My apologies. Problem solved.

I straced the slapd process and noticed that there were all sorts of SELinux policies preventing the process from reading /tmp. I've enabled /tmp access and all works now.

Thanks!

Kris.

PGP Key: 4CC63A18
PGP Server: pool.sks-keyservers.net

On 2010-03-31, at 6:20 PM, Kristian Kostecky wrote:

> Hi guys,
>
> I have a configuration that consists of 3 ldap servers. One is the provider
> and there are 2 consumers. I am using syncrepl to do the synchronization.
> Simple and anonymous binds are totally disabled and Kerberos must be used via
> SASL (GSSAPI) and TLS to connect to the LDAP server.
>
> distro: centos 5.4
> openldap 2.3.43
> cyrus-sasl 2.1.22
>
> Other things:
> - clocks are all in sync
> - hostnames all have forward and reverse mappings and all dns servers in
>   /etc/resolv.conf respond with proper entries on the consumer and both
>   providers.
>
> Here's the catch: the two providers are configured the same (except for
> hostnames/ips) and the first one works perfectly. What is really frustrating
> is the lack of logging that is available to tell me what the problem is.
> I've tried loglevel -1 and it gave me even less info in regards to the SASL
> authentication than leaving it off.
>
> The affected consumer is giving me:
>
> Mar 31 22:41:00 ZZZ slapd[2442]: slapd starting
> Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrep1: rid 010 ldap_sasl_interactive_bind_s failed (-2)
> Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrepl: rid 010 quitting
>
> On the "Provider":
>
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 ACCEPT from IP=10.130.1.230:60288 (IP=0.0.0.0:389)
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 STARTTLS
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 RESULT oid= err=0 text=
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 TLS established tls_ssf=256 ssf=256
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=1 UNBIND
> Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 closed
>
> This is what's REALLY weird: from the affected/broken box, ZZZ, after I
> kinit, I can do an LDAP search or ldapwhoami, no problems! So, Kerberos and
> GSSAPI via SASL is working fine. ie:
>
> ldapsearch -H ldaps://XXX/ -Y GSSAPI -> will dump the entries.
> or
> ldapwhoami -H ldaps://XXX/ -Y GSSAPI -> shows me the proper creds
>
> If I destroy the credentials, it doesn't work, as would be expected.
>
> On the working consumer, the behaviour is that I can ldapsearch and
> ldapwhoami properly after I kinit, and when I start ldap it will authenticate
> properly with the provider via SASL GSSAPI and replicate the DB. If I
> kdestroy the credentials and start it, I get the same error that I'm
> struggling with on the box that doesn't work -> ldap_sasl_interactive_bind_s
> failed (-2). This behaviour leads me to believe that for some reason the ldap
> server on the box that doesn't work is having problems transmitting the
> Kerberos credentials to the provider, whereas the ldapsearch and ldapwhoami
> binaries are not having problems.
>
> There are some suspicious differences between the consumer that works and the
> broken one. The provider and consumer that works both have TLDs that match
> ('.com') and the consumer whose syncrepl process won't authenticate is part of
> the .eu TLD. However, as you can see below in the krb5.conf files, the .com
> and .eu TLDs are always mapped to the same authentication realm. PLUS,
> again, ldapsearch and ldapwhoami WORK. It's just the syncrepl process that
> isn't quite getting the auth right.
>
> This is the provider's pertinent config:
>
> slapd.conf:
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> This is the consumer's pertinent config (WORKS ON one, not on the other):
>
> slapd.conf:
> syncrepl rid=10
>   provider=ldap://xxx.XXX.com
>   starttls=yes
>   type=refreshOnly
>   interval=00:00:01:00
>   searchbase="dc=XXX,dc=com"
>   schemachecking=off
>   bindmethod=sasl
>   saslmech=GSSAPI
>
> krb5.conf [same as provider and kerb server]:
> [libdefaults]
>   default_realm = BOUNCE.AAA.COM
>   encrypt = true
>   allow_weak_crypto = false
>   clockskew = 600
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 8h
>   forwardable = no
>   proxiable = no
>
> [realms]
>   BOUNCE.AAA.COM = {
>     kdc = XXX.com
>     kdc = YYY.com
>     kdc = ZZZ.eu
>     admin_server = XXX.com
>   }
>
> [domain_realm]
>   .com = BOUNCE.AAA.COM
>   .eu = BOUNCE.AAA.COM
>
> All help is greatly appreciated! This has been going on for days and I've
> already yanked out most of my hair. Thank you.
>
> Kris.
>
> PGP Key: 4CC63A18
> PGP Server: pool.sks-keyservers.net
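Editor's added example, not part of the thread above: the symptom in this thread (an LDAP_LOCAL_ERROR, -2, from ldap_sasl_interactive_bind_s inside slapd while ldapsearch with the same ticket works) is the classic signature of a confined daemon that cannot reach the Kerberos credential cache kinit left in /tmp. The quickest confirmation is the audit log rather than strace: every SELinux refusal is logged as an AVC record naming the process (comm), the object (name, tcontext) and the permission denied. The script below pulls those records for a given daemon and counts how many hit the tmp_t label. The audit lines are constructed here so that it runs offline; on a real box feed it `ausearch -m avc -c slapd --raw` instead. The field layout (type=AVC ... avc: denied { perm } for pid= comm= name= scontext= tcontext= tclass=) is the standard kernel AVC format. Note that granting slapd the whole of /tmp, as the original poster did, is broader than necessary: a policy module generated from exactly these denials with audit2allow, or pointing the daemon's KRB5CCNAME at a cache outside /tmp in a directory labelled for slapd, keeps the confinement intact.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials for one
# confined daemon, to show why slapd's GSSAPI bind fails while ldapsearch,
# run unconfined from a shell, succeeds with the same Kerberos ticket.
#
# Real use:  ausearch -m avc -c slapd --raw | summarise_avc slapd
# Offline:   printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc slapd

# Constructed audit.log excerpt (not real logs): two slapd_t denials on a
# tmp_t credential cache, one unrelated httpd denial, and one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1270077660.121:301): avc:  denied  { read } for  pid=2442 comm="slapd" name="krb5cc_55" dev=sda1 ino=1287 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1270077660.121:301): arch=c000003e syscall=2 success=no exit=-13 comm="slapd" exe="/usr/sbin/slapd" subj=system_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1270077660.122:302): avc:  denied  { search } for  pid=2442 comm="slapd" name="tmp" dev=sda1 ino=2 scontext=system_u:system_r:slapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1270077661.000:303): avc:  denied  { write } for  pid=999 comm="httpd" name="foo" dev=sda1 ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# summarise_avc COMM
#   Reads raw audit records on stdin and prints, for each AVC denial whose
#   comm matches COMM, one line: "<permission> <tclass> <name> <tcontext>".
summarise_avc() {
    want="$1"
    awk -v want="$want" '
        /^type=AVC / && /avc:  denied/ {
            perm = ""; name = ""; tctx = ""; tclass = ""; c = ""
            # the denied permission set sits between "{ " and " }"
            if (match($0, /\{ [^}]* \}/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     c      = kv[2]
                if (kv[1] == "name")     name   = kv[2]
                if (kv[1] == "tcontext") tctx   = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            gsub(/"/, "", c); gsub(/"/, "", name)
            if (c == want) print perm, tclass, name, tctx
        }'
}

# count_tmp_denials COMM
#   Number of COMM denials whose target carries the tmp_t type, i.e. how
#   often the daemon was refused access under /tmp, where kinit writes
#   krb5cc_<uid> by default.
count_tmp_denials() {
    summarise_avc "$1" | grep -c 'object_r:tmp_t' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc slapd
printf 'slapd denials under /tmp: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUDIT" | count_tmp_denials slapd)"
```

Two denials on the sample: `search` on the `tmp` directory and `read` on `krb5cc_55`, both against `tmp_t`. Each of those lines is exactly what `audit2allow -M local-slapd-ccache` would turn into a minimal policy module, which is the narrower alternative to opening /tmp as a whole.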
