Re: any help on "ldap_sasl_bind_s failed (53)"
On Wed, 19 Nov 2014 07:38:02 +0000 (UTC), wailok tam <wailoktam@yahoo.com> wrote:
> Hi, I am new to ldap. I am following the book "Mastering Openldap" to
> set up replication but I am getting the error given in the title when
> I start the slave with "slapd -d sync". Replication does not work.
> ******************************************************************************************************
> slapd.conf of the Master:
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> #modulepath /usr/lib/openldap
> #moduleload syncprov.la
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> #sasl-realm ier.hit-u.ac.jp
> #sasl-host localhost
> #authz-regexp
>   uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth
>   cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
> #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
> rootpw secret
> #password-hash {MD5}
> directory /var/lib/ldap
>
> TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
> TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
> TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
>
> overlay syncprov
> syncprov-checkpoint 50 10
> syncprov-sessionlog 100
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index entryCSN,entryUUID eq
> idlcachesize 1000
>
> access to attrs=userPassword
>   by self write
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by anonymous auth
>   by * none
>
> access to attrs=SambaLMPassword,SambaNTPassword
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by self read
>   by anonymous auth
>   by * none
>
> access to *
>   by self write
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by * read
> *****************************************************************************************************
> slapd.conf of the slave:
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
> #rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
> #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
> rootpw secretofreplicator
> #password-hash {MD5}
> directory /var/lib/ldap
>
> #TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
> #TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
> #TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
>
> # Replicas of this database
> #updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp
> #updateref uri=ldap://192.168.84.22
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index entryCSN,entryUUID eq
> idlcachesize 1000
>
> #access to attrs=userPassword
> #  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
> #  by self write
> #  by anonymous auth
> #  by * none
>
> #access to *
> #  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
> #  by self write
> #  by * read
>
> #loglevel stats sync
>
> syncrepl rid=001
>   provider=ldap://mail.ier.hit-u.ac.jp
>   type=refreshAndPersist
>   interval=00:00:05:00
>   searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
>   binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>   bindmethod=simple
> # bindmethod=sasl saslmech=DIGEST-MD5
> # authcid=replicator
>   credentials=secretofreplicator
> updateref ldap://mail.ier.hit-u.ac.jp/
>
> *****************************************************************************************
>
> What puzzles me is that I try on the slave to access the master with
>
> ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
>
> and it works. What is wrong? I really need your help.
The master configuration is wrong. Configuration of slapd.conf has to
follow a defined order, that is:
- global configuration parameters
- global specific overlays parameters
- first database specific configuration parameters
- first database specific overlays configuration parameters
- second database specific configuration parameters
- second database specific overlays configuration parameters
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
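As an added check, not part of this thread, here is a small Python linter that applies the ordering rule Dieter gives above (global directives, then the database's own directives, then its overlay directives) to a constructed, trimmed copy of the poster's master slapd.conf. The keyword sets are an assumption: a subset of slapd.conf(5) directives sufficient for the two configs quoted in the thread.

```python
# The ordering rule from the reply above: global parameters first, then
# per-database parameters, then that database's overlay parameters. The
# keyword sets are an assumption: a subset of slapd.conf(5) directives
# sufficient for the two configs in this thread.
GLOBAL = {"include", "allow", "pidfile", "argsfile", "modulepath",
          "moduleload", "referral", "loglevel", "sasl-realm", "sasl-host",
          "authz-regexp", "password-hash", "tlscacertificatefile",
          "tlscertificatefile", "tlscertificatekeyfile"}
DATABASE = {"suffix", "rootdn", "rootpw", "directory", "index",
            "idlcachesize", "access", "syncrepl", "updatedn", "updateref"}


def check_order(conf):
    """Return (line number, message) for each directive that breaks the order."""
    problems = []
    section = "global"  # -> "database" after 'database', "overlay" after 'overlay'
    for n, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw[0] in "# \t":
            continue  # blank, comment, or continuation of the previous directive
        kw = raw.split()[0].lower()
        if kw == "database":
            section = "database"
        elif kw == "overlay":
            section = "overlay"
        elif kw in GLOBAL and section != "global":
            problems.append((n, f"global directive '{kw}' inside a database section"))
        elif kw in DATABASE and section == "global":
            problems.append((n, f"database directive '{kw}' before any 'database' line"))
        elif kw in DATABASE and section == "overlay":
            problems.append((n, f"database directive '{kw}' after 'overlay'; move it above"))
    return problems

# Constructed, trimmed copy of the master slapd.conf posted in the thread
# (password and certificate paths replaced by placeholders).
MASTER_CONF = """\
include /etc/openldap/schema/core.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw PLACEHOLDER
directory /var/lib/ldap
TLSCACertificateFile /path/to/ca.crt
overlay syncprov
syncprov-checkpoint 50 10
index objectClass eq,pres
access to * by * read
"""
```

On this copy of the master config it reports the TLS directive sitting inside the database section and the index and access directives that follow overlay syncprov; the slave config, which has no overlay and keeps its TLS lines commented out, produces no findings.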