Problem with SASL replication
- To: openldap-software@OpenLDAP.org
- Subject: Problem with SASL replication
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 16 Aug 2002 20:05:23 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
A friend started to question me about a problem he had with
replication. He (as I do) uses SASL (with a Kerberos V keytab)
to authenticate to the slave.
/etc/ldap/slapd.conf (master slapd.conf)
----- s n i p -----
replica host=<FQDN OF LDAP HOST>:3030
tls=critical
bindmethod=sasl
saslmech=GSSAPI
replogfile /var/lib/ldap/replog
----- s n i p -----
/etc/ldap/slapd.conf.backup (slave slapd.conf)
----- s n i p -----
include /etc/ldap/slapd.access.backup
readonly off
updatedn "uid=replicator.\+realm=BAYOUR.COM"
----- s n i p -----
/etc/ldap/slapd.access.backup (ACL for the slave)
----- s n i p -----
access to attr=cn,givenName,sn,krbName,krb5PrincipalName,loginShell,gecos,mail,mailAlternateAddress,mailHost,mailQuota,trustModel,accessTo,uidNumber,gidNumber,homeDirectory,homePostalAddress,mobile,labeledURI,homePhone,userPassword,ldapPassword,clearTextPassword
by dn="uid=turbo.+\+realm=BAYOUR.COM" read
by dn="uid=replicator.+\+realm=BAYOUR.COM" write
by dn="uid=replicator.+\+realm=SWE.NET" write
by users read
by * none
access to *
by dn="uid=turbo.+\+realm=BAYOUR.COM" read
by dn="uid=replicator.+\+realm=BAYOUR.COM" write
by dn="uid=replicator.+\+realm=SWE.NET" write
by * read
----- s n i p -----
(Yes, that's it. Nothing more in there!)
/etc/init.d/slapd (master init script)
----- s n i p -----
# Start replica?
replicas=`grep ^replica /etc/ldap/slapd.conf`
if [ ! -z "$replicas" ]; then
echo -n "Getting ticket for replicator: "
kinit -k -t /etc/krb5.keytab.slurpd replicator@BAYOUR.COM
echo "done."
echo -n "Starting LDAP replication daemon: "
start-stop-daemon --start --quiet --name slurpd --exec $SLURPD
echo "done."
fi
----- s n i p -----
<FQDN OF LDAP HOST>:3030.rej (rejects file)
----- s n i p -----
ERROR: No such object
replica: <FQDN OF LDAP HOST>:3030
time: 1029519085.0
dn: uid=khaan,ou=People,dc=bayour,dc=com
changetype: modify
replace: initials
initials: AG
-
replace: modifiersName
modifiersName: uid=turbo + realm=BAYOUR.COM
-
replace: modifyTimestamp
modifyTimestamp: 20020816173124Z
----- s n i p -----
LDAP searches (with my own ticket, I have READ access on the slave)
----- s n i p -----
[localhost.pts/3]$ ldapsearch -ZZ -h <FQDN OF LDAP HOST> -p 3030 -LLL uid=khaan modifiersName modifyTimestamp initials 2> /dev/null
dn: uid=khaan,ou=People,dc=bayour,dc=com
initials: MiddleName
modifiersName: uid=turbo + realm=BAYOUR.COM
modifyTimestamp: 20020617131958Z
[localhost.pts/3]$ ldapsearch -ZZ -h <FQDN OF LDAP HOST> -p 389 -LLL uid=khaan modifiersName modifyTimestamp initials 2> /dev/null
dn: uid=khaan,ou=People,dc=bayour,dc=com
initials: AG
modifiersName: uid=turbo + realm=BAYOUR.COM
modifyTimestamp: 20020816173124Z
----- s n i p -----
(so, since -ZZ works, it shouldn't be a problem with the SSL cert)
I get the rejects file when trying to run the command
slurpd -o -r ../../ldap/replog
Before this, I naturally got a ticket for 'replicator@BAYOUR.COM'...
----- s n i p -----
[localhost.root]# klist
Ticket cache: FILE:/var/run/slapd.krbenv
Default principal: replicator@BAYOUR.COM
Valid starting     Expires            Service principal
08/16/02 19:37:00  08/16/02 23:37:00  krbtgt/BAYOUR.COM@BAYOUR.COM
08/16/02 19:39:42  08/16/02 23:37:00  ldap/<FQDN OF HOST>@BAYOUR.COM
----- s n i p -----
Now. Two things are 'obvious' to me right now (I don't know if it
matters though).
In the ticket I have the 'real' FQDN (what my machine resolves as),
and in the slapd.conf I have the alias to it. I'm running both the
master and slave on the same machine, only different ports. The SSL
certificate has the 'FQDN OF LDAP HOST' in it...
The other thing is that in the rejects file, it's _MY_ 'dn' that's
in there (not 'replicator') and that it contains spaces.
Note: '<FQDN OF LDAP HOST>' is censored, as is 'localhost'...
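An added example, not part of Turbo's message and not OpenLDAP's own code: a small Python script that parses a slurpd rejects file in the layout quoted above and normalises DNs for comparison. The .rej text is constructed for this example (placeholder host ldap.example.test, plus a second made-up record), and the parser and normaliser are this editor's, not slurpd's. It makes the second observation above concrete: whitespace around '+' and ',' in a DN is not significant, while a backslash-escaped '+' or a '.' is part of the value, so updatedn (which per slapd.conf(5) takes a literal DN) will not match a string written like the regex-style patterns the slave's "by dn=" ACL clauses use.

```python
"""Triage a slurpd .rej file and compare DNs by equality, not by pattern."""

# Constructed sample in the layout of the rejects file quoted above.
# Host name and the second record are made up for illustration.
SAMPLE_REJ = """\
ERROR: No such object
replica: ldap.example.test:3030
time: 1029519085.0
dn: uid=khaan,ou=People,dc=bayour,dc=com
changetype: modify
replace: initials
initials: AG
-
replace: modifiersName
modifiersName: uid=turbo + realm=BAYOUR.COM
-
replace: modifyTimestamp
modifyTimestamp: 20020816173124Z

ERROR: Insufficient access
replica: ldap.example.test:3030
time: 1029519090.0
dn: uid=someone,ou=People,dc=bayour,dc=com
changetype: modify
replace: mail
mail: someone@example.test
"""


def parse_rej(text):
    """Return one dict per rejected change: error, replica, time, dn,
    changetype and the list of LDIF change operations."""
    records, header, entry = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if entry is not None:
                records.append(entry)
                entry = None
            header = {}
            continue
        key, sep, val = line.partition(':')
        val = val.strip()
        if entry is None:                         # still in the ERROR/replica/time header
            if key == 'dn':
                entry = {'error': header.get('ERROR'), 'replica': header.get('replica'),
                         'time': header.get('time'), 'dn': val,
                         'changetype': None, 'changes': []}
            elif sep:
                header[key] = val
            continue
        if line == '-':                           # separator between modify ops
            continue
        if key == 'changetype':
            entry['changetype'] = val
        elif key in ('add', 'replace', 'delete'):
            entry['changes'].append({'op': key, 'attr': val, 'values': []})
        elif entry['changes']:
            entry['changes'][-1]['values'].append(val)
    if entry is not None:
        records.append(entry)
    return records


def change_value(record, attr):
    """First value a record assigns to attr (case-insensitive), or None."""
    for ch in record['changes']:
        if ch['attr'].lower() == attr.lower() and ch['values']:
            return ch['values'][0]
    return None


def _split_unescaped(s, seps):
    """Split s on unescaped separator chars, keeping the separators
    (alternating component, separator, component, ...)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):          # keep escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c in seps:
            parts.append(''.join(cur))
            parts.append(c)
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append(''.join(cur))
    return parts


def normalize_dn(dn):
    """RFC 2253-style normalisation: drop whitespace around '=', '+' and ',',
    lower-case attribute types, leave escaped characters alone."""
    out = []
    for i, tok in enumerate(_split_unescaped(dn, ',+')):
        if i % 2 == 1:
            out.append(tok)                        # separator as-is
            continue
        attr, _, val = tok.partition('=')
        out.append(attr.strip().lower() + '=' + val.strip())
    return ''.join(out)


def dn_equal(a, b):
    """Equality after normalisation; values folded as caseIgnoreMatch would."""
    return normalize_dn(a).lower() == normalize_dn(b).lower()


if __name__ == '__main__':
    for rec in parse_rej(SAMPLE_REJ):
        print(rec['error'], '|', rec['dn'], '|', change_value(rec, 'modifiersName'))
    print(dn_equal(r'uid=replicator.\+realm=BAYOUR.COM', 'uid=replicator + realm=BAYOUR.COM'))
```

Running it lists each rejected DN with its error, and the last line prints False: the escaped-plus string is a valid but different DN from the SASL-derived "uid=replicator + realm=BAYOUR.COM", whereas the spaced and unspaced spellings of the latter compare equal.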