[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: any help on "ldap_sasl_bind_s failed (53)"
hello,
well, if the replicator account is
cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp yes that is the dn
you have to use in the slave configuration.
you see, replication is just a particular search that is done by the
slave from the master.
you have to make sure the replicator account used to connect to the
master is able to read all attributes that you want to replicate
(hence the acls)
2014-11-19 13:41 GMT+04:00 wailok tam <wailoktam@yahoo.com>:
>
>
> thx for your reply.
>
> do i put in the slave conf file the same thing as the following command?
>
>> ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D > 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
>
> ------------------------------
> On Wed, Nov 19, 2014 9:25 AM GMT Jephte Clain wrote:
>
>>hello,
>>
>>I would say, try to understand the meaning of what you do. The
>>openldap admin guide is a good place to start.
>>
>>- for instance, on the slave, you bind to the master with dn
>>uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp and password
>>secretofreplicator
>>does this objet exist *on the master*? with the right password? does
>>this account have the right acl to read everything on the master
>>(i.e., on the master, the acl is defined for cn=replicator,... which
>>is not the same as uid=replicator,...)
>>- also, why would you use the replicator dn as the rootdn for the slave?
>>
>>one last thing: I advise you change the password of both the master
>>and slave. posting the file with the hash password of the root dn on
>>the internet is not a good idea :-)
>>
>>good luck
>>
>>
>>2014-11-19 11:38 GMT+04:00 wailok tam <wailoktam@yahoo.com>:
>>> Hi, I am new to ldap. I am following the book "Mastering Openldap" to set up
>>> replication
>>> but I am getting the error given in the title when I start the slave with
>>> "splad -d sync" . Replication does
>>> not work.
>>>
>>> ******************************************************************************************************
>>>
>>> slapd.conf of the Master:
>>>
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/cosine.schema
>>> include /etc/openldap/schema/inetorgperson.schema
>>> include /etc/openldap/schema/nis.schema
>>> include /etc/openldap/schema/samba.schema
>>>
>>>
>>> #modulepath /usr/lib/openldap
>>> #moduleload syncprov.la
>>>
>>> # Allow LDAPv2 client connections. This is NOT the default.
>>> allow bind_v2
>>>
>>> # Do not enable referrals until AFTER you have a working directory
>>> # service AND an understanding of referrals.
>>> #referral ldap://root.openldap.org
>>>
>>> pidfile /var/run/openldap/slapd.pid
>>> argsfile /var/run/openldap/slapd.args
>>>
>>> #sasl-realm ier.hit-u.ac.jp
>>> #sasl-host localhost
>>> #authz-regexp uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth
>>> cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp
>>>
>>> #######################################################################
>>> # ldbm and/or bdb database definitions
>>> #######################################################################
>>>
>>> database bdb
>>> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
>>> rootpw secret
>>> #password-hash {MD5}
>>> directory /var/lib/ldap
>>>
>>> TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
>>> TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
>>> TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
>>>
>>> overlay syncprov
>>> syncprov-checkpoint 50 10
>>> syncprov-sessionlog 100
>>>
>>> # Indices to maintain for this database
>>> index objectClass eq,pres
>>> index ou,cn,mail,surname,givenname eq,pres,sub
>>> index uidNumber,gidNumber,loginShell eq,pres
>>> index uid,memberUid eq,pres,sub
>>> index nisMapName,nisMapEntry eq,pres,sub
>>> index entryCSN,entryUUID eq
>>> idlcachesize 1000
>>>
>>>
>>> access to attrs=userPassword
>>> by self write
>>> by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>>> by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>>> by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>>> by anonymous auth
>>> by * none
>>>
>>>
>>>
>>> access to attrs=SambaLMPassword,SambaNTPassword
>>> by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>>> by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>>> by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>>> by self read
>>> by anonymous auth
>>> by * none
>>>
>>> access to *
>>> by self write
>>> by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>>> by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>>> by * read
>>>
>>> *****************************************************************************************************
>>>
>>> sladp.conf of the slave:
>>>
>>> include /etc/openldap/schema/core.schema
>>> include /etc/openldap/schema/cosine.schema
>>> include /etc/openldap/schema/inetorgperson.schema
>>> include /etc/openldap/schema/nis.schema
>>> include /etc/openldap/schema/samba.schema
>>>
>>> # Allow LDAPv2 client connections. This is NOT the default.
>>> allow bind_v2
>>>
>>> # Do not enable referrals until AFTER you have a working directory
>>> # service AND an understanding of referrals.
>>> #referral ldap://root.openldap.org
>>>
>>> pidfile /var/run/openldap/slapd.pid
>>> argsfile /var/run/openldap/slapd.args
>>>
>>> #######################################################################
>>> # ldbm and/or bdb database definitions
>>> #######################################################################
>>>
>>> database bdb
>>> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> #rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
>>> rootpw secretofreplicator
>>> #password-hash {MD5}
>>> directory /var/lib/ldap
>>> #TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
>>> #TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
>>> #TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
>>>
>>>
>>> # Replicas of this database
>>> #updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp
>>> #updateref uri=ldap://192.168.84.22
>>>
>>> # Indices to maintain for this database
>>> index objectClass eq,pres
>>> index ou,cn,mail,surname,givenname eq,pres,sub
>>> index uidNumber,gidNumber,loginShell eq,pres
>>> index uid,memberUid eq,pres,sub
>>> index nisMapName,nisMapEntry eq,pres,sub
>>> index entryCSN,entryUUID eq
>>> idlcachesize 1000
>>>
>>>
>>> #access to attrs=userPassword
>>> # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>>> # by self write
>>> # by anonymous auth
>>> # by * none
>>>
>>>
>>> #access to *
>>> # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>>> # by self write
>>> # by * read
>>>
>>>
>>>
>>>
>>> #loglevel stats sync
>>>
>>> syncrepl rid=001
>>> provider=ldap://mail.ier.hit-u.ac.jp
>>> type=refreshAndPersist
>>> interval=00:00:05:00
>>> searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>>> bindmethod=simple
>>> # bindmethod=sasl saslmech=DIGEST-MD5
>>> # authcid=replicator
>>> credentials=secretofreplicator
>>>
>>> updateref ldap://mail.ier.hit-u.ac.jp/
>>>
>>>
>>> *****************************************************************************************
>>> what puzzles me is that:
>>>
>>> I try on the slave to access the master with
>>> ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D
>>> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
>>>
>>> and it works.
>>>
>>> What is wrong? I really need your help.
>>>
>>>
>>
>>
>>
>>--
>>cordialement,
>>Jephté Clain
>>Direction des Systèmes d'Information
>>et des Usages Numériques - 2IG
>>Tél. 0262 93 86 31
>>Fax. 0262 93 81 06
>>
>
--
cordialement,
Jephté Clain
Direction des Systèmes d'Information
et des Usages Numériques - 2IG
Tél. 0262 93 86 31
Fax. 0262 93 81 06