# [SOLVED] OpenLDAP replica authentication failed

## rvasquez

Hi,

I have two Gentoo servers running OpenLDAP, one configured as master and one as its replica. The replication works using syncrepl and has been successful so far.

I have two Astaro firewall devices that use LDAP as the user authentication method. All the settings and the authentication test work if I run them against the master server, but if I run the test against the replica it returns "Access Denied", and in the log:

```
slapd[27442]: conn=15 op=0 BIND dn="cn=Manager,dc=organization,dc=org" method=128
slapd[27442]: conn=15 op=0 BIND dn="cn=Manager,dc=organization,dc=org" mech=SIMPLE ssf=0
slapd[27442]: conn=15 op=0 RESULT tag=97 err=0 text=
slapd[27442]: conn=15 op=1 SRCH base="dc=organization,dc=org" scope=2 deref=0 filter="(&(objectClass=*)(uid=myuser))"
slapd[27442]: conn=15 op=1 SRCH attr=mail email emailAddress
slapd[27442]: conn=15 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27442]: conn=15 op=2 BIND anonymous mech=implicit ssf=0
slapd[27442]: conn=15 op=2 BIND dn="uid=myuser,ou=Users,dc=organization,dc=org" method=128
slapd[27442]: conn=15 op=2 RESULT tag=97 err=49 text=
slapd[27442]: conn=15 fd=16 closed (connection lost)
```

I have to mention that the Manager can be authenticated successfully.

Both slapd.conf files have the setting `password-hash {md5}`.

I should also mention that the user creation process on the master is done using the Samba LDAP tools, specifically with smbldap-useradd.

I'll appreciate any help.

Last edited by rvasquez on Wed Feb 23, 2011 2:17 pm; edited 1 time in total
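The log above has a recognisable shape: the service account binds and finds the user's entry, then the user's own simple bind comes back with `err=49` (LDAP invalidCredentials), which is what you see when an entry exists on the replica but its `userPassword` does not. To make that pattern easy to pick out of a busy stats log, here is an added example that is not part of the post and not Astaro or OpenLDAP code. It correlates slapd `conn=`/`op=` lines per connection and flags connections where a search returned the entry but the following bind failed. The sample lines are constructed after the ones posted; `conn=16` and `uid=other` are made-up clean traffic for contrast.

```python
"""Correlate slapd stats-level log lines per connection and flag the
"entry found, but user's simple bind returned err=49" sequence.
Added example for the thread; sample log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: the posted sequence plus one clean connection (conn=16).
SAMPLE_LOG = """\
slapd[27442]: conn=15 op=0 BIND dn="cn=Manager,dc=organization,dc=org" method=128
slapd[27442]: conn=15 op=0 BIND dn="cn=Manager,dc=organization,dc=org" mech=SIMPLE ssf=0
slapd[27442]: conn=15 op=0 RESULT tag=97 err=0 text=
slapd[27442]: conn=15 op=1 SRCH base="dc=organization,dc=org" scope=2 deref=0 filter="(&(objectClass=*)(uid=myuser))"
slapd[27442]: conn=15 op=1 SRCH attr=mail email emailAddress
slapd[27442]: conn=15 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[27442]: conn=15 op=2 BIND anonymous mech=implicit ssf=0
slapd[27442]: conn=15 op=2 BIND dn="uid=myuser,ou=Users,dc=organization,dc=org" method=128
slapd[27442]: conn=15 op=2 RESULT tag=97 err=49 text=
slapd[27442]: conn=15 fd=16 closed (connection lost)
slapd[27442]: conn=16 op=0 BIND dn="uid=other,ou=Users,dc=organization,dc=org" method=128
slapd[27442]: conn=16 op=0 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r'RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')
NENTRIES_RE = re.compile(r'nentries=(?P<n>\d+)')

INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


def parse_ops(text):
    """Merge the several log lines of one operation into {(conn, op): info}."""
    ops = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. the "fd=16 closed" line carries no op number
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        b = BIND_RE.search(rest)
        if b:
            ops[key]['kind'] = 'BIND'
            ops[key]['dn'] = b['dn']
        elif rest.startswith('SRCH base='):
            ops[key]['kind'] = 'SRCH'
        r = RESULT_RE.search(rest)
        if r:
            ops[key]['tag'] = int(r['tag'])
            ops[key]['err'] = int(r['err'])
        n = NENTRIES_RE.search(rest)
        if n:
            ops[key]['nentries'] = int(n['n'])
    return ops


def failed_user_binds(ops):
    """Return [(conn, bind_dn, entry_was_found)] for simple binds that ended
    with err=49. entry_was_found is True when an earlier search on the same
    connection returned at least one entry: the entry is there, the password
    check still failed, which is the thread's symptom."""
    by_conn = defaultdict(list)
    for (conn, _op), info in sorted(ops.items()):
        by_conn[conn].append(info)
    findings = []
    for conn, infos in sorted(by_conn.items()):
        found_entry = False
        for info in infos:
            if info.get('kind') == 'SRCH' and info.get('nentries', 0) >= 1:
                found_entry = True
            if info.get('kind') == 'BIND' and info.get('err') == INVALID_CREDENTIALS:
                findings.append((conn, info['dn'], found_entry))
    return findings


if __name__ == "__main__":
    for conn, dn, found in failed_user_binds(parse_ops(SAMPLE_LOG)):
        print(f"conn={conn}: bind as {dn} failed (err=49); entry found earlier: {found}")
```

Run it against a real file with `parse_ops(open("/var/log/slapd.log").read())`; only the `stats` log level (256) is needed for these lines to appear.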

----------

## hika

Is your replica read-write or read-only? I have had a configuration with two replicating read-write masters running for a year now.

If your replica is read-only it has to redirect writes to the master. What if, for instance, last login or something else is written on login?

Hika

----------

## rvasquez

I have actually seen that the problem is that the replica is not copying the userPassword attribute, which of course is necessary for the authentication.

I am using the Manager DN to access the master and I have tested the synchronization with

`attrs="*"`

`attrs="*,+"`

no attrs

But nothing seems to work.

Does anybody have an idea?

Thanks

----------

## hika

This probably means that the synchronization user has no rights to this attribute. Do you have access restrictions on passwords other than their own?

In my slapd.conf:

```
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self write
  by * auth
```

As you see, I have a dedicated syncuser that has manage rights.

Hika
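Why the dedicated `by dn.base=... manage` line matters comes down to slapd's first-match ACL evaluation: within the `access to` clause that matches the attribute, the first `by` whose `<who>` matches the requester decides the access level, and an identity that only reaches `by * auth` may use `userPassword` to authenticate but not read it, so the provider hands the consumer the entry without that attribute. The following is an added example, not OpenLDAP code and not from the thread, that models just enough of that evaluation for the `<who>` forms in Hika's config (`dn.base=`, `self`, `users`, `anonymous`, `*`) to show the difference between the two ACLs. The target entry `uid=someone,ou=Users,dc=home` is constructed; the rootdn check reflects slapd.conf(5), which exempts the database's `rootdn` from access control.

```python
"""Miniature model of slapd first-match ACL evaluation for a 'by' list.
Added example; not OpenLDAP's implementation. Models only the <who> forms
used in the posted slapd.conf: dn.base=, self, users, anonymous, *."""

# slapd.conf(5) access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_rank(level):
    return LEVELS.index(level)


def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause match the requester? bind_dn '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":  # requester is the entry being accessed
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        return bind_dn.lower() == who[len("dn.base="):].strip('"').lower()
    raise ValueError("unsupported who clause: " + who)


def granted_level(by_clauses, bind_dn, target_dn):
    """First matching 'by' clause wins; no match means slapd's implicit 'by * none'."""
    for who, level in by_clauses:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"


def can(access_needed, by_clauses, bind_dn, target_dn, rootdn=None):
    """True if the requester may perform access_needed (e.g. 'read') on the attribute.
    The database rootdn is not subject to ACLs at all (slapd.conf(5))."""
    if rootdn is not None and bind_dn.lower() == rootdn.lower():
        return True
    granted = granted_level(by_clauses, bind_dn, target_dn)
    return level_rank(granted) >= level_rank(access_needed)


# The posted userPassword clause, with and without the dedicated sync entry.
SYNC_DN = "cn=syncuser,ou=ldapRoles,dc=home"
USER_DN = "uid=someone,ou=Users,dc=home"  # constructed target entry
ACL_WITH_SYNC = [('dn.base="cn=syncuser,ou=ldapRoles,dc=home"', "manage"),
                 ("self", "write"),
                 ("*", "auth")]
ACL_WITHOUT_SYNC = [("self", "write"),
                    ("*", "auth")]


def replication_can_read_password(acl, sync_dn=SYNC_DN, rootdn=None):
    """Would a consumer bound as sync_dn receive userPassword for USER_DN?"""
    return can("read", acl, sync_dn, USER_DN, rootdn=rootdn)


if __name__ == "__main__":
    print("dedicated sync clause:", replication_can_read_password(ACL_WITH_SYNC))
    print("only 'by * auth'     :", replication_can_read_password(ACL_WITHOUT_SYNC))
    print("bound as rootdn      :",
          replication_can_read_password(ACL_WITHOUT_SYNC, "cn=Admin,dc=home", "cn=Admin,dc=home"))
    print("anonymous gets       :", granted_level(ACL_WITH_SYNC, "", USER_DN))
```

The same model explains why the user can still log in against the master: the password check itself only needs `auth`, which `by * auth` grants to everyone, while replicating the hash needs `read`.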

----------

## rvasquez

Thanks Hika, I have modified the user permissions for the userPassword attr to manage, without any results.

This is my syncrepl config on the replica server:

```
syncrepl        rid=1
                provider=ldap://ldapmaster
                type=refreshAndPersist
                interval 00:00:02:00
                searchbase="dc=organization,dc=org"
                #attrs="*"
                schemachecking=on
                # The following directives are relative to accounts on the master server
                # binddn is who syncrepl should authenticate as on the master, and credentials is the account's password
                bindmethod=simple
                binddn="cn=Manager,dc=organization,dc=org"
                credentials="mypassword"

updateref ldap://ldapmaster
```

If anybody sees something wrong I'll appreciate the hints.

----------

## hika

I see, among other things, a difference from mine, namely the credentials. Without going into the manual I don't know exactly how much this matters. Here is mine:

```
syncrepl rid=003
    provider="ldap://gentooserver.home.dkw"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="dc=home"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1

syncrepl rid=004
    provider="ldap://ultra2.home.trev"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="dc=home"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
```

Hika

----------

## hika

Oh, and to be on the safe side, change these on both servers!

Hika

----------

## hika

I was thinking further. Are you syncing both your config and your tree?

Just to help you think, here is my complete slapd.conf. It may not be completely up to date, since I exported it to the more modern tree structure in the slapd.d directory, but I always try to keep it up to date for rebuilds. You see no rootDN password because, for security, I have it in LDAP itself.

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema
include      /etc/openldap/schema/cosine.schema
include      /etc/openldap/schema/inetorgperson.schema
include      /etc/openldap/schema/nis.schema
include      /etc/openldap/schema/samba.schema
include      /etc/openldap/schema/authldap.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

serverID   1 ldap://gentooserver.home.dkw
serverID   2 ldap://ultra2.home.trev

pidfile      /var/run/openldap/slapd.pid
argsfile   /var/run/openldap/slapd.args
logfile    /var/log/slapd.log
loglevel   stats conns trace

# Load dynamic backend modules:
modulepath   /usr/lib/openldap/openldap
# moduleload   back_sql.so
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
# moduleload   back_perl.so
# moduleload   back_passwd.so
# moduleload   back_null.so
moduleload   back_monitor.so
# moduleload   back_meta.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so

defaultSearchBase    "dc=home"

# TLSCACertificateFile    /etc/openldap/ssl/cacert.pem
# TLSCertificateFile    /etc/openldap/ssl/servercrt.pem
# TLSCertificateKeyFile    /etc/openldap/ssl/serverkey.pem
TLSCACertificateFile    /etc/openldap/ssl/server.pem
TLSCertificateFile    /etc/openldap/ssl/server.pem
TLSCertificateKeyFile    /etc/openldap/ssl/server.pem
TLSVerifyClient      never

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# HDB database definitions
#######################################################################

backend      config
backend      monitor
backend      hdb

database   config
rootdn      "cn=Admin,dc=home"
monitoring   on
access to dn.subtree="cn=config"
  by group.exact="cn=ldapAdmins,ou=ldapRoles,dc=home" manage
  by group/organizationalRole/roleOccupant="cn=ldapReaders,ou=ldapRoles,dc=home"
     read
  by users read
  by * none
syncrepl rid=001
    provider="ldap://gentooserver.home.dkw"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="cn=config"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
syncrepl rid=002
    provider="ldap://ultra2.home.trev"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="cn=config"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
mirrormode   on

database   hdb
idletimeout   30
suffix      "dc=home"
checkpoint   32 5
cachesize   1000
monitoring   on
rootdn      "cn=Admin,dc=home"
directory   /var/lib/openldap-data/home
access to dn.base="cn=syncuser,ou=ldapRoles,dc=home"
  by self manage
  by peername.regex=127\.0\.0\.1 auth
  by peername.regex=192\.168\.222\.7 auth
  by peername.regex=192\.168\.222\.8 auth
  by peername.regex=192\.168\.249\.250 auth
  by peername.regex=192\.168\.222\.49 auth
  by users none
  by * none
access to dn.base="cn=Admin,dc=home"
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self manage
  by peername.regex=127\.0\.0\.1 auth
  by peername.regex=192\.168\.222\..* auth
  by peername.regex=192\.168\.249\..* auth
  by peername.regex=192\.168\.253\..* auth
  by users none
  by * none
access to dn.base=""
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self write
  by * auth
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self write
  by * auth
access to attrs=shadowLastChange
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self write
  by * read
  by * none
access to dn.subtree="dc=home"
  by group.exact="cn=ldapAdmins,ou=ldapRoles,dc=home" manage
  by group/organizationalRole/roleOccupant="cn=ldapReaders,ou=ldapRoles,dc=home"
     read
  by peername.regex=127\.0\.0\.1 read
  by peername.regex=192\.168\.222\..* read
  by peername.regex=192\.168\.249\..* read
  by peername.regex=192\.168\.253\..* read
  by users search
  by anonymous auth
  by * none
index      objectClass      eq
index      cn         pres,sub,eq
index      sn         pres,sub,eq
index      uid         pres,sub,eq
index      uidNumber      eq
index      gidNumber      eq
index      memberUID      eq
index      sambaSID      eq
index      sambaPrimaryGroupSID   eq
index      sambaDomainName      eq
index      default         sub
syncrepl rid=003
    provider="ldap://gentooserver.home.dkw"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="dc=home"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
syncrepl rid=004
    provider="ldap://ultra2.home.trev"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="dc=home"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
mirrormode   on

database   hdb
idletimeout   30
suffix      "ou=Adresses"
checkpoint   32 5
cachesize   1000
monitoring   on
rootdn      "cn=Admin,dc=home"
directory   /var/lib/openldap-data/adresses
access to dn.base=""
  by dn.base="cn=syncuser,ou=ldapRoles,dc=home" manage
  by self write
  by * auth
access to dn.subtree="ou=Adresses"
  by group.exact="cn=ldapAdmins,ou=ldapRoles,dc=home" manage
  by group/organizationalRole/roleOccupant="cn=ldapReaders,ou=ldapRoles,dc=home"
     read
  by users read
  by anonymous auth
  by * none
index      objectClass      eq
index      cn         pres,sub,eq
index      sn         pres,sub,eq
index      default         sub
syncrepl rid=005
    provider="ldap://gentooserver.home.dkw"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="ou=adresses"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
syncrepl rid=006
    provider="ldap://ultra2.home.trev"
    binddn="cn=syncuser,ou=ldapRoles,dc=home"
    bindmethod=simple
    credentials=syncrequest
    searchbase="ou=adresses"
    type=refreshandpersist
    retry="5 5 300 5"
    timeout=1
mirrormode   on

database   monitor
idletimeout   30
rootdn      "cn=Admin,dc=home"
monitoring   on
access to dn.subtree="cn=Monitor"
  by group.exact="cn=ldapAdmins,ou=ldapRoles,dc=home" manage
  by group/organizationalRole/roleOccupant="cn=ldapReaders,ou=ldapRoles,dc=home" read
  by * none

#         <kbyte> <min>
#checkpoint   32   30
#rootdn      "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw      secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
#directory   /var/lib/openldap-data
# Indices to maintain
#index   objectClass   eq
```

Hika

----------

## hika

Oops, that was my syncuser password. I built it over a year ago. Good reason to change it, as should be done now and then.

----------

## rvasquez

Oops! My whole tree is gone! I was browsing with Apache Directory Studio and now I always get a "No such object" error :/

By the way, before that I had changed everything to look like yours, but with no success at all.

Thanks for your time and help. I'll try this weekend to create the same at home.

----------

## hika

Just some handy scripts for the future and while testing.

These are the daily backups I run every night.

ldap-backup.sh

```
#!/bin/bash
cp -rp /etc/openldap/slapd.d/* /root/ldap/slapd.d/
cp -p /etc/openldap/slapd.conf /root/ldap/slapd.conf
mv /root/ldap/ldap-backup0.ldif /root/ldap/ldap-backup0.ldif.bak
slapcat -F /etc/openldap/slapd.d -n 0 -l /root/ldap/ldap-backup0.ldif
mv /root/ldap/ldap-backup1.ldif /root/ldap/ldap-backup1.ldif.bak
slapcat -F /etc/openldap/slapd.d -n 1 -l /root/ldap/ldap-backup1.ldif
mv /root/ldap/ldap-backup2.ldif /root/ldap/ldap-backup2.ldif.bak
slapcat -F /etc/openldap/slapd.d -n 2 -l /root/ldap/ldap-backup2.ldif
```

tdb-backup.sh

```
#!/bin/bash
tdbbackup -v /var/cache/samba/*.tdb
tdbbackup -s .bak /var/cache/samba/*.tdb
mv -f /root/tdb/account_policy.tdb /root/tdb/account_policy.tdb.bak
mv -f /var/cache/samba/account_policy.tdb.bak /root/tdb/account_policy.tdb
mv -f /root/tdb/group_mapping.tdb /root/tdb/group_mapping.tdb.bak
mv -f /var/cache/samba/group_mapping.tdb.bak /root/tdb/group_mapping.tdb
mv -f /root/tdb/ntdrivers.tdb /root/tdb/ntdrivers.tdb.bak
mv -f /var/cache/samba/ntdrivers.tdb.bak /root/tdb/ntdrivers.tdb
mv -f /root/tdb/ntforms.tdb /root/tdb/ntforms.tdb.bak
mv -f /var/cache/samba/ntforms.tdb.bak /root/tdb/ntforms.tdb
mv -f /root/tdb/ntprinters.tdb /root/tdb/ntprinters.tdb.bak
mv -f /var/cache/samba/ntprinters.tdb.bak /root/tdb/ntprinters.tdb
mv -f /root/tdb/registry.tdb /root/tdb/registry.tdb.bak
mv -f /var/cache/samba/registry.tdb.bak /root/tdb/registry.tdb
mv -f /root/tdb/share_info.tdb /root/tdb/share_info.tdb.bak
mv -f /var/cache/samba/share_info.tdb.bak /root/tdb/share_info.tdb
mv -f /root/tdb/wins.tdb /root/tdb/wins.tdb.bak
mv -f /var/cache/samba/wins.tdb.bak /root/tdb/wins.tdb
# mv -f /root/tdb/winbindd_idmap.tdb /root/tdb/winbindd_idmap.tdb.bak
# mv -f /var/cache/samba/winbindd_idmap.tdb.bak /root/tdb/winbindd_idmap.tdb
# mv -f /root/tdb/lang_en.tdb /root/tdb/lang_en.tdb.bak
# mv -f /var/cache/samba/lang_en.tdb.bak /root/tdb/lang_en.tdb
# mv -f /root/tdb/netsamlogon_cache.tdb /root/tdb/netsamlogon_cache.tdb.bak
# mv -f /var/cache/samba/netsamlogon_cache.tdb.bak /root/tdb/netsamlogon_cache.tdb

tdbbackup -v /var/cache/samba/printing/*.tdb
tdbbackup -s .bak /var/cache/samba/printing/*.tdb
mv -f /root/tdb/printing/printers.tdb /root/tdb/printing/printers.tdb.bak
mv -f /var/cache/samba/printing/printers.tdb.bak /root/tdb/printing/printers.tdb
# mv -f /root/tdb/printing/* /root/tdb/printing/*.bak
# mv -f /var/cache/samba/printing/*.bak /root/tdb/printing/*

tdbbackup -v /var/lib/samba/private/*.tdb
tdbbackup -s .bak /var/lib/samba/private/*.tdb
mv -f /root/tdb/private/secrets.tdb /root/tdb/private/secrets.tdb.bak
mv -f /var/lib/samba/private/secrets.tdb.bak /root/tdb/private/secrets.tdb
mv -f /root/tdb/private/schannel_store.tdb /root/tdb/private/schannel_store.tdb.bak
mv -f /var/lib/samba/private/schannel_store.tdb.bak /root/tdb/private/schannel_store.tdb
# mv -f /root/tdb/private/passdb.tdb /root/tdb/private/passdb.tdb.bak
# mv -f /var/lib/samba/private/passdb.tdb.bak /root/tdb/private/passdb.tdb
```

And to restore LDAP after clearing the tree:

ldap-restore.sh

```
#!/bin/bash
slapadd -F /etc/openldap/slapd.d -n 1 -l /root/ldap/ldap-backup1.ldif
slapadd -F /etc/openldap/slapd.d -n 2 -l /root/ldap/ldap-backup2.ldif
```

This script I use for testing LDAP. The logging goes to your screen. If you're satisfied, quit it with Ctrl-C and start LDAP the regular way.

test-ldap.sh

```
#!/bin/bash
/usr/lib/openldap/slapd -u ldap -g ldap -F /etc/openldap/slapd.d -h ldaps:// ldap:// -d 4294967295
```

If you use slapd.conf instead of the slapd.d directory, use `-f /etc/openldap/slapd.conf` in place of `-F ...`

If you don't use TLS, remove the `ldaps://`.

The number after `-d` selects what to log. If I'm right, this number says everything.

| Level | Flag | Meaning |
|---|---|---|
| -1 | any | enable all debugging |
| 0 | | no debugging |
| 1 | 0x1 trace | trace function calls |
| 2 | 0x2 packets | debug packet handling |
| 4 | 0x4 args | heavy trace debugging |
| 8 | 0x8 conns | connection management |
| 16 | 0x10 BER | print out packets sent and received |
| 32 | 0x20 filter | search filter processing |
| 64 | 0x40 config | configuration processing |
| 128 | 0x80 ACL | access control list processing |
| 256 | 0x100 stats | stats log connections/operations/results |
| 512 | 0x200 stats2 | stats log entries sent |
| 1024 | 0x400 shell | print communication with shell backends |
| 2048 | 0x800 parse | print entry parsing debugging |
| 16384 | 0x4000 sync | syncrepl consumer processing |
| 32768 | 0x8000 none | only messages that get logged whatever log level is set |

Hika
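A `slapcat` dump contains every `userPassword`, `sambaLMPassword` and `sambaNTPassword` value in the directory, so the files under `/root/ldap` deserve the same handling as a shadow file. As an added example that is not Hika's script, here is the dump-then-rotate step written so that the new dump is created with mode 0600, the previous copy is renamed to `.bak` only after the dump succeeded, and a failed or empty dump leaves the last good backup untouched (the posted script renames first, so a failing `slapcat` leaves only the `.bak`). `run_demo()` exercises the logic with `echo` and `sh` stand-ins in a temporary directory instead of calling `slapcat`; the `slapcat` arguments and `/root/ldap` path in the main block follow the posted script.

```python
"""Dump an LDAP database to LDIF with restrictive permissions and rotate the
previous dump only after the new one succeeded. Added example, not the
thread's ldap-backup.sh; run_demo() uses echo/sh stand-ins for slapcat."""
import os
import subprocess
import tempfile


def dump_and_rotate(dump_cmd, dest, bak_suffix=".bak"):
    """Run dump_cmd (argument list) with stdout into a 0600 temp file beside dest.
    On success: dest -> dest.bak, temp -> dest (atomic rename). On failure or
    empty output: remove the temp file, leave dest alone, re-raise.
    Returns the byte size of the new dump."""
    dest_dir = os.path.dirname(os.path.abspath(dest))
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)   # hashes live here: owner-only
    fd, tmp_path = tempfile.mkstemp(prefix=".ldif-", dir=dest_dir)
    try:
        os.fchmod(fd, 0o600)                            # mkstemp already does this; be explicit
        with os.fdopen(fd, "wb") as tmp:
            subprocess.run(dump_cmd, stdout=tmp, check=True)
        if os.path.getsize(tmp_path) == 0:
            raise RuntimeError("dump produced no data; keeping previous backup")
        if os.path.exists(dest):
            os.replace(dest, dest + bak_suffix)         # rotate only now that we have a good dump
        os.replace(tmp_path, dest)
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return os.path.getsize(dest)


def run_demo():
    """Exercise the rotation with constructed stand-in commands (no slapcat needed).
    Returns a dict of observations for inspection or assertions."""
    work = tempfile.mkdtemp(prefix="ldap-demo-")
    dest = os.path.join(work, "ldap-backup1.ldif")
    size1 = dump_and_rotate(["echo", "dn: dc=example"], dest)
    size2 = dump_and_rotate(["echo", "dn: dc=example", "version: 1"], dest)
    failed = False
    try:
        # A dump that writes something and then fails must not replace dest.
        dump_and_rotate(["sh", "-c", "echo partial; exit 1"], dest)
    except subprocess.CalledProcessError:
        failed = True
    with open(dest, "rb") as f:
        current = f.read()
    return {
        "size1": size1,
        "size2": size2,
        "bak_exists": os.path.exists(dest + ".bak"),
        "failed_dump_raised": failed,
        "dest_kept": current == b"dn: dc=example version: 1\n",
        "mode": oct(os.stat(dest).st_mode & 0o777),
        "stray_files": sorted(n for n in os.listdir(work) if n.startswith(".ldif-")),
    }


if __name__ == "__main__":
    # Real use, with the slapcat arguments and path from the posted script:
    # dump_and_rotate(["slapcat", "-F", "/etc/openldap/slapd.d", "-n", "1"],
    #                 "/root/ldap/ldap-backup1.ldif")
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

`slapcat` writes LDIF to stdout when `-l` is omitted, which is why the command's output is captured into the temp file rather than letting the tool create the destination itself.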

----------

## rvasquez

Hika and all:

The problem is solved now: I removed all the DB files, set ldap:// instead of ldaps:// and restarted OpenLDAP on both servers, and now I pass all the authentication tests.

Thank you for everything.

----------

## hika

Good to hear. I also had a lot of trouble in December over a year ago, when I started setting it up.

If you want to use TLS, whenever possible use StartTLS instead of pure TLS and turn client checking off. For instance

```
TLSVerifyClient      never
```

in slapd.conf. With synchronization I haven't got it working.

Everywhere you read that OpenLDAP is allergic to self-signed certificates.

The best way I found is:

```
$ openssl req -newkey rsa:1024 -keyout server.pem -nodes -x509 -days 365 -out server.pem
```

It creates an all-in-one certificate, which you fill in at all three positions.

Better is an official certificate, but I haven't got round to trying that.

There is an Australian site for free certificate signing that should work.

http://www.cacert.org/

hika
