[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Setting up syncrepl, replicated LDAP doesn't work
On my working master server openldap-2.3.27-8 under CentOS 5, I added:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On the slave server openldap-2.3.27-8.el5_2.4 under CentOS 5.2, I added:
syncrepl rid=123
provider=ldaps://primary-ldap-server:636
type=refreshOnly
interval=01:00:00:00
searchbase="dc=mydomain,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=syncuser,dc=mydomain,dc=com"
credentials=mysecret
ldap started on the slave server OK, and /var/lib/ldap has all of the
database files. On that server, from the command line, I can:
[root@ldap2 ~]# ldapsearch -xLLL -b
"dc=mydomain,dc=com" uid=joliver sn givenName cn
dn: uid=joliver,ou=People,dc=mydomain,dc=com
givenName: John
sn: Oliver
cn: John Oliver
But when I point another machine at that slave server, it won't
authenticate:
Jul 23 03:06:28 localhost login(pam_unix)[9475]: check pass; user
unknown
Jul 23 03:06:28 localhost login(pam_unix)[9475]: authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 23 03:06:28 localhost login[9475]: pam_ldap: ldap_search_s No such
object
Jul 23 03:06:30 localhost login[9475]: FAILED LOGIN 1 FROM (null) FOR
joliver, Authentication failure
[root@localhost ~]# ldapsearch -H
ldaps://ldap2.mydomain.com -b
"dc=mydomain,dc=com" uid=joliver sn givenName cn
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@localhost ~]# ldapsearch -H
ldap://ldap2.mydomain.com -b
"dc=mydomain,dc=com" uid=joliver sn givenName cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in
database
When using just ldap:// with ldapsearch, I don't know what password it's
asking for. My LDAP password doesn't work, the LDAP admin password
doesn't work, the local root password doesn't work...
Here's the odd thing. When I started setting this up, the machine
that's the primary (and working) LDAP server now was running fedora-ds.
I set up OpenLDAP on what is now the slave server, and it worked
perfectly. I slapcat'ed it, installed OpenLDAP on the primary server,
and slapadded the db. I never generated any certificates on it at all,
and it works perfectly. I just regenerated the cert on the slave
server, but no joy.
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************