[Date Prev][Date Next] [Chronological] [Thread] [Top]

need serious help on replication over ssl - getting do_syncrep1: rid 001 ldap_sasl_bind_s failed (-1)



Hi, I would really be grateful if a nice guy would appear and save me with this one. Simple bind replication over ldaps port does not work. I don't have a clue. There are very few guides on setting  up replication over ldaps on the  web or on prints. I am following this one as I am using RH:

Technical blurb about Oracle Engineered Systems: Configuring OpenLDAP for High Availability. (Master/Slave or Provider/Consumer configuration) [Part 3 of 4]

Some of the suspicious bit are:

1. Concatenating the master CA cert and the original slave CA  cert to make a new CA cert for use with the slave. But the server cert and key in the slave was signed with the original slave CA without the concatenation.
2. the following line:
tls_cert=

in the slave replication directive seems to be suggesting the location of the master server certificate in the guide but there is no clear mention. I put the location of the master server certificate in this line.

A billion thanks in advance. 

First the master slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema


# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn          "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw             sameforall
directory       /var/lib/ldap


TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key


overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100   




# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID eq 
idlcachesize 1000


access to attrs=userPassword
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by anonymous auth
  by * none



access to attrs=SambaLMPassword,SambaNTPassword
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by self read
  by anonymous auth
  by * none

access to *
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by * read

loglevel stats args trace sync


************************************************************************************************************************
Next, the slapd.conf of the slave:

###  configuration for IER
###  writeen by T.Tanaka

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn          "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw         sameforall
directory       /var/lib/ldap

TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/misc/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/misc/clearkey.pem


# Replicas of this database


# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID eq  
idlcachesize 1000


access to attrs=userPassword
  by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by self write
  by anonymous auth
  by * none


access to * 
  by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by self write
  by * read




loglevel stats args trace sync

syncrepl rid=001                                   
    provider=ldaps://mail.ier.hit-u.ac.jp:636      
    type=refreshOnly
    interval=00:00:05:00
    bindmethod=simple
    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"          
    binddn="uid=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
    credentials=sameforall
    tls_cert=/usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt

mirrormode on
updateref ldaps://mail.ier.hit-u.ac.jp


**************************************************************************************************************************