[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl only partially working

To: Joshua Schaeffer <jschaeffer0922@gmail.com>
Subject: Re: Syncrepl only partially working
From: Ryan Tandy <ryan@nardis.ca>
Date: Fri, 28 Oct 2016 22:22:23 -0700
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=4ngRMuUcjMf69ZhQcQG1UMg/n2ClkEeHPQekKeEVM9E=; b=byUyhFkG91Q+7jF7+GmjxL5mALdV1L8MSGM38IX2JL+mfRqRBCrCBhVqosrDEQDnhM GerLuNIsjdcmZyGxaRn1IwAEjcYz4aDrkCnrr7S6B2D0Rocp6sVDYjQcqrSYg+U7oKN0 1ptt3CXkRszgBYmw4vz9YR44zOe8ZzeqcwPHE=
In-reply-to: <6aade255-646f-cf1a-d602-e3f9d2cb1e92@gmail.com>
Mail-followup-to: Joshua Schaeffer <jschaeffer0922@gmail.com>, openldap-technical@openldap.org
References: <6aade255-646f-cf1a-d602-e3f9d2cb1e92@gmail.com>
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, Oct 28, 2016 at 09:50:30PM -0600, Joshua Schaeffer wrote:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=harmonywave,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=harmonywave,dc=com

You may have done this - I didn't see it - but if you change the suffixthis way when there are existing entries in that database, and you don'tclear them out, you risk exposing yourself to issues such as<https://bugs.debian.org/546368>. If you change your suffix this way,after you do it, consider initializing a new, empty database: stopslapd, rm /var/lib/ldap/*, and start it again. I'm bringing this upbecause it looks like you're using the Debian/Ubuntu package, which doesindeed add a couple of entries to the default database during setup.

Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 TLS established tls_ssf=128 ssf=128

As I understand it, using Kerberos with OpenLDAP already gets you anencrypted transport - I believe using TLS on top of that is redundant.

Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND authcid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM" authzid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=128
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 RESULT tag=97 err=0 text=


That looks fine, the GSSAPI bind seems to have succeeded.

So at this point, based on your ACLs above, I'd expect it to be able toread all of your data (to * by * read), except for the userPassword andshadowLastChange attributes.

Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH attr=* +
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=5 UNBIND
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 closed

Odd - I was expecting to see a RESULT line there. Not sure what thatmeans. I guess something goes wrong on the client and it aborts early?

It would be interesting to see logs from the syncrepl consumer, atloglevel 'sync', when you bring it up with an empty database.

If you do an ldapsearch against the provider as anonymous, or doing aGSSAPI bind using that sevice ticket, do you see all the data returnedthat you expected?

If you want a decent example config to compare your work against, Iwould suggest rjsystems' articles:


http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php

It's a little dated, but not too badly. (For example, most or all of thebugs he mentions have since been fixed; and the hdb backend isdeprecated now in favour of mdb.)

Follow-Ups:
- Re: Syncrepl only partially working
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

References:
- Syncrepl only partially working
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

Prev by Date: Syncrepl only partially working
Next by Date: Re: Syncrepl only partially working
Index(es):
- Chronological
- Thread