
SASL Replication problem, need your help



Hi,

I am trying to get replication over SASL working, but got stuck somewhere. I need your help.


Here is my setting: Redhat 8.0, OpenLDAP 2.1.12, Cyrus-SASL 2.1.10, BDB 4.1.25.

On master ldap, slapd.conf includes:

replogfile     /usr/local/openldap/var/openldap-slurp/replica/replog.log

replica host=slave.sample.com:389
       binddn="uid=REPL.SAMPLE.COM"
       bindmethod=sasl
       saslmech=DIGEST-MD5
       authcID="REPL.SAMPLE.COM"
       authzID="REPL.SAMPLE.COM"
       realm="slave.sample.com"
       credentials="qwaszx"


On slave ldap, slapd.conf includes:

access to attr=userPassword,lmPassword,ntPassword
      by dn="cn=manager,dc=sample,dc=com" write
      by dn="UID=REPL.SAMPLE.COM" write
      by anonymous auth
      by self read
      by * none

access to *
      by dn="cn=manager,dc=sample,dc=com" write
      by dn="UID=REPL.SAMPLE.COM" write
      by * read

updatedn       "UID=REPL.SAMPLE.COM@REALM=slave.sample.com"
updateref      ldaps://master.sample.com:636


The replication user, REPL.SAMPLE.COM, is added to /etc/sasldb2. And slapd.conf in /usr/lib/sasl2 specifies using:

pwcheck_method: sasldb2


Testing SASL set up on both master and slave looks normal:

> ldapsearch -x -b '' -s base '(objectclass=*)' '+' '*'

dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=sample,dc=com
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.2
supportedControl: 1.2.826.0.1.334810.2.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: OTP
subschemaSubentry: cn=Subschema


Also, I can bind to slave ldap both from master and slave with:

> ldapsearch -Y DIGEST-MD5 -U REPL.SAMPLE.COM -b dc=sample,dc=com \
 'uid=joe' -H ldap://slave.sample.com
SASL/DIGEST-MD5 authentication started
Please enter your password:

This will retrieve the information being requested.

However, once updates were pushed to the slave, the following error occurred:

Error: ldap_modify_s failed modifying "No such object": uid=joe,ou=people,dc=sample,dc=com


It seemed to me that REPL.SAMPLE.COM did not actually bind to the slave, but how should I set up the replica section to make the right binding for the right user?

Can you see anything wrong with my settings?

Thanks.

Simon Gao
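As an added illustration, not part of Simon's post: how OpenLDAP 2.1 represents a SASL-authenticated identity as a DN, and two ways a slave's slapd.conf can refer to that DN in updatedn and in ACLs. The hostnames, mechanism and replicator name are taken from the post; the ou=replicators entry is an assumption, and the exact bind DN the slave derives should be confirmed with ldapwhoami rather than assumed.

```conf
# Added example, not from the original post.
#
# OpenLDAP 2.1 converts a SASL authentication identity into a DN of the form
#     uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth
# The cn=<realm> component is present only when a realm was used in the bind.
# For a DIGEST-MD5 bind as REPL.SAMPLE.COM with realm slave.sample.com the
# slave therefore sees the replicator as (assumed, verify on your server):
#     uid=repl.sample.com,cn=slave.sample.com,cn=digest-md5,cn=auth
#
# Confirm the DN the slave actually derives before writing ACLs against it:
#     ldapwhoami -Y DIGEST-MD5 -U REPL.SAMPLE.COM -H ldap://slave.sample.com

# --- Option 1: refer to the SASL identity DN directly (slave slapd.conf) ---
updatedn "uid=repl.sample.com,cn=slave.sample.com,cn=digest-md5,cn=auth"
updateref ldaps://master.sample.com:636

access to attrs=userPassword,lmPassword,ntPassword
      by dn="cn=manager,dc=sample,dc=com" write
      by dn="uid=repl.sample.com,cn=slave.sample.com,cn=digest-md5,cn=auth" write
      by anonymous auth
      by self read
      by * none

access to *
      by dn="cn=manager,dc=sample,dc=com" write
      by dn="uid=repl.sample.com,cn=slave.sample.com,cn=digest-md5,cn=auth" write
      by * read

# --- Option 2: map the SASL identity onto a directory entry ---
# sasl-regexp rewrites the derived DN; the replacement may be a DN or an LDAP
# URL.  The ou=replicators container is an assumed entry that must exist.
sasl-regexp
      uid=(.*),cn=slave.sample.com,cn=digest-md5,cn=auth
      cn=$1,ou=replicators,dc=sample,dc=com

# With the mapping in place, updatedn and the ACLs use the mapped DN instead.
updatedn "cn=repl.sample.com,ou=replicators,dc=sample,dc=com"
```

Whichever form is used, the DN in updatedn and the DN in every `by dn=` clause must be the same string that ldapwhoami reports for the replicator's bind; an updatedn that does not match the bound identity leaves the replicator subject to the ordinary ACLs and the slave will refuse or misroute the pushed modifications.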