[EdLUG] OpenLDAP slap client and/or syncrepl error

CAIRNEY Mark Mark.Cairney at ed.ac.uk
Fri May 20 18:47:31 UTC 2022


Hi,
I think there are 2 issues at play
1. The certs/CA isn't right on one of the servers (hence the TLS errors) so the syncrepl bind is failing.
2. It looks like SASL can’t find a password entry for the user in the bind attempt. Might be worth checking your SASL config to ensure the mechanisms you expect are available and your authzregexp is set up correctly.

Sent from my iPhone

On 20 May 2022, at 18:56, Tahir Hafiz <tahir.hafiz at gmail.com> wrote:


Hi,

We have two OpenLDAP servers (sso1 and sso2, ignore alpha - that one I think they decommissioned it years ago).
sso1 and sso2 are meant to be in mirror mode (sometimes called multi-master mode).
I had to switch sso1 off a while ago because it was no longer responding and didn't have much time to look at it back then.

I have now had some spare time to look at it, updated the web certs which had to be renewed and restarted the openldap server in question.
But I see the following error (and Google has not helped much on this one):

May 20 16:11:44 sso1 slapd[9008]: slapd starting
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://alpha.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 20 16:12:13 sso1 slapd[9008]: SASL [conn=1001] Failure: no secret in database

The weird thing is the OpenLDAP sso1 box is synching to sso2 ldap box, and I can connect to it with an ldap client on my home desktop and it now has the latest records so it is working as an ldap server but I'm not sure what the errors really mean.
Are there any avenues I can explore on this, or has anyone seen something like this before? (N.B. I am no ldap expert.)

Thanking you in advance,
Tahir
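The two checks Mark's reply points at, as an added triage helper that is not part of this thread or of OpenLDAP itself. It classifies slapd log lines into the two buckets Mark names (TLS context failure on the syncrepl consumer, so the replication bind never gets as far as authenticating, and SASL having no stored secret for the bind identity), reports the affected rids and provider hosts, and prints the verification commands an admin would run next. The log text is a constructed copy of the lines quoted above; the CA path and slapd.conf location are assumptions to be replaced with the real ones.

```shell
#!/bin/sh
# Added triage helper for the slapd messages quoted in the thread (not the thread authors' code).
# Bucket 1: syncrepl consumer cannot build a TLS context (cert/CA mismatch, per Mark's reply).
# Bucket 2: SASL has no secret for the identity used in an inbound bind.

# Constructed sample, line-for-line the shape of the log quoted in the thread.
SAMPLE_LOG='May 20 16:11:44 sso1 slapd[9008]: slapd starting
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://alpha.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 20 16:12:13 sso1 slapd[9008]: SASL [conn=1001] Failure: no secret in database'

# count_tls_failures LOG: number of syncrepl connections whose TLS context could not be set up.
count_tls_failures() {
    printf '%s\n' "$1" | grep -c 'slap_client_connect: .*TLS context initialization failed' || true
}

# tls_failed_uris LOG: one provider URI per line that the consumer could not reach over TLS.
tls_failed_uris() {
    printf '%s\n' "$1" | sed -n 's/.*slap_client_connect: URI=\([^ ]*\) TLS context initialization failed.*/\1/p'
}

# failing_rids LOG: space-separated, de-duplicated syncrepl replica ids stuck in the retry loop.
failing_rids() {
    printf '%s\n' "$1" | sed -n 's/.*do_syncrepl: rid=\([0-9]*\) rc -1 retrying.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# count_sasl_no_secret LOG: inbound binds where SASL found no stored secret for the identity.
count_sasl_no_secret() {
    printf '%s\n' "$1" | grep -c 'SASL \[conn=[0-9]*\] Failure: no secret in database' || true
}

# issue_classes LOG: how many of the two issue classes are present (0, 1 or 2).
issue_classes() {
    n=0
    [ "$(count_tls_failures "$1")" -gt 0 ] && n=$((n + 1))
    [ "$(count_sasl_no_secret "$1")" -gt 0 ] && n=$((n + 1))
    echo "$n"
}

# triage LOG: print a short report plus the next checks for each class found. Always returns 0.
triage() {
    log="$1"
    tls=$(count_tls_failures "$log")
    sasl=$(count_sasl_no_secret "$log")
    if [ "$tls" -gt 0 ]; then
        echo "Issue 1 (TLS/CA): $tls syncrepl connection(s) failed TLS setup; rids: $(failing_rids "$log")"
        tls_failed_uris "$log" | while read -r uri; do
            host=${uri#ldaps://}; host=${host%%/*}
            # /path/to/ca.pem is a placeholder for the file named in TLSCACertificateFile on the consumer.
            echo "  verify the chain $host presents against the consumer's CA file:"
            echo "    openssl s_client -connect ${host}:636 -CAfile /path/to/ca.pem -verify_return_error </dev/null"
        done
    fi
    if [ "$sasl" -gt 0 ]; then
        echo "Issue 2 (SASL): $sasl bind(s) failed with 'no secret in database'"
        echo "  confirm the offered mechanisms and how the SASL identity maps to a DN:"
        echo "    ldapsearch -x -H ldap://localhost -b '' -s base supportedSASLMechanisms"
        # Config path is an assumption; on cn=config deployments the attribute is olcAuthzRegexp.
        echo "    grep -iE 'authz-regexp|olcAuthzRegexp' /etc/openldap/slapd.conf"
    fi
    return 0
}

triage "$SAMPLE_LOG"
```

Feed it a real log with `triage "$(journalctl -u slapd --no-pager)"` or `triage "$(cat /var/log/slapd.log)"`; the functions only read the text they are given, so they can run on a copy of the log taken off the box.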

