
Re: slurpd -d9 --- Invalid credentials



Steven,

I tried once to use the MD5 hashing in the format you are using and it did not work, i.e. {MD5}$1$23r8j92hf23hf23f etc. I was creating the MD5 hash by changing my root password on a linux box, then looking in /etc/shadow and copying that hash to my LDAP credentials= lines. It didn't seem to work.

I ended up making an MD5 password USING OpenLDAP, in the sense that I used my user account to make a password, looked at that hash, then copied that hash over to the credentials= line in slapd.conf (or the rootpw line, for that matter). The formatting was different, something like {MD5}3ij3ijoir2je2o3== (note there are no '$' characters in it, and there are always 2 '=' characters at the end).

Not sure if this is the crux of your problem but it could be....

ciao, erich

Steven Wong wrote:
I'm not sure if I am missing anything or configured something wrong.

Here is the setup I have: 3 LDAP servers
1 LDAP master (server1) - RH 7.3 OpenLDAP (openldap-servers-2.0.27-2.7.)
1 LDAP slave (server2) - RH 7.3 OpenLDAP (openldap-servers-2.0.27-2.7.)
1 LDAP slave (server3) - FC 5 (openldap-servers-2.3.19-4)
1 LDAP client RH 7.3 (client1)
1 LDAP client FC5 (client2)

Using SSL/TLS. Each LDAP server signs its own CA cert.
"su - bmodi" or ldapsearch all appear to work, whichever LDAP server I put in the /etc/ldap.conf and /etc/openldap/ldap.conf file on any of the LDAP servers themselves.
examples ( only 1 LDAP server is in the ldap.conf file at a time )
server1 is client of server2 or server3 or itself
server2 is client of server1 or server3 or itself
server3 is client of server1 or server2 or itself
client1 or client2 are clients of either of the LDAP servers ( one at a time )
( ldapsearch command run - ldapsearch -D "cn=manager,dc=pro-unlimited,dc=com" -W -x -H ldaps://<server1 or server2 or server3> )


Some config layout info
/etc/openldap/cacerts/cacert.pem has all three LDAP servers' certificates in it
/etc/openldap/server/ contains servercrt.pem and serverkey.pem
/etc/openldap/client/ contains clientcrt.pem and clientkey.pem
/etc/ldap.secret contains the passwd of the rootdn user
/root/.ldaprc contains the following ( on master or client  )
TLS_CERT        /etc/openldap/client/clientcrt.pem
TLS_KEY         /etc/openldap/client/clientkey.pem
TLS_REQCERT demand

On server1
---------------------    /etc/openLDAP/slapd.conf  -------------------------
TLSCipherSuite  HIGH:MEDIUM:!LOW:+TLSv1:+SSLv3:!SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/server/servercrt.pem
TLSCertificateKeyFile /etc/openldap/server/serverkey.pem

replica host=<server2>:389
        suffix="dc=pro-unlimited,dc=com"
        binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
        credentials={MD5}$1$ghofW1$RazQvsgWa/7dtiphrRRPe0
        bindmethod=simple
        tls=yes
 replica host=<server3>:389
         suffix="dc=pro-unlimited,dc=com"
         binddn="uid=replicator,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com"
         credentials={MD5}$1$ghofW1$RazQvsgWa/7dtiphrRRPe0
         bindmethod=simple
         tls=yes
---------------------- end of slapd.conf   -----------------

---------------------- /etc/ldap.conf ----------------
host <server1>
base dc=pro-unlimited,dc=com
binddn uid=proxyuser,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com
bindpw proxypasswd
rootbinddn uid=sysadmin,ou=ldapbods,ou=people,dc=pro-unlimited,dc=com
scope sub
some other omitted settings...


TLS_CACERTFILE /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/client/clientcrt.pem
TLS_KEY /etc/openldap/client/clientkey.pem
TLS_REQCERT demand
---------------------- end of /etc/ldap.conf -----------------
---------------------- /etc/openldap/ldap.conf ----------------
HOST <server1>
BASE dc=pro-unlimited,dc=com
TLS_CACERTFILE /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/client/clientcrt.pem
TLS_KEY /etc/openldap/client/clientkey.pem
TLS_REQCERT demand
---------------------- end of /etc/openldap/ldap.conf -----------------



Yet the problem appears to be with slurpd now, where I get the following while running "/usr/sbin/slurpd -d9" on the LDAP master (server1)

----------------  from stdout of slurpd -d9 -------------------
[root@<server1>openldap]# /usr/sbin/slurpd -d9    ( some parts omitted.. since too long )
.............
.....
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: <server3>
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying <server3 - IP>:389
ldap_connect_timeout: fd: 6 tm: -1 async: 0
ldap_ndelay_on: 6
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_int_sasl_open: host=<server3>
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 31 bytes to sd 6
ldap_result msgid 1
......
.....
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: <server3>  port: 389  (default)
  refcnt:  2  status: Connected
  last used: Fri Jul 14 17:23:30 2006

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
do_ldap_select
.....
....
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({iaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace:  SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, subject: /C=US/ST=California/O=Pro Unlimited, Inc./OU=IT Department/CN=<server3>/Email=<e-mail>, issuer: /C=US/ST=California/O=Pro Unlimited, Inc./OU=IT Department/CN=<server3>/Email=<e-mail>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush  data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_flush: 111 bytes to sd 6
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
........
......
...
ldap_read: message type bind msgid 2, original id  2
ber_scanf fmt ({iaa) ber:
read1msg:  0 new referrals
read1msg:  mark request completed, id = 2
request 2 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
Error: ldap_simple_bind_s for <server3>:389 failed: Invalid credentials
ldap_unbind
ldap_free_connection
ldap_send_unbind
ber_flush: 7 bytes to sd 6
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
Retrying operation for DN uid=bmodi,ou=people,dc=pro-unlimited,dc=com on replica ks.pro-unlimited.com:389
slurpd: terminated.
--------------------   end of stdout of slurpd -d9  -------------------


Can someone point me in a direction or suggestions as to how to move forward? If any additional info is needed, please let me know!