SASL replication - the continuing saga
Hello everyone,
I'm continuing my effort to successfully configure OpenLDAP and SASL. This
effort has thus far taken 40 hours of my time. I'm doing this in the hopes
that I will be able to have OpenLDAP replication use SASL authentication.
I had previously not been able to have the supportedSASLMechanisms attribute
report anything. After some further experimentation with SASL-SECPROPS and
SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf, it now reports PLAIN
and LOGIN. I can't get it to recognize DIGEST-MD5, which is what I'm hoping
to have it use.
As this is progress, I thought I'd try to use either PLAIN or LOGIN for
authentication. This DOES NOT work. I'm specifically concerned with these
lines in the slurpd output:
bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
ldap_interactive_sasl_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
The "user selected: PLAIN" is either a poorly-written debug message or in
error. The user I've specified is repl.ldap.company.com.
Any assistance would be greatly appreciated. I hope to consolidate my efforts
into a FAQ or installation guide. This seems to be the most frequently asked
question on the list.
I'm including full output from the relevant items (ldapsearch,
sasldblistusers, slurpd, slapd.conf).
--- ldapsearch on server ---
[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
--- ldapsearch on backup ---
[root@backup /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
--- sasldblistusers on backup ---
[root@backup /root]# sasldblistusers
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
--- slurpd output ---
[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
Config: opening config file "/usr/local/etc/openldap/slapd.conf"
Config: (include /usr/local/etc/openldap/schema/core.schema)
Config: (include /usr/local/etc/openldap/schema/cosine.schema)
Config: (include /usr/local/etc/openldap/schema/inetorgperson.schema)
Config: (include /usr/local/etc/openldap/schema/local.schema)
Config: (pidfile /usr/local/var/slapd.pid)
Config: (argsfile /usr/local/var/slapd.args)
Config: (loglevel 0)
Config: (idletimeout 30)
Config: (sizelimit 100)
Config: (timelimit 120)
Config: (defaultsearchbase "dc=company,dc=com")
Config: (schemacheck on)
Config: (disallows bind_krbv4)
Config: (sasl-secprops noanonymous minssf=112)
Config: (security update_sasl=112 update_ssf=112)
Config: (database ldbm)
Config: (rootdn "cn=LDAProot,dc=company,dc=com")
Config: (rootpw {crypt}papAq5PwY/QQM)
Config: (suffix "dc=company,dc=com")
Config: (replogfile /usr/local/etc/openldap/replog/replog.log)
Config: (lastmod off)
Config: (replica host=backup.company.com:389
binddn="uid=repl.ldap.company.com" bindmethod=sasl saslmech=PLAIN
authcID="repl.ldap.company.com" authzID="repl.ldap.company.com"
realm=company.com credentials="password")
Config: ** successfully added replica "backup.company.com:389"
Config: (security update_ssf=112)
Config: (directory /usr/local/var/openldap-ldbm)
Config: (mode 0600)
Config: (index objectClass eq,pres)
Config: (index uid eq)
Config: (index cn eq,sub)
Config: (index mail eq,pres,sub)
Config: (index givenName eq,sub)
Config: (index sn eq,sub)
Config: (index o eq,sub)
Config: (access to attr=userPassword by dn="cn=LDAPRoot, dc=company, dc=com" write by * none)
Config: (access to * by anonymous read by dn="cn=LDAPRoot, dc=company, dc=com" write)
Config: (dbnolocking)
Config: (dbnosync)
Config: (cachesize 10000)
Config: (dbcachesize 100000)
Config: ** configuration file successfully read and parsed
Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
begin replication thread for backup.company.com:389
Replica backup.company.com:389, skip repl record for
uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
Initializing session to backup.company.com:389
ldap_create
bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
ldap_interactive_sasl_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 192.168.1.2:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: backup.company.com
ldap_err2string
Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication method
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
0000: 30 05 02 01 01 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 01 42 00 0....B.
ldap_free_connection: actually freed
fm: exiting
Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on replica backup.company.com:389
end replication thread for backup.company.com:389
slurpd: terminated.
--- slapd.conf on server ---
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/local.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
disallows bind_krbv4
sasl-secprops noanonymous minssf=112
security update_sasl=112 update_ssf=112
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
rootdn "cn=LDAProot,dc=company,dc=com"
rootpw {crypt}papAq5PwY/QQM
suffix "dc=company,dc=com"
replogfile /usr/local/etc/openldap/replog/replog.log
lastmod off
## REPLICATION OPTIONS
replica host=backup.company.com:389
    binddn="uid=repl.ldap.company.com"
    bindmethod=sasl
    saslmech=PLAIN
    authcID="repl.ldap.company.com"
    authzID="repl.ldap.company.com"
    realm=company.com
    credentials="password"
security update_ssf=112
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-ldbm
mode 0600
# Indices to maintain
index objectClass eq,pres
index uid eq
index cn eq,sub
index mail eq,pres,sub
index givenName eq,sub
index sn eq,sub
index o eq,sub
#ldbm access control definitions
access to attr=userPassword
    by dn="cn=LDAPRoot, dc=company, dc=com" write
    by * none
access to *
    by anonymous read
    by dn="cn=LDAPRoot, dc=company, dc=com" write
dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000
--- slapd.conf on backup ---
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/local.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
loglevel 0
idletimeout 30
sizelimit 100
timelimit 120
defaultsearchbase "dc=company,dc=com"
schemacheck on
disallows bind_krbv4
sasl-secprops noanonymous minssf=112
security update_sasl=112 update_ssf=112
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
rootdn "cn=LDAProot,dc=company,dc=com"
rootpw {crypt}papAq5PwY/QQM
suffix "dc=company,dc=com"
updatedn "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
updateref ldap://ldap.company.com
security update_ssf=112
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-ldbm
mode 0600
# Indices to maintain
index objectClass eq,pres
index uid eq
index cn eq,sub
index mail eq,pres,sub
index givenName eq,sub
index sn eq,sub
index o eq,sub
#ldbm access control definitions
access to attr=userPassword
    by dn="cn=LDAPRoot, dc=company, dc=com" write
    by * none
access to *
    by anonymous read
    by dn="cn=LDAPRoot, dc=company, dc=com" write
dbnolocking
dbnosync
cachesize 10000
dbcachesize 100000
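The three listings above (the replica directive in slapd.conf, the root DSE supportedSASLMechanisms output, and the sasldblistusers output) are exactly the inputs one wants to cross-check before a replication password is sent to a consumer. The following script is an added example and is not code from the post or from OpenLDAP: it unfolds slapd.conf continuation lines, parses the replica directive, reads the mechanisms the consumer advertises, reads the sasldb listing, and reports three things: a configured saslmech the consumer does not offer, a cleartext mechanism (PLAIN or LOGIN) that exposes the credential unless TLS or a SASL security layer protects the connection, and a realm in the replica directive that differs from the realm of the matching sasldb entry. The function names (unfold, parse_replica, parse_mechs, parse_sasldb, check_replica, run_checks) are the example's own; the sample inputs are copied from the listings in the post.

```python
"""Consistency checks for a slurpd SASL replica configuration.

Added example, not from the original post or from OpenLDAP. The sample
inputs below are copied from the post's own listings.
"""
import re

# Mechanisms that send the password unprotected unless TLS or a SASL
# security layer wraps the connection.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

SAMPLE_CONF = """\
security update_sasl=112 update_ssf=112
replica host=backup.company.com:389
    binddn="uid=repl.ldap.company.com"
    bindmethod=sasl
    saslmech=PLAIN
    authcID="repl.ldap.company.com"
    authzID="repl.ldap.company.com"
    realm=company.com
    credentials="password"
security update_ssf=112
"""

SAMPLE_LDAPSEARCH = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
"""

SAMPLE_SASLDB = """\
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
"""


def unfold(conf_text):
    """Join slapd.conf continuation lines (lines starting with whitespace)
    onto their directive; blank and comment lines are dropped."""
    lines = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_replica(conf_text):
    """Key=value pairs of the first replica directive, keys lower-cased,
    surrounding quotes removed; None when there is no such directive."""
    for line in unfold(conf_text):
        if line.startswith("replica "):
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line[len("replica "):])
            return {k.lower(): v.strip('"') for k, v in pairs}
    return None


def parse_mechs(ldapsearch_text):
    """Mechanisms a server advertises in its root DSE (ldapsearch -LLL output)."""
    mechs = set()
    for line in ldapsearch_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "supportedsaslmechanisms":
            mechs.add(value.strip().upper())
    return mechs


def parse_sasldb(listing):
    """sasldblistusers lines as (user, realm, mech) tuples."""
    pattern = re.compile(r"user:\s*(\S+)\s+realm:\s*(\S+)\s+mech:\s*(\S+)")
    return [m.groups() for m in map(pattern.match, listing.splitlines()) if m]


def check_replica(replica, consumer_mechs, sasldb):
    """Findings as a list of strings; empty means the sources agree and the
    mechanism does not expose the password."""
    if replica is None or replica.get("bindmethod", "").lower() != "sasl":
        return ["no replica directive with bindmethod=sasl found"]
    findings = []
    mech = replica.get("saslmech", "").upper()
    authcid = replica.get("authcid", "")
    realm = replica.get("realm", "")
    if mech not in consumer_mechs:
        findings.append(f"consumer does not advertise {mech}; it offers {sorted(consumer_mechs)}")
    if mech in CLEARTEXT_MECHS:
        findings.append(f"{mech} sends the replication password in cleartext; "
                        "protect the connection with TLS or use a stronger mechanism")
    # sasldb entries are keyed by user and realm, so a different realm in the
    # replica directive names a different identity than the one stored.
    db_realms = {r for u, r, m in sasldb
                 if u.lower() == authcid.lower() and m.upper() == mech}
    if not db_realms:
        findings.append(f"no sasldb entry for {authcid} with mech {mech}")
    elif realm and realm.lower() not in {r.lower() for r in db_realms}:
        findings.append(f"replica realm {realm!r} does not match sasldb realm(s) {sorted(db_realms)}")
    return findings


def run_checks():
    """Run the checks over the sample inputs copied from the post."""
    return check_replica(parse_replica(SAMPLE_CONF),
                         parse_mechs(SAMPLE_LDAPSEARCH),
                         parse_sasldb(SAMPLE_SASLDB))


if __name__ == "__main__":
    for finding in run_checks():
        print("-", finding)
```

Run against the post's listings it reports two findings: PLAIN carries the password in cleartext, and the replica directive's realm (company.com) is not the realm under which the sasldb entry was created (backup.company.com). The consumer does advertise PLAIN, so that check passes. To use it on a live system, feed it the real slapd.conf text and the captured output of the two commands instead of the embedded samples.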