
Syncrepl authentication via GSSAPI/SASL/Kerberos



Hi,

I'm running a pair of OpenLDAP servers on a network which primarily uses Kerberos for authentication. The two servers replicate data (via a simple syncrepl master-slave setup). Right now, they're using simple authentication. I'd like to move them to using Kerberos authentication.

I've successfully gotten them to the point where the Kerberos authentication appears to succeed. However, replication doesn't happen with the mysterious error "findbase failed! 32". I have found no mention of this error, other than a couple of permissions-related errors. I double-checked my permissions, so it's not that.

I've copied relevant portions of my slapd.conf below and would be happy to provide more if required. I also have a syslog excerpt below.

Does anyone know what I should be looking at next or have an example of a functional setup similar to what I've described?

Thanks,
Steve

Functioning syncrepl config:
syncrepl rid=1
        provider=ldap://ldap1.pressers.name/
        type=refreshAndPersist
        retry="60 30 300 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=simple
        binddn="cn=repl,dc=pressers,dc=name"
        credentials="SOMEPASSWORD"

Config which fails mysteriously:
syncrepl rid=1
        provider=ldap://ldap1.pressers.name/
        type=refreshAndPersist
        retry="60 30 300 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=sasl
        saslmech=gssapi

Finally, an excerpt for syslog on the master when the client attempts to connect:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 fd=18 ACCEPT from IP=10.0.0.3:57149 (IP=0.0.0.0:389)
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=0 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 1
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=1 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 2
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 3
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND authcid="ldap/mordor.pressers.name" authzid="ldap/mordor.pressers.name"
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 RESULT tag=97 err=0 text=
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SRCH base="dc=pressers,dc=name" scope=2 deref=0 filter="(objectClass=*)"
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SRCH attr=* +
Sep 30 13:11:09 hawking slapd[1620]: findbase failed! 32
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=4 UNBIND
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 fd=18 closed
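
The following is an added example, not part of the original post: a small Python script that correlates the provider log lines above per connection and reports which identity slapd assigned to a connection whose search ended in err=32, next to the binddn from the simple-bind configuration. The function name and the result fields are assumptions made for this illustration.

```python
import re

# Lines from the provider's syslog excerpt in the post above, with the
# "Sep 30 13:11:09 hawking slapd[1620]: " prefix trimmed for width.
SAMPLE = """\
conn=1005 op=2 BIND authcid="ldap/mordor.pressers.name" authzid="ldap/mordor.pressers.name"
conn=1005 op=2 BIND dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1005 op=2 RESULT tag=97 err=0 text=
conn=1005 op=3 SRCH base="dc=pressers,dc=name" scope=2 deref=0 filter="(objectClass=*)"
conn=1005 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
conn=1005 op=4 UNBIND
"""

# Patterns use search(), so full syslog lines with their prefix also match.
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)')
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RES = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+)')

def failed_searches(log_text, expected_dn):
    """Return one finding per search that ended in err=32 (noSuchObject),
    paired with the DN and mechanism slapd logged for that connection."""
    bound = {}     # conn -> (dn, mech) from the BIND line naming the mech
    bases = {}     # (conn, op) -> search base
    findings = []
    for line in log_text.splitlines():
        if m := BIND.search(line):
            bound[m.group(1)] = (m.group(2), m.group(3))
        elif m := SRCH.search(line):
            bases[(m.group(1), m.group(2))] = m.group(3)
        elif (m := RES.search(line)) and m.group(3) == "32":
            conn, op = m.group(1), m.group(2)
            dn, mech = bound.get(conn, ("", "none"))
            findings.append({
                "conn": conn,
                "base": bases.get((conn, op), "?"),
                "bound_dn": dn,
                "mech": mech,
                # Case-insensitive string compare; a simplification of
                # full DN normalization, adequate for these log lines.
                "matches_expected": dn.lower() == expected_dn.lower(),
            })
    return findings

if __name__ == "__main__":
    # expected_dn is the binddn from the working simple-bind config above.
    for finding in failed_searches(SAMPLE, "cn=repl,dc=pressers,dc=name"):
        print(finding)
```

For the excerpt above it reports the bound DN as uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth, which differs from cn=repl,dc=pressers,dc=name. slapd evaluates access rules against the bound DN, so rules written for the simple-bind DN cover the GSSAPI identity only if that identity is mapped to it (for example with an authz-regexp rule) or is granted access itself.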
