slurpd -d9 --- Invalid credentials
- To: openLDAP software <openldap-software@OpenLDAP.org>
- Subject: slurpd -d9 --- Invalid credentials
- From: Steven Wong <slqwong@yahoo.com>
- Date: Sat, 15 Jul 2006 00:27:10 -0700 (PDT)
I'm not sure if I am missing anything or have configured something wrong.
Here is the setup I have, 3 LDAP servers and 2 clients:
1 LDAP master (server1) - RH 7.3 OpenLDAP (openldap-servers-2.0.27-2.7.)
1 LDAP slave (server2) - RH 7.3 OpenLDAP (openldap-servers-2.0.27-2.7.)
1 LDAP slave (server3) - FC 5 (openldap-servers-2.3.19-4)
1 LDAP client RH 7.3 (client1)
1 LDAP client FC5 (client2)
Using SSL/TLS. Each LDAP server signs its own CA cert.
"su - bmodi" or ldapsearch all appear to work, whichever LDAP server I put in the /etc/ldap.conf and /etc/openldap/ldap.conf files on any of the LDAP servers themselves.
Examples (only 1 LDAP server is in the ldap.conf file at a time):
server1 is client of server2 or server3 or itself
server2 is client of server1 or server3 or itself
server3 is client of server1 or server2 or itself
client1 or client2 are clients of any one of the LDAP servers (one at a time)
(ldapsearch command run: ldapsearch -D "cn=manager,dc=pro-unlimited,dc=com" -W -x -H ldaps://<server1 or server2 or server3>)
Some config layout info:
/etc/openldap/cacerts/cacert.pem has all three LDAP servers' certificates in it
/etc/openldap/server/ contains servercrt.pem and serverkey.pem
/etc/openldap/client/ contains clientcrt.pem and clientkey.pem
/etc/ldap.secret contains the passwd of the rootdn user
/root/.ldaprc contains the following (on master or client):
TLS_CERT /etc/openldap/client/clientcrt.pem
TLS_KEY /etc/openldap/client/clientkey.pem
TLS_REQCERT demand
On server1:
--------------------- /etc/openldap/slapd.conf -------------------------
TLSCipherSuite HIGH:MEDIUM:!LOW:+TLSv1:+SSLv3:!SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/server/servercrt.pem
TLSCertificateKeyFile /etc/openldap/server/serverkey.pem
replica host=<server2>:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        credentials={MD5}$1$ghofW1$RazQvsgWa/7dtiphrRRPe0
        bindmethod=simple
        tls=yes
replica host=<server3>:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        credentials={MD5}$1$ghofW1$RazQvsgWa/7dtiphrRRPe0
        bindmethod=simple
        tls=yes
---------------------- end of slapd.conf -----------------
---------------------- /etc/ldap.conf ----------------
host <server1>
base dc=pro-unlimited,dc=com
binddn uid=proxyuser,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com
bindpw proxypasswd
rootbinddn uid=sysadmin,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com
scope sub
(some other omitted settings...)
TLS_CACERTFILE /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/client/clientcrt.pem
TLS_KEY /etc/openldap/client/clientkey.pem
TLS_REQCERT demand
---------------------- end of /etc/ldap.conf -----------------
---------------------- /etc/openldap/ldap.conf ----------------
HOST <server1>
BASE dc=pro-unlimited,dc=com
TLS_CACERTFILE /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/client/clientcrt.pem
TLS_KEY /etc/openldap/client/clientkey.pem
TLS_REQCERT demand
---------------------- end of /etc/openldap/ldap.conf -----------------
Yet the problem appears to be with slurpd now, where I get the following while running "/usr/sbin/slurpd -d9" on the LDAP master (server1):
---------------- from stdout of slurpd -d9 -------------------
[root@<server1> openldap]# /usr/sbin/slurpd -d9    (some parts omitted, since too long)
.............
.....
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: <server3>
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying <server3 - IP>:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: host=<server3>
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 6
ldap_result msgid 1
......
.....
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: <server3> port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jul 14 17:23:30 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
.....
....
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, subject: /C=US/ST=California/O=Pro Unlimited, Inc./OU=IT Department/CN=<server3>/Email=<e-mail>, issuer: /C=US/ST=California/O=Pro Unlimited, Inc./OU=IT Department/CN=<server3>/Email=<e-mail>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 111 bytes to sd 6
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
........
......
...
ldap_read: message type bind msgid 2, original id 2
ber_scanf fmt ({iaa) ber:
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
Error: ldap_simple_bind_s for <server3>:389 failed: Invalid credentials
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
Retrying operation for DN uid=bmodi,ou=people,dc=pro-unlimited,dc=com on replica ks.pro-unlimited.com:389
slurpd: terminated.
-------------------- end of stdout of slurpd -d9 -------------------
Can someone point me in a direction or offer suggestions as to how to move forward?
If any additional info is needed, please let me know!
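Added example, not part of the original post and not OpenLDAP code. One thing worth checking in the posted slapd.conf: the `credentials=` keyword of the `replica` directive is, per slapd.conf(5), the cleartext password slurpd sends in its simple bind to the slave, yet the posted value looks like a stored `userPassword` hash. The slave compares whatever string arrives in the bind against the replicator entry's stored hash, so sending the hash itself as the password cannot verify, and the trace (TLS handshake fine, bind answered with "Invalid credentials") is consistent with that. This is a reading of the posted config, not a confirmed diagnosis. The script below parses `replica` stanzas out of a constructed slapd.conf excerpt modeled on the post, flags a `credentials=` value that carries a hash-scheme prefix, and reproduces the slave-side `{SSHA}` comparison to show why the hash-as-password bind fails. The host names, the sample password and the salt are made up for the example.

```python
"""Audit slurpd 'replica' stanzas for a hashed credentials= value and show why
a hash sent as the bind password fails verification on the slave.

Constructed example; nothing here contacts a server."""
import base64
import hashlib
import os
import re

# userPassword scheme prefixes that should never appear in credentials=.
# (Aside: OpenLDAP's {MD5} is base64(md5(pw)); a "$1$..." string is a
# crypt(3) MD5 hash, which slapd stores under {CRYPT}. Either way it is a
# stored hash, not a cleartext password.)
HASH_PREFIX = re.compile(r"^\{(MD5|SMD5|SHA|SSHA|CRYPT)\}", re.IGNORECASE)

# Constructed slapd.conf excerpt mirroring the layout of the posted one.
# server2 carries the posted (hashed) value, server3 a cleartext password.
SAMPLE_CONF = """\
# constructed sample, not a real configuration
replica host=server2:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        credentials={MD5}$1$ghofW1$RazQvsgWa/7dtiphrRRPe0
        bindmethod=simple
        tls=yes
replica host=server3:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        credentials=replicator-cleartext-password
        bindmethod=simple
        tls=yes
"""


def replica_stanzas(conf_text):
    """Return a list of {key: value} dicts, one per 'replica' directive.

    slapd.conf continuation lines begin with whitespace; the parser is kept
    minimal and only follows continuation lines of replica directives."""
    stanzas = []
    for line in conf_text.splitlines():
        if line.startswith("replica "):
            stanzas.append({})
            body = line[len("replica "):]
        elif stanzas and line[:1] in (" ", "\t"):
            body = line.strip()
        else:
            continue
        for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', body):
            stanzas[-1][m.group(1)] = m.group(2).strip('"')
    return stanzas


def check_credentials(stanza):
    """Return a problem description for one stanza, or None if it looks sane."""
    cred = stanza.get("credentials", "")
    if not cred:
        return "no credentials= set"
    if stanza.get("bindmethod", "simple") == "simple" and HASH_PREFIX.match(cred):
        prefix = cred.split("}")[0] + "}"
        return (f"credentials={prefix}... is a stored userPassword hash, "
                "not a cleartext password; slurpd binds with it literally")
    return None


def audit(conf_text):
    """Map each replica host to its problem string (None when ok)."""
    return {s.get("host"): check_credentials(s) for s in replica_stanzas(conf_text)}


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """What the slave does on a simple bind: re-hash the supplied password
    with the stored salt and compare against the stored digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


if __name__ == "__main__":
    for host, problem in audit(SAMPLE_CONF).items():
        print(f"{host}: {problem or 'ok'}")
    stored = ssha_hash("replicator-cleartext-password", salt=b"\x01\x02\x03\x04")
    print("cleartext as bind password:", ssha_verify("replicator-cleartext-password", stored))
    print("stored hash as bind password:", ssha_verify(stored, stored))
```

The fix implied by the check is to put the replicator's cleartext password in `credentials=` (and protect slapd.conf accordingly), keeping the hash only in the replicator entry's `userPassword` on each slave; a quick live check of the same thing is a simple bind to the slave as the replicator DN with ldapsearch or ldapwhoami using that cleartext password.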