Hi,
I am new to Openldap + Keberos project. I am setting up slurpd from ldap1(master) to ldap2(replica). I am hopping someone can give me some suggestion to troubleshoot this. I ran into this error when slurpd attempt to add new DN to ldap2.
This is the error when I run slurpd -d 4
begin replication thread for ldap2.test.domain:389
Initializing session to ldap2.test.domain:389
request done: ld 0x9b27778 msgid 1
bind to
ldap2.test.domain as host/krbmaster.test.domain@TEST.DOMAIN via GSSAPI (SASL)
request done: ld 0x9b27778 msgid 2
request done: ld 0x9b27778 msgid 3
request done: ld 0x9b27778 msgid 4
replica ldap2.test.domain:389 - add dn "uid=ppham4,ou=people,dc=test,dc=domain"
request done: ld 0x9b27778 msgid 5
Error: ldap_add_s failed adding DN "uid=ppham4,ou=people,dc=test,dc=domain": Referral
Error: ldap operation failed, data written to
"/var/lib/ldap/replica/ldap2.test.domain:389.rej
Here's the slapd.conf on ldap1(master)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
disallow bind_simple
#security tls=1
#require authc
# Create a replication log in
/var/lib/ldap for use by slurpd.
# REPLICA: Comment this out on the replicas
replogfile /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP
DNs
# This leaves "username/admin" principals untouched
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
# This should be a ^ plus, not a star, but slapd won't accept it
# REPLICA:
# On replica servers replace the first line of each section below (the
# line that allows /admin principals to write to things) with the
# following line (allowing
the primary server to write instead). Thus
# admins can make changes on the primary server, and the primary
# server can push changes to the replicas.
#by dn.exact="uid=host/foo.example.com,cn=GSSAPI,cn=auth" write
# Users with /admin principals can change anything
# Users can change their shell, anyone else can see it
access to attrs=loginShell
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self write
by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self read
by * none
# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read
sizelimit 5000
threads 8
loglevel 256
# Allow LDAPv2 for Mozilla's address book
#allow bind_v2
database bdb
suffix
"dc=test,dc=domain"
cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn "cn=Manager,dc=test,dc=domain"
rootpw Secret!
# The database directory MUST exist prior to running slapd
AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# REPLICA: Comment this out on replicas
replica host=ldap2.test.domain:389 tls=critical
bindmethod=sasl saslmech=GSSAPI
authcId=host/krbmaster.test.domain@TEST.DOMAIN
Here's the copy of my slapd.conf on replica ldap2 server:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include
/etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#referral ldap://root.openldap.org
#pidfile /var/run/slapd.pid
#argsfile /var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
# REPLICA: Comment this out on the replicas
#replogfile /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
access to attrs=loginShell
by
dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
by self write
by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
by self read
by * none
# Default read access for everything else
access to *
by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
sizelimit 5000
threads 8
idletimeout 14400
loglevel 256
# Allow LDAPv2 for Mozilla's address book
allow bind_v2
database bdb
suffix "dc=test,dc=domain"
# Increase the size of slapd's entry cache. Note that this is a
cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn "cn=Manager,dc=test,dc=domain"
rootpw Secret!
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index
cn,mail,surname,givenname eq,subinitial
# The purpose of the updatedn is to tell slapd not to send the updateref
# if that DN tries to make changes. Any other user which attempts to
# submit a change will be refered to the master LDAP server found in
# updateref.
# REPLICA: Uncomment these on replicas
updatedn "uid=host/krbmaster.test.domain"
updateref ldaps://ldap1.test.domain/
Greatly appreciate any help.
Thanks
Phil