OpenLdap replication with kerberos problem

vinss95
Posts: 1
Joined: 2018-07-11 16:11

#1 Post by vinss95 »

Hello,

I am trying to configure syncrepl with my LDAP. I configured my master correctly, but it is impossible to replicate to the consumer...
I followed this tutorial http://www.rjsystems.nl/en/2100-d6-open ... rberos.php but without success. I'm on Debian 8.8.

The error on my slave is:

Jul 11 18:11:40 sldap04 slapd[8179]: slap_client_connect: URI=ldap://ldap01.example.com:389/ ldap_sasl_interactive_bind_s failed (-2)
Jul 11 18:11:40 sldap04 slapd[8179]: do_syncrepl: rid=004 rc -2 retrying (4 retries left)


In the tutorial, they say we must configure kstart via /etc/inittab, so I installed sysvinit and tried to add:

KS:2345:respawn:/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -l 24h -k /tmp/krb5cc_2002 -o openldap
Nothing happened after that.

The UID here is the openldap account of the master LDAP tree, not the local account. I also tested with the local account; it does not work.

I think that since my slave cannot get a TGT, it cannot replicate the database. But I cannot get everything to work.

So a quick search for data on my LDAP slave gives:


ldapsearch -H ldap://ldap02.example.com

SASL/GSSAPI authentication started
SASL username: admin@LAINE.FR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=laine,dc=fr> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1

No such object...
I tried to launch the command by hand, without success.

Does anyone have any idea?

For info, here is my slave database file:


dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: bc8f001a-1899-1038-8436-5db4e409c09b
creatorsName: cn=admin,cn=config
createTimestamp: 20180710143154Z
olcAccess: {0}to * by users read by * none
olcRootDN: cn=admin,dc=laine,dc=fr
olcSuffix: dc=laine,dc=fr
olcUpdateRef: "ldap://ldap01.example.com:389/"
olcSyncrepl: {0}rid=004 provider="ldap://ldap01.example.com:389/" type=refreshAndPersist retry="60 30 300 +" searchbase="dc=laine,dc=fr" bindmethod=sasl saslmech=gssapi
entryCSN: 20180710182425.191328Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710182425Z

And the master:
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=laine,dc=fr
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 47922790-1896-1038-9dc8-bbdd7d61784e
creatorsName: cn=admin,cn=config
createTimestamp: 20180710140709Z
olcAccess: {0}to attrs=userPassword,shadowLastChange by * none
olcAccess: {1}to attrs=loginShell by self write by users read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by users read by * none
olcRootDN: uid=admin,ou=people,dc=laine,dc=fr
entryCSN: 20180710143558.027662Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710143558Z

cn=config of the master:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 c19b38ef
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 4791b530-1896-1038-9dbe-bbdd7d61784e
creatorsName: cn=config
createTimestamp: 20180710140709Z
olcAuthzRegexp: {0}uid=([^,]+),cn=laine.fr,cn=gssapi,cn=auth uid=$1,ou=people,dc=laine,dc=fr
olcAuthzRegexp: {1}uid=admin,cn=laine.fr,cn=gssapi,cn=auth uid=admin,dc=laine,dc=fr
olcSaslRealm: LAINE.FR
olcLogLevel: 256
olcServerID: 005
entryCSN: 20180711152503.776159Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180711152503Z

And of the slave:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: bc8e8a90-1899-1038-842c-5db4e409c09b
creatorsName: cn=config
createTimestamp: 20180710143154Z
olcAuthzRegexp: {0}uid=([^,]+),cn=laine.fr,cn=gssapi,cn=auth uid=$1,ou=people,dc=laine,dc=fr
olcAuthzRegexp: {1}uid=admin,cn=laine.fr,cn=gssapi,cn=auth uid=admin,dc=laine,dc=fr
olcSaslRealm: LAINE.FR
olcSaslHost: ldap02.example.com
olcLogLevel: 256
entryCSN: 20180710194203.790280Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180710194203Z

Thanks in advance :)
Vincent
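An added example for readers triaging the failure above from the consumer side; it is not code from the original post or from the tutorial it cites. The rc -2 that slapd logs is libldap's LDAP_LOCAL_ERROR: the SASL/GSSAPI bind failed on the consumer before the provider answered, which with GSSAPI typically means slapd itself had no usable Kerberos credential cache (k5start not running, or KRB5CCNAME not exported into slapd's environment; on Debian that is normally done in /etc/default/slapd, which this example assumes). Since the bind has never succeeded, the consumer database is still empty, which is why the base search returns result 32, No such object. The log lines and the defaults file in the block are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for a syncrepl
# consumer that binds to its provider with SASL/GSSAPI. The log lines and the
# defaults file used below are constructed; /etc/default/slapd as the place
# where slapd's environment is set is an assumption about a Debian install.

# Map the rc that slapd logs in "do_syncrepl: rid=NNN rc N" to its name.
# Negative values are libldap client-side codes: the request never got a
# result from the provider. Positive values are LDAP result codes that the
# provider actually returned.
rc_name() {
    case "$1" in
        -1)  echo LDAP_SERVER_DOWN ;;
        -2)  echo LDAP_LOCAL_ERROR ;;
        -5)  echo LDAP_TIMEOUT ;;
        -11) echo LDAP_CONNECT_ERROR ;;
        0)   echo LDAP_SUCCESS ;;
        32)  echo LDAP_NO_SUCH_OBJECT ;;
        49)  echo LDAP_INVALID_CREDENTIALS ;;
        50)  echo LDAP_INSUFFICIENT_ACCESS ;;
        *)   echo UNKNOWN ;;
    esac
}

# Read slapd log lines on stdin; print "rid rc name side" for each retry line.
parse_syncrepl_log() {
    sed -n 's/.*do_syncrepl: rid=\([0-9][0-9]*\) rc \(-*[0-9][0-9]*\).*/\1 \2/p' |
    while read -r rid rc; do
        case "$rc" in
            -*) side=consumer-side ;;
            *)  side=provider-returned ;;
        esac
        echo "$rid $rc $(rc_name "$rc") $side"
    done
}

# Print the credential cache a sh-style defaults file exports to slapd via
# KRB5CCNAME, or "unset". GSSAPI inside slapd can only use a ticket cache that
# slapd's own environment points at; a cache k5start writes for the openldap
# user is invisible to slapd unless this variable reaches the daemon.
krb5ccname_from_defaults() {
    v=$(sed -n 's/^[[:space:]]*export[[:space:]]*KRB5CCNAME=\(.*\)$/\1/p' "$1" | tail -n 1 | tr -d '"')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Constructed sample: the two lines from the post plus a contrasting line in
# which the provider itself rejects the bind.
sample_log='Jul 11 18:11:40 sldap04 slapd[8179]: slap_client_connect: URI=ldap://ldap01.example.com:389/ ldap_sasl_interactive_bind_s failed (-2)
Jul 11 18:11:40 sldap04 slapd[8179]: do_syncrepl: rid=004 rc -2 retrying (4 retries left)
Jul 11 18:12:40 sldap04 slapd[8179]: do_syncrepl: rid=004 rc 49 retrying (3 retries left)'

printf '%s\n' "$sample_log" | parse_syncrepl_log

# Constructed defaults file standing in for /etc/default/slapd.
tmp=$(mktemp)
printf 'SLAPD_SERVICES="ldap:/// ldapi:///"\nexport KRB5CCNAME=/tmp/krb5cc_2002\n' > "$tmp"
echo "slapd credential cache: $(krb5ccname_from_defaults "$tmp")"
rm -f "$tmp"

# Live checks to run on the consumer itself (not executed here):
#   klist -kt /etc/krb5.keytab        # k5start -U takes the FIRST principal listed
#   sudo -u openldap env KRB5CCNAME=/tmp/krb5cc_2002 klist      # valid TGT in slapd's cache?
#   sudo -u openldap env KRB5CCNAME=/tmp/krb5cc_2002 \
#       ldapwhoami -Y GSSAPI -H ldap://ldap01.example.com/
# ldapwhoami prints the DN the provider assigns after olcAuthzRegexp; if it is
# still uid=...,cn=laine.fr,cn=gssapi,cn=auth, no regexp on the provider matched.
```

The cache path and `-o openldap` come from the k5start line in the post, so the live checks run as that user. Whichever principal is first in the keytab is the identity the provider sees, and its ACL `to * by users read` grants read to any authenticated identity whether or not the mapped DN exists, so the bind succeeding is what matters, not the mapping target.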
