Re: LDAPS Multi-master replication
- To: Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru>
- Subject: Re: LDAPS Multi-master replication
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Tue, 28 Jan 2020 13:06:16 -0800
- Cc: openldap-technical@openldap.org
- In-reply-to: <7424ED6F-A2AE-492C-A689-282035F8E084@wildberries.ru>
- References: <F9C7D881-F948-4570-BF1E-114BFAC84933@wildberries.ru> <CFE59327F194E4866308C40F@[192.168.1.144]> <7424ED6F-A2AE-492C-A689-282035F8E084@wildberries.ru>
Hello,
Please keep replies on the list.
--On Tuesday, January 28, 2020 8:06 AM +0000 Клеусов Владимир Сергеевич <Kleusov.Vladimir@wildberries.ru> wrote:
> Fixed
Not sure what you're saying was fixed. There were not really any errors
discussed in your prior email, simply a note that the replication you were
configuring would only replicate the cn=config database. Your
modification appears to keep that behavior.
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcSyncRepl
> olcSyncRepl: rid=001 provider=ldaps://infra-ldap-m9.wb.ru
>  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
>  binddn="cn=admin,cn=config" starttls=no
>  tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
>  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
>  type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=002 provider=ldaps://infra-ldap.dl.wb.ru
>  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
>  binddn="cn=admin,cn=config" credentials=5fX?BLR2 starttls=no
>  tls_cert="/etc/ldap/sasl2/w.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
>  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
>  type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=003 provider=ldaps://infra-ldap.dp.wb.ru
>  searchbase="cn=config" bindmethod=simple credentials=5fX?BLR2
>  binddn="cn=admin,cn=config" starttls=no
>  tls_cert="/etc/ldap/sasl2/wb.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key"
>  tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow
>  type=refreshAndPersist retry="5 5 300 5" timeout=1
Your above configuration seems very odd. You are not doing client cert
authentication via SASL EXTERNAL, and yet you've specified a client cert
and key. I would expect the only TLS configuration bits to be for the CA
cert.
> But in logs on each server
> slap_client_connect: URI=ldaps://infra-ldap.dl.wb.ru DN="cn=admin,cn=config" ldap_sasl_bind_s failed
So it's not able to bind with the configuration to the other server.
> openssl s_client -connect infra-ldap.dp.wb.ru:636
> Verify return code: 0 (ok)
> Do I need to specify port 636 in steps 5 and 7? For example, it was
> ldaps://infra-ldap-m9.wb.ru and will become ldaps://infra-ldap-m9.wb.ru:636
No, port 636 is the default for ldaps.
> And how else can you figure out what's wrong?
I would use the ldapwhoami utility to ensure you can bind with the
specified identity to each server.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
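The following is an added example, not code from this thread or from OpenLDAP, that turns the points made in the reply into a check you can run on a consumer before touching cn=config: it flags a client cert/key configured without SASL EXTERNAL, keywords given twice, a searchbase that only covers cn=config, and tls_reqcert=allow (which lets slapd proceed even when the provider's certificate is bad or missing); it emits a cleaned value; and it tests the bind with ldapwhoami as the reply suggests. The host names are those from the thread, the stanza is the posted rid=002 value flattened to one line with the password replaced by a placeholder, and the function names are my own. The lint and clean-up parts run offline; the bind check needs the OpenLDAP client tools and network access to the provider.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP: sanity-check an
# olcSyncRepl value for the points raised in the reply (client cert without
# SASL EXTERNAL, repeated keywords, searchbase limited to cn=config,
# tls_reqcert=allow), emit a cleaned value, and test the provider bind with
# ldapwhoami. Host names are the thread's; the password is a placeholder.

# Constructed sample: the posted rid=002 stanza on one line, password -> "secret".
SAMPLE='rid=002 provider=ldaps://infra-ldap.dl.wb.ru searchbase="cn=config" bindmethod=simple credentials=secret binddn="cn=admin,cn=config" credentials=secret starttls=no tls_cert="/etc/ldap/sasl2/w.ru.crt" tls_key="/etc/ldap/sasl2/wb.ru.key" tls_cacert="/etc/ldap/sasl2/commercial_ca.crt" tls_reqcert=allow type=refreshAndPersist retry="5 5 300 5" timeout=1'

# syncrepl_get KEY SPEC: value of the last KEY=... in SPEC, quotes stripped;
# prints nothing when KEY is absent.
syncrepl_get() {
  printf ' %s\n' "$2" | sed -n \
    -e 's/.*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p' \
    -e 't' \
    -e 's/.*[[:space:]]'"$1"'=\([^[:space:]]*\).*/\1/p'
}

# syncrepl_count KEY SPEC: how many times KEY= occurs in SPEC.
syncrepl_count() {
  printf ' %s\n' "$2" | tr ' \t' '\n\n' | grep -c "^$1=" || true
}

# syncrepl_lint SPEC: one line per problem found; returns 1 if there were any.
syncrepl_lint() {
  spec=$1 n=0
  method=$(syncrepl_get bindmethod "$spec")
  if [ "$method" != sasl ] &&
     { [ -n "$(syncrepl_get tls_cert "$spec")" ] || [ -n "$(syncrepl_get tls_key "$spec")" ]; }; then
    echo "tls_cert/tls_key set but bindmethod=$method: a client cert only matters for SASL EXTERNAL; a simple bind over ldaps needs only tls_cacert"
    n=$((n + 1))
  fi
  for key in provider binddn credentials searchbase bindmethod; do
    c=$(syncrepl_count "$key" "$spec")
    if [ "$c" -gt 1 ]; then echo "$key= given $c times"; n=$((n + 1)); fi
  done
  if [ "$(syncrepl_get tls_reqcert "$spec")" = allow ]; then
    echo "tls_reqcert=allow accepts a bad or missing server certificate; use demand with the CA that signed the provider's cert"
    n=$((n + 1))
  fi
  if [ "$(syncrepl_get searchbase "$spec")" = cn=config ]; then
    echo "searchbase=cn=config replicates only the config database; each data DIT needs its own olcSyncRepl on its olcDatabase entry"
    n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# syncrepl_harden SPEC: drop the unused client cert/key and require server
# certificate verification. Repeated keywords are reported, not auto-fixed.
syncrepl_harden() {
  printf '%s\n' "$1" | sed \
    -e 's/ tls_cert="[^"]*"//' -e 's/ tls_cert=[^ ]*//' \
    -e 's/ tls_key="[^"]*"//'  -e 's/ tls_key=[^ ]*//' \
    -e 's/ tls_reqcert=allow/ tls_reqcert=demand/'
}

# syncrepl_bind_check SPEC: bind to the provider with the stanza's own identity.
# The password goes through -y (a file) rather than -w, so it is not visible in
# ps output. ldapwhoami exits with the LDAP result code: 49 = invalidCredentials,
# 255 (-1) = server down or TLS handshake failure.
syncrepl_bind_check() {
  spec=$1
  pwfile=$(mktemp) || return 1
  printf '%s' "$(syncrepl_get credentials "$spec")" >"$pwfile"
  LDAPTLS_CACERT=$(syncrepl_get tls_cacert "$spec") LDAPTLS_REQCERT=demand \
    ldapwhoami -H "$(syncrepl_get provider "$spec")" -x \
      -D "$(syncrepl_get binddn "$spec")" -y "$pwfile"
  rc=$?
  rm -f "$pwfile"
  case $rc in
    0)   echo "bind OK" ;;
    49)  echo "invalidCredentials: check binddn/credentials against the provider (for cn=config, its olcRootDN/olcRootPW)" ;;
    255) echo "cannot contact provider: check DNS, port 636 and that tls_cacert covers the server certificate" ;;
    *)   echo "ldapwhoami exit $rc" ;;
  esac
  return $rc
}

# Run as: sh syncrepl-check.sh --check   (uses SAMPLE; substitute your own value)
if [ "${1:-}" = --check ]; then
  syncrepl_lint "$SAMPLE"
  echo "cleaned: $(syncrepl_harden "$SAMPLE")"
  syncrepl_bind_check "$(syncrepl_harden "$SAMPLE")"
fi
```

To run it against a live consumer, replace SAMPLE with the value slapd actually holds, for example from `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={0}config,cn=config' olcSyncRepl` (LDIF continuation lines joined). A bind that succeeds from ldapwhoami but still fails in the slapd log points at a difference between the stanza and what you tested (typically the credentials or the CA file the server process can read); a 49 or 255 here reproduces the problem without waiting for the syncrepl retry timer.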