topic Re: LDAP Passwords Not Replicating in Operating System - Linux

LDAP Passwords Not Replicating

Steve Burt_1 — Sun, 12 Jul 2009 20:04:56 GMT

Hi Folks, I call to your learned experience once again..

I have an LDAP MASTER/SLAVE pair, and all of a sudden (Replication has worked quite fine for over a year), but now there are some password inconsistencies on the master when I change the password the slave authenticate fine but as i said the master is failing...

When I add a new user and set the password then i see the user within ldap but passwd works...

/etc/nsswitch is file ldap

i still have the local unix user in /etc/passwd as i convert the unix user into ldap..

Your help is appreciated

I have deleted the ldap user and added it back in and same issue slave authenticates where as the master does not.

RPM's
openldap-2.3.27-8.el5_1.3
openldap-servers-2.3.27-8.el5_1.3
openldap-clients-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
openldap-2.3.27-8.el5_1.3

Re: LDAP Passwords Not Replicating

Steven E. Protter — Mon, 13 Jul 2009 05:27:14 GMT

Shalom,

There should be logs, /var/log/messages to start where you might find some evidence of the problem.

There has to be a problem with password replication and that is being recorded somewhere.

Have there been any recent changes, even system updates that correspond with when the problem arose? It would be helpful to know what preceded the problem.

SEP

Re: LDAP Passwords Not Replicating

Steve Burt_1 — Tue, 28 Jul 2009 06:28:16 GMT

Hi SEP just back from hols... sorry to keep you waiting, having thought more about this, my symptons are that My Slave LDA Server does not always seem to be replicating passwords.

I can tell this by the fact of the entryCSN for the same user is different on both nodes.

entryCSN: 20090722160653Z#000000#00#000000
entryCSN: 20090722160747Z#000000#00#000000

So I suppose what I am saying is how can I fix this.

When I do a ps -ef on the slave I notice that only slapd is running I thought slurpd should run as well for replication to take place..

[root@ECOFTPR02 ldap]# ps -ef | grep slapd
ldap 3353 1 0 Jul13 ? 01:22:08 /usr/sbin/slapd -h ldap:/// -u ldap

I am rapidily coming to the conclusion that this is not configured to a master/slave relationship.

--Steve

Re: LDAP Passwords Not Replicating

Steve Burt_1 — Tue, 28 Jul 2009 06:47:50 GMT

root@wibble# cat /etc/openldap/slapd.conf
#############################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#############################################################
allow bind_v2
#############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#############################################################
access to * by * read
#############################################################
database bdb
suffix "dc=wibble,dc=com"
rootdn "cn=Manager,dc=wibble,dc=com"
rootpw {SSHA}wTQhgpMdAnP6xJIuFMnHGrIL1/FbKiyD
directory /var/lib/ldap/wibble.com
#############################################################
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
#############################################################
replica uri=ldap://ldap2.wibble.com:389 suffix="dc=wibble,dc=com" binddn="cn=Manager,dc=wibble,dc=com" bindmethod=simple credentials=wibble
replogfile /var/lib/ldap/wibble.com/ldap1-replog

Slave
-----
[root@slave ldap]# cat /etc/openldap/slapd.conf
####################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
####################################################################
allow bind_v2
####################################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
####################################################################
database bdb
suffix "dc=wibble,dc=com"
rootdn "cn=Manager,dc=wibble,dc=com"
rootpw {SSHA}wTQhgpMdAnP6xJIuFMnHGrIL1/FbKiyD
####################################################################
directory /var/lib/ldap/wibble.com
####################################################################
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
####################################################################
access to * by * read
####################################################################
updatedn cn=Manager,dc=wibble,dc=com
updateref ldap://ldap1.wibble.com
####################################################################
[root@slave ldap]#

Re: LDAP Passwords Not Replicating

Steve Burt_1 — Tue, 28 Jul 2009 07:21:48 GMT

Looking deeper into this my faux paux is that slurpd is running but on the provider, which in theory is where it is meant to be ( correct me if i am wrong)

Now Openldap 2.3 traditionally uses slurpd for replication but also has functionality for syncrep

Openldap 2.4 obsoletes slurpd for syncrep, and has the functionality of nway multimaster mode which wouuld be of great interest.

My question that I need to explore is what is the quickest way of syncing the my current master/slave solution

--Steve