
Re: any help on "ldap_sasl_bind_s failed (53)"



Hi, just a bit more information. It is about the bit that I do not understand.

I came up with these config files as a step in changing from the old slurpd replication to the newer syncrepl replication.

In the old config file for slurpd, there is a slurpd directive:

replica uri=ldap://192.168.90.20
binddn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
bindmethod=simple credentials=pwofslave
replogfile /var/lib/ldap/openldap-master-replog

Of course, they get removed in the new config file. I suppose it means it uses the login details for the id "replicator" to log in to the slave.

But I can only find the "replicator" I created on the slave:

ldapsearch -x -W -D 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' '(cn=replicator)'

dn: cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp
uid: replicator
sn: replicator
cn: replicator
ou: Users
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
userPassword: pwofslave

not the old "replicator".

I created two new "replicator" accounts with the same pw on both the master and the slave. On the slave, it is used as the rootdn. Is there any difference between:

'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' and
'cn=replicator, ou=Users, dc=ier,dc=hit-u,dc=ac,dc=jp'

It may be an irrelevant question.

As someone mentioned a typo, I wonder whether spaces and tabs make any difference in the config file.







From: wailok tam <wailoktam@yahoo.com>
To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Thursday, November 20, 2014 3:55 PM
Subject: Re: any help on "ldap_sasl_bind_s failed (53)"

Hi, all,

Thanks for your feedback. I summarized it and:

1. removed all the comment lines
2. changed the order of blocks a bit

Now it ends up with:

"ldap_sasl_bind_s failed (49)"

Notice the error code changed from 53 to 49.

Again, typing the following on slave:

 ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp  -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=myownaccount)'

works.

I am posting the cleaned up config file. Any comment is appreciated.

First the master:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema


# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args


#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn          "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw    pwofmaster
directory       /var/lib/ldap


overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100   


# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID     eq 
idlcachesize 1000


access to attrs=userPassword
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by anonymous auth
  by * none



access to attrs=SambaLMPassword,SambaNTPassword
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by self read
  by anonymous auth
  by * none

access to *
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by * read

*********************************************************************************************************
Next the slave:

###  configuration for IER
###  written by T.Tanaka

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn          "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw     pwofslave
directory       /var/lib/ldap


# Replicas of this database


# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID     eq  
idlcachesize 1000


#access to attrs=userPassword
#  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#  by self write
#  by anonymous auth
#  by * none


#access to * 
#  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#  by self write
#  by * read




#loglevel stats sync

syncrepl rid=001                                   
    provider=ldap://mail.ier.hit-u.ac.jp      
    type=refreshAndPersist
    interval=00:00:05:00
    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"          
    binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
    credentials=pwofslave

****









From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
To: wailok tam <wailoktam@yahoo.com>
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Sent: Wednesday, November 19, 2014 7:44 PM
Subject: Re: any help on "ldap_sasl_bind_s failed (53)"

On Wed, Nov 19, 2014 at 07:38:02AM +0000, wailok tam wrote:



> Subject: any help on "ldap_sasl_bind_s failed (53)"

> but I am getting the error given in the title when I start the slave with
> "slapd -d sync". Replication does
> not work.

> slapd.conf of the slave:

> syncrepl rid=001                                 
>    provider=ldap://mail.ier.hit-u.ac.jp     
>    type=refreshAndPersist
>    interval=00:00:05:00
>    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"         
>    binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>    bindmethod=simple
> #    bindmethod=sasl saslmech=DIGEST-MD5
> #    authcid=replicator
>    credentials=secretofreplicator


The two comment lines are likely to be the problem. The manpage for
slapd.conf says:

      If a line begins with white space, it is considered a continuation
      of the previous line.  No physical line should be over 2000
      bytes long.

      Blank lines and comment lines beginning with a `#' character are
      ignored.  Note: continuation lines are unwrapped before comment
      processing is applied.

That says to me that comments inside an indented block are to be avoided.

As an aside, you may not want to use DIGEST-MD5 anyway, as it requires
the server to store the password in cleartext rather than hashed.

Andrew
--
-----------------------------------------------------------------------
|                From Andrew Findlay, Skills 1st Ltd                |
| Consultant in large-scale systems, networks, and directory services |
|    http://www.skills-1st.co.uk/               +44 1628 782565    |

-----------------------------------------------------------------------
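As an added example (not from the thread or from OpenLDAP itself), the small Python check below applies the slapd.conf(5) rule Andrew quotes, unwrapping continuation lines before dropping comments, to a constructed copy of the slave's original syncrepl block; the function names are my own, and the check also answers the space-versus-tab question, since any leading white space makes a continuation line.

```python
# Added example (not from the thread): unwrap slapd.conf continuation lines
# the way slapd.conf(5) describes, so you can see which directives slapd
# actually keeps. The sample config below is a constructed copy of the
# slave's syncrepl block quoted in the thread.

def logical_lines(text):
    """Join continuation lines (any leading space or tab) onto the previous
    physical line, then drop blank lines and lines beginning with '#'.
    Order matters: unwrapping happens before comment processing."""
    joined = []
    for phys in text.splitlines():
        if phys[:1] in (" ", "\t") and joined:
            joined[-1] += " " + phys.strip()
        else:
            joined.append(phys)
    return [ln for ln in joined if ln.strip() and not ln.startswith("#")]

def swallowed_by_comment(text):
    """Physical lines slapd silently ignores because they continue a comment."""
    lost, head_is_comment = [], False
    for phys in text.splitlines():
        if phys[:1] in (" ", "\t"):
            if head_is_comment:
                lost.append(phys.strip())
        else:
            head_is_comment = phys.startswith("#")
    return lost

def syncrepl_params(text):
    """key=value pairs of the first syncrepl directive, quotes stripped."""
    for ln in logical_lines(text):
        parts = ln.split()
        if parts[0] == "syncrepl":
            return {k: v.strip('"') for k, v in
                    (p.split("=", 1) for p in parts[1:] if "=" in p)}
    return {}

# Constructed copy of the slave's original syncrepl block from the thread.
BROKEN = """syncrepl rid=001
   provider=ldap://mail.ier.hit-u.ac.jp
   type=refreshAndPersist
   interval=00:00:05:00
   searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
   binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
   bindmethod=simple
#    bindmethod=sasl saslmech=DIGEST-MD5
#    authcid=replicator
   credentials=secretofreplicator
"""
# The same block with the comment lines removed, as the poster did next.
FIXED = "\n".join(l for l in BROKEN.splitlines() if not l.startswith("#")) + "\n"
```

Running `swallowed_by_comment(BROKEN)` shows the `credentials=` line being absorbed into the preceding comment, so the syncrepl directive slapd sees has no credentials at all; the same check on `FIXED` reports nothing lost.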