OpenLdap replication with kerberos problem

Postby vinss95 » 2018-07-11 16:14

Hello,

I'm trying to configure syncrepl with my LDAP. I configured my master correctly, but it is impossible to replicate to the consumer...
I followed this tutorial http://www.rjsystems.nl/en/2100-d6-open ... rberos.php but without success. I'm on Debian 8.8.

My error on my slave is:

Jul 11 18:11:40 sldap04 slapd[8179]: slap_client_connect: URI=ldap://ldap01.example.com:389/ ldap_sasl_interactive_bind_s failed (-2)
Jul 11 18:11:40 sldap04 slapd[8179]: do_syncrepl: rid=004 rc -2 retrying (4 retries left)


In the tutorial, they say we must configure kstart with /etc/inittab, so I installed sysvinit and tried to add:

KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h -k /tmp/krb5cc_2002 -o openldap

Nothing happened after that.

The UID here is the openldap account of the master LDAP tree, not the local account. I also tested with the local account; it does not work.

I think that since my slave cannot get the TGT tickets, it cannot replicate the database. But I cannot make everything work.

So a quick search for data on my LDAP slave gives:


ldapsearch -H ldap://ldap02.example.com

SASL/GSSAPI authentication started
SASL username: admin@LAINE.FR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=laine,dc=fr> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

No such object...
I tried to launch the command by hand without success.

Would someone have any idea?

For info, here is my slave database file:


dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: bc8f001a-1899-1038-8436-5db4e409c09b
creatorsName: cn=admin,cn=config
createTimestamp: 20180710143154Z
olcAccess: {0}to * by users read by * none
olcRootDN: cn=admin,dc=laine,dc=fr
olcSuffix: dc=laine,dc=fr
olcUpdateRef: "ldap://ldap01.example.com:389/"
olcSyncrepl: {0}rid=004 provider="ldap://ldap01.example.com:389/" type=refreshAndPersist retry="60 30 300 +" searchbase="dc=laine,dc=fr" bindmethod=sasl saslmech=gssapi
entryCSN: 20180710182425.191328Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710182425Z

And the master:

dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=laine,dc=fr
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 47922790-1896-1038-9dc8-bbdd7d61784e
creatorsName: cn=admin,cn=config
createTimestamp: 20180710140709Z
olcAccess: {0}to attrs=userPassword,shadowLastChange by * none
olcAccess: {1}to attrs=loginShell by self write by users read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by users read by * none
olcRootDN: uid=admin,ou=people,dc=laine,dc=fr
entryCSN: 20180710143558.027662Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710143558Z

cn=config of master:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 c19b38ef
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 4791b530-1896-1038-9dbe-bbdd7d61784e
creatorsName: cn=config
createTimestamp: 20180710140709Z
olcAuthzRegexp: {0}uid=([^,]+),cn=laine.fr,cn=gssapi,cn=auth uid=$1,ou=people,dc=laine,dc=fr
olcAuthzRegexp: {1}uid=admin,cn=laine.fr,cn=gssapi,cn=auth uid=admin,dc=laine,dc=fr
olcSaslRealm: LAINE.FR
olcLogLevel: 256
olcServerID: 005
entryCSN: 20180711152503.776159Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180711152503Z

And of the slave:

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: bc8e8a90-1899-1038-842c-5db4e409c09b
creatorsName: cn=config
createTimestamp: 20180710143154Z
olcAuthzRegexp: {0}uid=([^,]+),cn=laine.fr,cn=gssapi,cn=auth uid=$1,ou=people,dc=laine,dc=fr
olcAuthzRegexp: {1}uid=admin,cn=laine.fr,cn=gssapi,cn=auth uid=admin,dc=laine,dc=fr
olcSaslRealm: LAINE.FR
olcSaslHost: ldap02.example.com
olcLogLevel: 256
entryCSN: 20180710194203.790280Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710194203Z

Thanks in advance :)
Vincent
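As an added illustration (not code from the post or from the tutorial it links), here is a small Python script that unfolds the consumer's LDIF, parses the olcSyncrepl value and correlates it with the two slapd log lines quoted above: a bindmethod=sasl/saslmech=gssapi consumer binds with whatever Kerberos credential cache the slapd process can read (KRB5CCNAME or the default cache of its service user), and rc -2 is LDAP_LOCAL_ERROR, a failure raised on the client side before any bind reached the provider. The LDIF and log samples are constructed after the post; the function names are my own.

```python
import re
import shlex

# Constructed after the consumer config quoted in the post.  LDIF folds long
# values: a continuation line starts with one space, which is dropped when
# unfolding, so a real space in the value must be written as a second space.
CONSUMER_LDIF = """\
dn: olcDatabase={1}mdb
olcUpdateRef: "ldap://ldap01.example.com:389/"
olcSyncrepl: {0}rid=004 provider="ldap://ldap01.example.com:389/" type=refresh
 AndPersist retry="60 30 300 +" searchbase="dc=laine,dc=fr" bindmethod=sasl
  saslmech=gssapi
"""

# Constructed after the two slapd log lines quoted in the post.
SLAVE_LOG = [
    "Jul 11 18:11:40 sldap04 slapd[8179]: slap_client_connect: "
    "URI=ldap://ldap01.example.com:389/ ldap_sasl_interactive_bind_s failed (-2)",
    "Jul 11 18:11:40 sldap04 slapd[8179]: do_syncrepl: rid=004 rc -2 retrying (4 retries left)",
]

def unfold_ldif(text):
    """Join folded continuation lines and return {attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the fold marker, append the rest
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs

def parse_syncrepl(value):
    """Turn 'rid=004 provider="..." type=...' into a dict (the {n} ordering prefix removed)."""
    value = re.sub(r"^\{\d+\}", "", value)
    return dict(tok.split("=", 1) for tok in shlex.split(value))

_BIND_FAIL = re.compile(r"ldap_sasl_interactive_bind_s failed \((-?\d+)\)")
_RETRY = re.compile(r"do_syncrepl: rid=(\d+) rc (-?\d+) retrying \((\d+) retries left\)")

def diagnose(ldif_text, log_lines):
    """Correlate the consumer's syncrepl settings with its log; return (config, findings)."""
    cfg = parse_syncrepl(unfold_ldif(ldif_text)["olcSyncrepl"][0])
    findings = []
    if cfg.get("bindmethod") == "sasl" and cfg.get("saslmech", "").lower() == "gssapi":
        findings.append("gssapi-bind-needs-ticket-cache")  # slapd never runs kinit itself
    for line in log_lines:
        m = _BIND_FAIL.search(line)
        if m and m.group(1) == "-2":                      # -2 == LDAP_LOCAL_ERROR (client side)
            findings.append("sasl-bind-local-error")
        m = _RETRY.search(line)
        if m and m.group(1) == cfg.get("rid"):
            findings.append("rid=%s rc=%s retries_left=%s" % m.groups())
    return cfg, findings
```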