replication with "credential={crypt}xxxxxx"?
- To: maillist-openldap <openldap-software@OpenLDAP.org>
- Subject: replication with "credential={crypt}xxxxxx"?
- From: Susanne Benkert <benkerts@emt.iis.fhg.de>
- Date: Tue, 22 Jan 2002 14:39:53 +0100
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011120
Hi,
I'm running a master and a slave ldap-server (OpenLDAP 2.0.19) compiled
with tls-support. The replication itself works all right and uses tls.
To improve the level of security I'd like to use a {crypt}-password as
credentials in my replica-configurations, but this doesn't work. If I
try, I get the following error message (from debug):
....
Error: ldap_simple_bind_s for <my slave server:389> failed: Invalid
credentials
ldap_unbind
ldap_free_connection
....
With the password in clear text it works all right. What did I do wrong?
Is there a solution for my problem, or is there no {crypt}-support for
replica-credentials at all?
For more information I attached my slapd.conf (master and slave) and a
part of the debug output.
Thank you for helping me. (I really hope somebody out there has a good idea.)
Greetings,
Susanne
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/testschema.schema
schemacheck off
loglevel 0
pidfile /var/slapd.pid
argsfile /var/slapd.args
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#TLS settings
TLSCertificateFile /usr/local/ssl/private/server.crt
TLSCertificateKeyFile /usr/local/ssl/private/server.key
TLSCACertificateFile /usr/local/ssl/private/ca.crt
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
cachesize 5000
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/openldap-ldbm
suffix "ou=myorganisation,c=de"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Admin,ou=myorganisation,c=de"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}xxxxx
#replication
replogfile /var/run/slapd.replog
replica host=myserver.myorganisation.de:389 tls=yes binddn="cn=Admin,ou=myorganisation,c=de" bindmethod=simple credentials={crypt}xxxxx
#access rights
defaultaccess read
access to attr=userPassword by self write by anonymous auth by * none
access to dn="cn=Admin,ou=myorganisation,c=de" by * none
access to * by * read
# Indices to maintain
index objectClass eq
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/testschema.schema
schemacheck off
loglevel 0
pidfile /var/slapd.pid
argsfile /var/slapd.args
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
# Load dynamic backend modules:
# modulepath /usr/local/openldap/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
TLSCertificateFile /usr/local/ssl/certs/il056.crt
TLSCertificateKeyFile /usr/local/ssl/certs/il056.key
TLSCACertificateFile /usr/local/ssl/certs/ca.crt
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
cachesize 5000
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/openldap-ldbm
suffix "ou=myorganisation,c=de"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Admin,ou=myorganisation,c=de"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {crypt}xxxxxx
updatedn "cn=Admin,ou=myorganisation,c=de"
defaultaccess read
access to attr=userPassword by self read by anonymous auth by * none
access to dn="cn=Admin,ou=myorganisation,c=de" by * none
access to * by * read
# Indices to maintain
index objectClass eq
more messages from debug with -d 127:
bind to myserver.myorganisation.de:389 as cn=admin,ou=myorganisation,c=de (simple)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 62 bytes to sd 5
....
tls_write: want=93, written=93
.....
ldap_write: want=62, written=62
.....
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: myserver.myorganisation.de port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Jan 22 11:05:14 2002
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
do_ldap_select
read1msg: msgid 2, all 1
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 28 ....(
tls_read: want=40, got=40
0000: 2e 44 ee 26 9f ed d4 d2 f3 7b 43 83 2d 1e 21 0b .Dî&?íÔÒó{C?-.!.
0010: 13 5b 51 39 6a 99 ef bc 36 8b 10 41 f6 23 25 2c .[Q9j?ï¼6?.Aö#%,
0020: bc a0 18 99 59 0f 2a b5 ¼ .?Y.*µ
ldap_read: want=1, got=1
0000: 30 0
ldap_read: want=1, got=1
0000: 0c .
ldap_read: want=12, got=12
0000: 02 01 02 61 07 0a 01 31 04 00 04 00 ...a...1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x140075c80 ptr=0x140075c80 end=0x140075c8c len=12
0000: 02 01 02 61 07 0a 01 31 04 00 04 00 ...a...1....
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x140075c80 ptr=0x140075c83 end=0x140075c8c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x140075c80 ptr=0x140075c83 end=0x140075c8c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x140075c80 ptr=0x140075c8c end=0x140075c8c len=0
ldap_msgfree
ldap_err2string
Error: ldap_simple_bind_s for myserver.myorganisation.de:389 failed: Invalid credentials
ldap_unbind
ldap_free_connection
ldap_send_unbind
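Added illustration (not from the post or from OpenLDAP's code) of why the replica bind above fails: the slave stores rootpw only as a hash and, on a simple bind, hashes the cleartext it receives and compares, while the replica directive's credentials= value is sent to the slave verbatim, so putting a hash there is just an unknown password. The check below uses {SSHA} rather than {crypt} (same comparison logic; Python's crypt module is removed in 3.13), and the password and salt are constructed values.

```python
import base64
import hashlib
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored value in OpenLDAP's "{SCHEME}value" form.

    {SSHA} is base64(sha1(password + salt) + salt), the slappasswd default.
    """
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_password(stored: str, offered: str) -> bool:
    """Mimic what slapd does for a simple bind against rootpw/userPassword.

    The offered value is always treated as cleartext: it is hashed with the
    stored scheme and salt and compared. A hash is never compared to a hash.
    """
    if not stored.startswith("{"):
        return stored == offered  # cleartext rootpw, compared directly
    scheme, _, value = stored[1:].partition("}")
    raw = base64.b64decode(value)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # sha1 digest is 20 bytes
        return hashlib.sha1(offered.encode() + salt).digest() == digest
    if scheme.upper() == "SHA":
        return hashlib.sha1(offered.encode()).digest() == raw
    raise ValueError(f"unsupported password scheme {scheme}")


# Constructed: what the slave's slapd.conf holds as rootpw (hash only).
STORED_ROOTPW = make_ssha("s3cret-replica-pw", salt=b"\x01\x02\x03\x04")


def bind_with_cleartext() -> bool:
    """credentials=<cleartext>: slave hashes it, compares, bind succeeds."""
    return check_password(STORED_ROOTPW, "s3cret-replica-pw")


def bind_with_hash() -> bool:
    """credentials={SSHA}...: the hash string itself is offered as the
    password, gets hashed again, and no longer matches -> Invalid credentials."""
    return check_password(STORED_ROOTPW, STORED_ROOTPW)
```

The practical consequence is that the replica line must carry the cleartext bind password, so the master's slapd.conf (and replog) need to be readable only by slapd, as the file's own header already demands.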