
Antw: Re: any help on "ldap_sasl_bind_s failed (53)"



Hi!

You checked two of three components:
1) The DN you configured to read the data
2) The DN that exists in your database
3) The ACL allowing the DN to read the data


It should be obvious what you missed. Try to log in manually (using ldapsearch to get all of your database, as the replication would try). If you get it, replication should work; if not, you know where you'll have to search for the bug.

Regards,
Ulrich

>>> wailok tam <wailoktam@yahoo.com> wrote on 20.11.2014 at 09:11 in message
<281303881.1918305.1416471067218.JavaMail.yahoo@jws10080.mail.ne1.yahoo.com>:
> Hi, just a bit more information. It is about the bit that I do not 
> understand.
> I come up with these config files as a step in changing from the old slurpd 
> replication to the newer syncrepl replication.
> In the old config file for slurpd, there is a slurpd directive:
> replica uri=ldap://192.168.90.20
>         binddn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" bindmethod=simple
>         credentials=pwofslave
> replogfile /var/lib/ldap/openldap-master-replog
> Of course, they get removed in the new config file. I suppose it means it
> uses the login details for the id "replicator" to log in to the slave.
> But I can only find the "replicator" I create on the slave:
> ldapsearch -x -W -D 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' '(cn=replicator)'
> dn: cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp
> uid: replicator
> sn: replicator
> cn: replicator
> ou: Users
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> userPassword: pwofslave
> not the old "replicator".
> I create two new "replicator" accounts with the same pw on both the master 
> and the slave. On the slave, it is used as the rootdn. Is there any 
> difference between:
> 'cn=replicator, dc=ier,dc=hit-u,dc=ac,dc=jp' and
> 'cn=replicator, ou=Users, dc=ier,dc=hit-u,dc=ac,dc=jp'
> 
> It may be an irrelevant question. 
> As someone mentions typo, I wonder whether space and tab make any difference 
> in the config file.
> 
> 
> From: wailok tam <wailoktam@yahoo.com>
> To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
> Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
> Sent: Thursday, November 20, 2014 3:55 PM
> Subject: Re: any help on "ldap_sasl_bind_s failed (53)"
> 
> Hi, all,
> Thanks for your feedback. I summarize it and:
> 1. remove all the comment lines
> 2. change the order of blocks a bit
> Now it ends up with:
> "ldap_sasl_bind_s failed (49)"
> 
> notice the error code changes from 53 to 49
> Again, typing the following on slave:
>  ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp  -W -D 
> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=myownaccount)'
> 
> works.
> I am posting the cleaned up config file. Any comment is appreciated.
> First the master:
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> 
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> 
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> database        bdb
> suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn          "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootpw          pwofmaster
> directory       /var/lib/ldap
> 
> overlay syncprov
> syncprov-checkpoint 50 10
> syncprov-sessionlog 100
> 
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> index entryCSN,entryUUID                eq
> idlcachesize 1000
> 
> access to attrs=userPassword
>   by self write
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by anonymous auth
>   by * none
> 
> access to attrs=SambaLMPassword,SambaNTPassword
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by self read
>   by anonymous auth
>   by * none
> 
> access to *
>   by self write
>   by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>   by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>   by * read
> ****************************************************************************
> Next the slave:
> ###  configuration for IER
> ###  written by T.Tanaka
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> database        bdb
> suffix          "dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn          "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootpw          pwofslave
> directory       /var/lib/ldap
> 
> # Replicas of this database
> 
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> index entryCSN,entryUUID                eq
> idlcachesize 1000
> 
> #access to attrs=userPassword
> #  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
> #  by self write
> #  by anonymous auth
> #  by * none
> 
> #access to *
> #  by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
> #  by self write
> #  by * read
> 
> #loglevel stats sync
> syncrepl rid=001
>     provider=ldap://mail.ier.hit-u.ac.jp
>     type=refreshAndPersist
>     interval=00:00:05:00
>     searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
>     binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>     credentials=pwofslave
> ****
> 
> From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
> To: wailok tam <wailoktam@yahoo.com>
> Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
> Sent: Wednesday, November 19, 2014 7:44 PM
> Subject: Re: any help on "ldap_sasl_bind_s failed (53)"
> 
> On Wed, Nov 19, 2014 at 07:38:02AM +0000, wailok tam wrote:
> 
>> Subject: any help on "ldap_sasl_bind_s failed (53)"
> 
>> but I am getting the error given in the title when I start the slave with
>> "splad -d sync" . Replication does 
>> not work. 
> 
>> sladp.conf of the slave:
> 
>> syncrepl rid=001                                  
>>    provider=ldap://mail.ier.hit-u.ac.jp      
>>    type=refreshAndPersist
>>    interval=00:00:05:00
>>    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"          
>>    binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>>    bindmethod=simple
>> #    bindmethod=sasl saslmech=DIGEST-MD5
>> #    authcid=replicator 
>>    credentials=secretofreplicator
> 
> The two comment lines are likely to be the problem. The manpage for
> slapd.conf says:
> 
>       If a line begins with white space, it is considered a continuation
>       of the previous line.  No physical line should be over 2000
>       bytes long.
> 
>       Blank lines and comment lines beginning with a `#' character are
>       ignored.  Note: continuation lines are unwrapped before comment
>       processing is applied.
> 
> That says to me that comments inside an indented block are to be avoided.
> 
> As an aside, you may not want to use DIGEST-MD5 anyway, as it requires
> the server to store the password in cleartext rather than hashed.
> 
> Andrew
> -- 
> -----------------------------------------------------------------------
> |                From Andrew Findlay, Skills 1st Ltd                |
> | Consultant in large-scale systems, networks, and directory services |
> |    http://www.skills-1st.co.uk/               +44 1628 782565    |
> -----------------------------------------------------------------------
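Added example for this archive page, not code from any poster in the thread or from OpenLDAP: a small Python model of the slapd.conf(5) line handling Andrew quotes (continuation lines are unwrapped before blank and `#` lines are dropped), run over the syncrepl block from the thread with a placeholder in place of the password. The sample config, the list of parameters checked, and the simplified DN comparison (which ignores RFC 4514 escaping and multi-valued RDNs) are assumptions of this example. It shows why the indented `credentials=` line that follows a `#` line never reaches slapd, and lets you compare the `binddn` from the config against the entry DN that ldapsearch returned, which is the check Ulrich's list points at.

```python
import shlex

# Constructed sample: the syncrepl block quoted in the thread, with a
# placeholder instead of the real password. The two '#' lines sit between
# indented continuation lines, which is the situation Andrew describes.
SYNCREPL_WITH_COMMENTS = """\
syncrepl rid=001
   provider=ldap://mail.ier.hit-u.ac.jp
   type=refreshAndPersist
   interval=00:00:05:00
   searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
   binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
   bindmethod=simple
#    bindmethod=sasl saslmech=DIGEST-MD5
#    authcid=replicator
   credentials=CREDENTIALS_PLACEHOLDER
"""

# The same block with the comment lines removed (the "cleaned up" version).
SYNCREPL_CLEAN = "\n".join(
    line for line in SYNCREPL_WITH_COMMENTS.splitlines() if not line.startswith("#")
) + "\n"


def unwrap_slapd_conf(text):
    """Model of the slapd.conf(5) rule quoted in the thread: a physical line
    beginning with white space continues the previous physical line, and that
    unwrapping happens BEFORE blank lines and '#' comment lines are discarded.
    Returns the logical lines slapd would actually parse."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()      # glue onto the previous line
        else:
            logical.append(raw.rstrip())
    # Comment and blank handling only now, on the already-joined lines.
    return [line for line in logical if line.strip() and not line.startswith("#")]


def parse_syncrepl(logical_lines):
    """Return the key=value parameters of the first syncrepl directive, or None
    if none survived. shlex handles the quoting, so binddn="..." comes back
    without the quotes."""
    for line in logical_lines:
        if line.startswith("syncrepl"):
            params = {}
            for token in shlex.split(line)[1:]:
                key, _, value = token.partition("=")
                params[key] = value
            return params
    return None


def missing_syncrepl_params(text, required=("provider", "searchbase", "binddn", "credentials")):
    """Names of the required syncrepl parameters (assumed list) that slapd would not see."""
    params = parse_syncrepl(unwrap_slapd_conf(text))
    if params is None:
        return list(required)
    return [key for key in required if key not in params]


def normalize_dn(dn):
    """Simplified DN normalization (assumption: no escaped commas, no multi-valued
    RDNs): drop whitespace around the RDN separators and lowercase the attribute
    type, so 'cn=X, dc=Y' compares equal to 'cn=X,dc=Y'."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip())
    return ",".join(rdns)


def dn_equal(a, b):
    return normalize_dn(a) == normalize_dn(b)


if __name__ == "__main__":
    print("missing with comments:", missing_syncrepl_params(SYNCREPL_WITH_COMMENTS))
    print("missing after cleanup:", missing_syncrepl_params(SYNCREPL_CLEAN))
    entry_dn = "cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"  # from the ldapsearch output
    binddn = parse_syncrepl(unwrap_slapd_conf(SYNCREPL_CLEAN))["binddn"]
    print("binddn matches the entry ldapsearch returned:", dn_equal(binddn, entry_dn))
```

With the comments in place the `credentials=` line is swallowed by the preceding `#    authcid=replicator` line and the whole thing is discarded as a comment, so the directive slapd sees has no credentials at all; after the cleanup every parameter is present. The DN comparison treats `cn=replicator, ou=Users, dc=ier,...` and `cn=replicator,ou=Users,dc=ier,...` as the same DN (whitespace after the separator is not significant), but `uid=replicator,...` and `cn=replicator,...` as different DNs.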