I have inherited an openldap server (2.4.9) and have set about making it a 
bit more fault tolerant.  So I have added a syncrepl slave and everything seems 
to work fine.  It pulls down the whole ldap tree and stays in sync in real time 
with type=refreshAndPersist.  I can use command line tools to verify that it has 
all the information from the original master server using a command like this:

ldapsearch -xLL -H ldaps://ldap2.domain.com/ -b "dc=domain,dc=com" -D "cn=admin,dc=domain,dc=com" -W

My problem however is that when I try to authenticate users against the slave 
server, it does not work.  All attempts fail.  Also when I use ApacheDS 
(graphical LDAP browser) to view its contents, it only shows the Root DSE and 
none of the child objects like cn=config or any of the users or any of that.  I 
can use ApacheDS fine to view and modify everything on the master server though.

The slapd.conf config files between the two are exactly the same (except one is 
declared as sync master and one as slave), the password hashes are successfully 
replicated to the slave as I can see with ldapsearch, but I have no idea how to 
debug why it won't authenticate users.  For reference, here is my syncrepl 
config section (in slapd.conf) on the slave:

syncrepl rid=123
         provider=ldaps://ldap1.domain.com:636
         type=refreshAndPersist
         searchbase="dc=domain,dc=com"
         filter="(objectClass=*)"
         scope=sub
         schemachecking=off
         bindmethod=simple
         binddn="uid=syncuser,ou=People,dc=domain,dc=com"
         credentials=syncpassword

and on the master server:

moduleload  syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

As a failover/backup server seems extremely prudent especially on the ancient 
hardware we have running these things, I really want to get this to work 
properly.  Perhaps even later doing a round-robin style load balancing between 
the two or what have you.

I have no idea how to debug this, any help would be greatly appreciated!

-a
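The post verifies the consumer by eyeballing a full ldapsearch dump. The script below is an added example (not the poster's code) of the checks a practitioner would script instead: compare the contextCSN of the suffix entry on provider and consumer, list DNs that exist on one side but not the other, and try a plain user bind against the consumer with the same credentials that work on the master. It assumes the hostnames and base DN from the post; `uid=testuser,ou=People,dc=domain,dc=com` and the password file path are placeholders, and the sample LDIF used for the offline checks is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.  Replication sanity checks for an
# OpenLDAP 2.4 syncrepl pair.  Parsing helpers take LDIF on stdin or from files
# so they can be exercised offline; the network checks run only with "run".

PROVIDER="ldaps://ldap1.domain.com:636"      # from the post
CONSUMER="ldaps://ldap2.domain.com/"         # from the post
BASE="dc=domain,dc=com"                      # from the post
TESTDN="uid=testuser,ou=People,dc=domain,dc=com"   # placeholder account
PASSFILE="/root/testuser.pw"                 # placeholder; -y keeps the password out of ps

# Print the contextCSN value(s) of the suffix entry from an LDIF dump on stdin.
# A multi-master setup has one value per server id, hence the sort.
extract_csn() {
    sed -n 's/^contextCSN: //p' | sort
}

# Two contextCSN lists are "in sync" when they are byte-identical.
csn_in_sync() {
    [ "$1" = "$2" ]
}

# List DNs present in the first LDIF file but absent from the second.
# Run it in both directions to find entries the consumer never received
# or entries it should have deleted.
missing_dns() {
    t1=$(mktemp) || return 1
    t2=$(mktemp) || return 1
    sed -n 's/^dn: //p' "$1" | sort > "$t1"
    sed -n 's/^dn: //p' "$2" | sort > "$t2"
    comm -23 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Base-scope search for contextCSN on one server (anonymous read).
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -b "$BASE" -s base contextCSN | extract_csn
}

# Dump every DN visible to the test user on one server into a file.  If the
# consumer's ACLs differ from the provider's, the count here will differ too.
dump_dns() {
    ldapsearch -x -LLL -H "$1" -b "$BASE" -D "$TESTDN" -y "$PASSFILE" dn > "$2"
}

# Simple bind as a regular user; ldapwhoami prints the bound identity on success.
test_bind() {
    if ldapwhoami -x -H "$1" -D "$TESTDN" -y "$PASSFILE" >/dev/null 2>&1; then
        echo "bind OK      $1  $TESTDN"
        return 0
    fi
    echo "bind FAILED  $1  $TESTDN (rerun ldapwhoami with -d 1 to see the result code)"
    return 1
}

# Driver: only runs against real servers when invoked as "sh replcheck.sh run".
if [ "${1:-}" = "run" ]; then
    pcsn=$(fetch_csn "$PROVIDER")
    ccsn=$(fetch_csn "$CONSUMER")
    if csn_in_sync "$pcsn" "$ccsn"; then
        echo "contextCSN in sync: $pcsn"
    else
        echo "contextCSN differs: provider=$pcsn consumer=$ccsn"
    fi
    pd=$(mktemp); cd_=$(mktemp)
    dump_dns "$PROVIDER" "$pd"
    dump_dns "$CONSUMER" "$cd_"
    echo "entries visible to $TESTDN: provider=$(grep -c '^dn: ' "$pd") consumer=$(grep -c '^dn: ' "$cd_")"
    echo "--- on provider but not consumer ---"; missing_dns "$pd" "$cd_"
    echo "--- on consumer but not provider ---"; missing_dns "$cd_" "$pd"
    rm -f "$pd" "$cd_"
    test_bind "$PROVIDER"
    test_bind "$CONSUMER"
fi
```

Run it as `sh replcheck.sh run` from a host that can reach both servers. A bind that succeeds on the provider and fails on the consumer with identical userPassword values points at something outside the data itself (the consumer's own ACLs, rootdn or TLS setup), which is what the entry-count comparison is meant to surface.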
