
Problem with SASL replication
A friend started to question me about a problem he had with
replication. He (as I do) uses SASL (with a Kerberos V keytab)
to authenticate to the slave.

/etc/ldap/slapd.conf (master slapd.conf)
----- s n i p -----
replica                 host=<FQDN OF LDAP HOST>:3030
                        tls=critical
                        bindmethod=sasl
                        saslmech=GSSAPI
replogfile              /var/lib/ldap/replog
----- s n i p -----

/etc/ldap/slapd.conf.backup (slave slapd.conf)
----- s n i p -----
include                 /etc/ldap/slapd.access.backup
readonly                off
updatedn                "uid=replicator.\+realm=BAYOUR.COM"
----- s n i p -----

/etc/ldap/slapd.access.backup (ACL for the slave)
----- s n i p -----
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,trustModel,accessTo,uidNumber,gidNumber,homeDirectory,homePostalAddress,mobile,labeledURI,homePhone,userPassword,ldapPassword,clearTextPassword
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by dn="uid=replicator.+\+realm=SWE.NET" write
        by users read
        by * none

access to *
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=replicator.+\+realm=BAYOUR.COM" write
        by dn="uid=replicator.+\+realm=SWE.NET" write
        by * read
----- s n i p -----
(Yes, that's it. Nothing more in there!)

/etc/init.d/slapd       (master init script)
----- s n i p -----
    # Start replica?
    replicas=`grep ^replica /etc/ldap/slapd.conf`
    if [ ! -z "$replicas" ]; then
        echo -n "Getting ticket for replicator: "
        kinit -k -t /etc/krb5.keytab.slurpd replicator@BAYOUR.COM
        echo "done."

        echo -n "Starting LDAP replication daemon: "
        start-stop-daemon --start --quiet --name slurpd --exec $SLURPD
        echo "done."
    fi
----- s n i p -----

<FQDN OF LDAP HOST>:3030.rej       (rejects file)
----- s n i p -----
ERROR: No such object
replica: <FQDN OF LDAP HOST>:3030
time: 1029519085.0
dn: uid=khaan,ou=People,dc=bayour,dc=com
changetype: modify
replace: initials
initials: AG
-
replace: modifiersName
modifiersName: uid=turbo + realm=BAYOUR.COM
-
replace: modifyTimestamp
modifyTimestamp: 20020816173124Z
----- s n i p -----

LDAP searches (with my own ticket, I have READ access on the slave)
----- s n i p -----
[localhost.pts/3]$ ldapsearch -ZZ -h <FQDN OF LDAP HOST> -p 3030 -LLL uid=khaan modifiersName modifyTimestamp initials 2> /dev/null
dn: uid=khaan,ou=People,dc=bayour,dc=com
initials: MiddleName
modifiersName: uid=turbo + realm=BAYOUR.COM
modifyTimestamp: 20020617131958Z

[localhost.pts/3]$ ldapsearch -ZZ -h <FQDN OF LDAP HOST> -p 389 -LLL uid=khaan modifiersName modifyTimestamp initials 2> /dev/null
dn: uid=khaan,ou=People,dc=bayour,dc=com
initials: AG
modifiersName: uid=turbo + realm=BAYOUR.COM
modifyTimestamp: 20020816173124Z
----- s n i p -----
(so, since ZZ works, it shouldn't be a problem with SSL cert)
I get the rejects file when trying to run the command
        slurpd -o -r ../../ldap/replog

Before this, I naturally got a ticket for 'replicator@BAYOUR.COM'...
----- s n i p -----
[localhost.root]# klist
Ticket cache: FILE:/var/run/slapd.krbenv
Default principal: replicator@BAYOUR.COM

Valid starting     Expires            Service principal
08/16/02 19:37:00  08/16/02 23:37:00  krbtgt/BAYOUR.COM@BAYOUR.COM
08/16/02 19:39:42  08/16/02 23:37:00  ldap/<FQDN OF HOST>@BAYOUR.COM
----- s n i p -----
Now. Two things are 'obvious' to me right now (I don't know if it
matters though).

In the ticket I have the 'real' FQDN (what my machine resolves as),
and in the slapd.conf I have the alias to it. I'm running both the
master and slave on the same machine, only different ports. The SSL
certificate has the 'FQDN OF LDAP HOST' in it...


The other thing is that in the rejects file, it's _MY_ 'dn' that's
in there (not 'replicator') and that it contains spaces.
Note: '<FQDN OF LDAP HOST>' is censored, as is 'localhost'...
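As an added example (not the poster's code and not an OpenLDAP tool), a small Python parser for the slurpd reject-file layout shown above, so a monitoring script can list which DNs were refused by the slave and with what error instead of the rejects going unnoticed. The host name and the second entry in the sample are constructed.

```python
import re

# Constructed sample in the slurpd reject-file (.rej) layout shown above (placeholder host).
SAMPLE_REJ = """\
ERROR: No such object
replica: ldap.example.test:3030
time: 1029519085.0
dn: uid=khaan,ou=People,dc=bayour,dc=com
changetype: modify
replace: initials
initials: AG
-
replace: modifiersName
modifiersName: uid=turbo + realm=BAYOUR.COM
-
replace: modifyTimestamp
modifyTimestamp: 20020816173124Z

ERROR: Insufficient access
replica: ldap.example.test:3030
time: 1029519100.0
dn: uid=other,ou=People,dc=bayour,dc=com
changetype: modify
replace: loginShell
loginShell: /bin/zsh
"""

def parse_rejects(text):
    """One dict per blank-line-separated entry; 'mods' is a list of
    (op, attribute, [values]) in the order slurpd wrote them."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, cur = {"mods": []}, None
        for line in block.splitlines():
            key, _, val = line.partition(":")
            val = val.strip()
            if line == "-":                              # end of one modify op
                cur = None
            elif key in ("ERROR", "replica", "time", "dn", "changetype") and key not in rec:
                rec[key] = float(val) if key == "time" else val
            elif key in ("add", "replace", "delete"):    # new op on attribute `val`
                cur = (key, val, [])
                rec["mods"].append(cur)
            elif cur and key == cur[1]:                  # value line for that attribute
                cur[2].append(val)
        out.append(rec)
    return out
```

Feeding the slave's real `.rej` file to `parse_rejects` gives one record per refused change, with the error string and the DN the slave could not find or would not let the replicator write.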