the wrong
password I get "ldap_bind: Invalid credentials (49)"). So the entry exists
and the password is accepted for an interactive simple bind; only the bind
made by the syncrepl consumer itself is being rejected.

> Try from ldap02-testing.aminor.no:
> ldapwhoami -H ldap://ldap01-testing.aminor.no -x \
>   -D "cn=replicator,ou=admins,ou=internal,o=aminor" -w <password>

[root@ldap02-testing ~]# ldapwhoami -H ldap://ldap01-testing.aminor.no -x
-D "cn=replicator,ou=admins,ou=internal,o=aminor" -w <a_password>
dn:cn=replicator,ou=admins,ou=internal,o=aminor

> For further questions you should post your config.

I will. At the risk of someone going "OMG, why the h... are you doing it
like this?" :)

Here's the contents of cn=config (minus all the stuff under
cn=schema,cn=config - since that would have added over 2000 lines). I have
hidden the passwords. I have done a diff on the output from cn=config on
both servers and it's identical.

A couple of caveats about what this dump shows: olcRootPW and the
syncrepl "credentials=" values are stored (and returned) in cn=config, so
anyone who can read cn=config also holds the rootdn and replicator
passwords - here that is limited to local root via peercred and to
cn=admin,cn=config. Every consumer below uses bindmethod=simple against a
plain ldap:// provider with no starttls= option, so unless TLS is forced
somewhere not shown here, both the replication credentials and the
replicated data cross the wire in cleartext; olcSaslSecProps
"noplain,noanonymous" only constrains SASL mechanisms and does not apply
to simple binds. Also note that passing "-w <password>" on the command
line exposes the password to the process list and shell history; "-W" or
"-y <passwordfile>" is the safer form. Finally, olcLogLevel is 0 on both
nodes, so the provider logs nothing about the rejected bind - raising it
(e.g. to "sync stats") on the provider while the consumer retries is
probably the quickest way to see why it returns 49.

[root@ldap01-testing ~]# ldapsearch -x -b "cn=config" -D
"cn=admin,cn=config" -w <CONFIG-password> -h ldap01-testing.aminor.no -LLL
dn: cn=config
objectClass: olcGlobal
cn: config
olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf
olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d
olcArgsFile: /usr/local/openldap/var/run/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 0
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /usr/local/openldap/var/run/slapd.pid
olcReadOnly: FALSE
olcSaslSecProps: noplain,noanonymous
olcServerID: 101 ldap://ldap01-testing.aminor.no
olcServerID: 201 ldap://ldap02-testing.aminor.no
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 0.0
olcToolThreads: 1
olcWriteTimeout: 0

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov.la

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base=""  by * read
olcAccess: {1}to dn.base="cn=subschema"  by * read
olcAccess: {2}to *  by self write  by users read  by anonymous auth
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by
dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage  by * +0 break
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW: <CONFIG-password>
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=001 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=admin,cn=config" bindmethod=simple  credentials=<CONFIG-password>
searchbase="cn=co
 nfig" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=admin,cn=config" bindmethod=simple  credentials=<CONFIG-password>
searchbase="cn=co
 nfig" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcMonitoring: FALSE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to *  by dn.base="cn=admin,cn=config" read  by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE

dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/internal
olcSuffix: ou=internal,o=aminor
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by
dn.chil
 dren="ou=admins,ou=internal,o=aminor" write  by * none
olcAccess: {1}to * by self write by dn.children="ou=admins,ou=internal,o=ami
 nor" write by * read
olcLimits: {0}dn.exact="cn=Manager,ou=internal,o=aminor" time.soft=unlimit
 ed time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRootDN: cn=Manager,ou=internal,o=aminor
olcRootPW: <MANAGER-password>
olcSyncrepl: {0}rid=003 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple  creden
 tials=<REPLICATOR-password> searchbase="ou=internal,o=aminor"
type=refreshAndPersist
 retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=004 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple  creden
 tials=<REPLICATOR-password> searchbase="ou=internal,o=aminor"
type=refreshAndPersist
 retry="5 5 5 +" timeout=3
olcMirrorMode: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir /usr/local/berkeleydb/openldap-logs/internal
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq

dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /usr/local/openldap/var/openldap-data/radius
olcSuffix: ou=radius,ou=no,o=aminor
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by
dn.chil
 dren="ou=admins,ou=radius,ou=no,o=aminor" write  by * none
olcAccess: {1}to * by self write by dn.children="ou=admins,ou=internal,o=ami
 nor" write by group.exact="cn=radius write,ou=groups,ou=internal,o=amin
 or" write by group.exact="cn=radius read,ou=groups,ou=internal,o=aminor"
 read by * read
olcLimits: {0}dn.exact="cn=Manager,ou=radius,ou=no,o=aminor" time.soft=unl
 imited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcRootDN: cn=Manager,ou=radius,ou=no,o=aminor
olcRootPW: <MANAGER-password>
olcSyncrepl: {0}rid=005 provider=ldap://ldap01-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor"
type=refreshAndPersis
 t retry="5 5 5 +" timeout=3
olcSyncrepl: {1}rid=006 provider=ldap://ldap02-testing.aminor.no binddn
 ="cn=replicator,ou=admins,ou=internal,o=aminor" bindmethod=simple credent
 ials=<REPLICATOR-password> searchbase="ou=radius,ou=no,o=aminor"
type=refreshAndPersi
 st retry="5 5 5 +" timeout=3
olcMirrorMode: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 10
olcDbConfig: {0}set_cachesize 0 10485760 0
olcDbConfig: {1}set_lg_bsize 2097152
olcDbConfig: {2}set_lg_dir /usr/local/berkeleydb/openldap-logs/radius
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 3000
olcDbIndex: uid pres,eq,sub
olcDbIndex: cn,sn,displayName pres,eq,approx,sub
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID pres,eq
olcDbIndex: entryCSN pres,eq
olcDbIndex: amiCustomerId pres,eq,sub
olcDbIndex: amipppProfileType pres,eq
olcDbIndex: amiLineId pres,eq,sub

dn: olcOverlay={0}syncprov,olcDatabase={3}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov




Here are the contents of ou=internal,o=aminor (I also verified that this
looks the same on both servers; the userPassword values are hidden):

dn: ou=internal,o=aminor
objectClass: top
objectClass: organizationalUnit
ou: internal

dn: ou=groups,ou=internal,o=aminor
objectClass: organizationalUnit
ou: groups
description: generic groups branch

dn: cn=radius read,ou=groups,ou=internal,o=aminor
objectClass: groupOfNames
cn: radius read
description: read permission to radius tree
member: cn=radius app user,ou=applications,ou=internal,o=aminor

dn: cn=radius write,ou=groups,ou=internal,o=aminor
objectClass: groupOfNames
cn: radius write
description: write permission to radius tree
member: cn=radius app user,ou=applications,ou=internal,o=aminor

dn: ou=people,ou=internal,o=aminor
objectClass: organizationalUnit
ou: people
description: generic people branch

dn: ou=admins,ou=internal,o=aminor
objectClass: organizationalUnit
ou: admins
description: administrative accounts

dn: cn=replicator,ou=admins,ou=internal,o=aminor
cn: replicator
sn: user
objectClass: person
userPassword: <REPLICATOR-password>

dn: ou=applications,ou=internal,o=aminor
objectClass: organizationalUnit
ou: applications
description: application users

dn: cn=radius app user,ou=applications,ou=internal,o=aminor
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: radius app user
sn: radius app user
userPassword: <RADIUS-password>


Regards
Eivind Olsen