Re: Failed replicating to Active Directory
Howard Chu wrote:
> slurpd is an LDAP client. As such, it derives its basic LDAP
> configuration information from the ldap.conf file, not slapd.conf. Set
> the TLS_CACERT directive in /usr/local/openldap/ldap.conf and you should
> be fine.
Thanks! I must admit to referring mostly to the OpenLDAP admin guide, and thus
missed this information contained in man slurpd.
Mike is right as well - I put IP address in slapd.conf, and TLS
complained. So I put the AD server's hostname instead, and it connected
just fine.
No happy ending for me yet though; the replication attempt now ended
with the following error instead:
"Error: LDAP SASL for open-pri-dc.bcc.test:636 failed: Local error"
I have the following in ldap.conf:
---------
TLS_CACERT /etc/keys/cacert.pem
TLS_REQCERT demand
---------
Attached are contents of the replication file and output of slurpd.
Softerra LDAP Administrator confirmed that the change didn't make it to the
AD tree.
Unfortunately, I'm not aware of any way to enable debugging on Active
Directory, so I can't provide you with any information on that. (I'll ask
my colleague about it tomorrow.)
Googled around, and only found 1 link with that error message, and it
was a problem on the "server" (slave) - which means I should really debug
AD (but can't at the moment, or is it actually impossible to do?)
In the meantime, any more hints are always welcome.
Thanks,
Harry
note:
I've updated my documentation accordingly.
===========================
### contents of the replica file
replica: open-pri-dc.bcc.test:636
time: 1100856154
dn: ou=testing3,ou=housing,dc=bcc,dc=test
changetype: add
ou: testing3
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 4a8d0a38-ce58-1028-8535-df4555169973
creatorsName: cn=administrator,cn=users,dc=bcc,dc=test
createTimestamp: 20041119092234Z
entryCSN: 20041119092234Z#000001#00#000000
modifiersName: cn=administrator,cn=users,dc=bcc,dc=test
modifyTimestamp: 20041119092234Z
==========================
output from: slurpd -d 65535 -o -r
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /emailAddress=harry_sufehmi@mydomain.com/C=US/ST=Midlands/L=Nham/O=BCC/OU=Testlab/CN=Testlab BCC, issuer: /emailAddress=harry_sufehmi@mydomain.com/C=US/ST=Midlands/L=Nham/O=BCC/OU=Testlab/CN=Testlab BCC
TLS certificate verification: depth: 0, err: 0, subject: /CN=open-pri-dc.bcc.test, issuer: /emailAddress=harry_sufehmi@mydomain.com/C=US/ST=Midlands/L=Nham/O=BCC/OU=Testlab/CN=Testlab BCC
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=194, written=194
0000: 16 03 01 00 07 0b 00 00 03 00 00 00 16 03 01 00
<<<---- hex output deleted ---->>>
00c0: 73 ab s.
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 20 ....
tls_read: want=32, got=32
0000: 41 59 21 84 c6 55 9d ec 47 b6 59 65 60 86 f7 ac AY!..U..G.Ye`...
0010: 9d df b3 07 4c fe ef 9c e8 0e c7 2f 34 40 80 b8 ....L....../4@..
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=open-pri-dc.bcc.test
ldap_err2string
Error: LDAP SASL for open-pri-dc.bcc.test:636 failed: Local error
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
0000: 30 05 02 01 01 42 00 0....B.
tls_write: want=28, written=28
0000: 17 03 01 00 17 4d 4f 9b a3 25 03 b8 b3 23 db 27 .....MO..%...#.'
0010: 67 62 75 5a 3f c9 13 41 83 db 17 64 gbuZ?..A...d
ldap_write: want=7, written=7
0000: 30 05 02 01 01 42 00 0....B.
ldap_free_connection: actually freed
tls_write: want=23, written=23
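To audit what slurpd is about to push to a replica, it helps to read the replication file in the same shape as the one attached above. The following is an added example (not OpenLDAP code, not from the poster) that parses replog entries into records and flags a replica target given as a bare IP address, which will not match the CN=open-pri-dc.bcc.test server certificate that TLS verification shows; the sample input is constructed from the attached replica file.

```python
"""Parse slurpd replication-log (replog) entries and check replica targets."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample, copied from the replica file attached to the post.
SAMPLE_REPLOG = """replica: open-pri-dc.bcc.test:636
time: 1100856154
dn: ou=testing3,ou=housing,dc=bcc,dc=test
changetype: add
ou: testing3
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 4a8d0a38-ce58-1028-8535-df4555169973
creatorsName: cn=administrator,cn=users,dc=bcc,dc=test
createTimestamp: 20041119092234Z
entryCSN: 20041119092234Z#000001#00#000000
modifiersName: cn=administrator,cn=users,dc=bcc,dc=test
modifyTimestamp: 20041119092234Z
"""

@dataclass
class ReplogEntry:
    replicas: list                  # "host:port" targets from 'replica:' lines
    time: int                       # Unix timestamp from the 'time:' line
    dn: str
    changetype: str
    attrs: dict = field(default_factory=dict)  # attribute -> list of values

def parse_replog(text: str) -> list:
    """Split the replog on blank lines; each block is one change record.
    Assumes the layout shown in the post (replica/time header, then LDIF);
    LDIF folded continuation lines (leading space) are joined to the previous
    line, base64 '::' values are kept verbatim."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]        # unfold LDIF continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        replicas, attrs, when, dn, changetype = [], {}, None, None, None
        for line in lines:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "replica":
                replicas.append(value)
            elif key == "time":
                when = int(value)
            elif key == "dn":
                dn = value
            elif key == "changetype":
                changetype = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append(ReplogEntry(replicas, when, dn, changetype, attrs))
    return entries

def replica_host_is_ip(target: str) -> bool:
    """True when a replica target names a bare IP (v4 or bracketed v6) rather
    than a hostname, the case that made TLS hostname checking complain."""
    host = target.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False
```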