[EdLUG] OpenLDAP slap client and/or syncrepl error

Tahir Hafiz tahir.hafiz at gmail.com
Fri May 20 19:48:11 UTC 2022


Thanks Mark, I realised I never restarted slapd on the sso2 ldap box when I
renewed the certs there and this is what I see upon restarting the slapd
service:

May 20 19:35:36 sso2 slapd[17605]: slapd starting
May 20 19:35:36 sso2 slapd[17605]: slap_client_connect: URI=ldaps://sso1.redacted.net/ TLS context initialization failed (-1)
May 20 19:35:36 sso2 slapd[17605]: do_syncrepl: rid=001 rc -1 retrying (4 retries left)
May 20 19:35:36 sso2 slapd[17605]: slap_client_connect: URI=ldaps://sso1.redacted.net/ DN="cn=admin,dc=redacted,dc=net" ldap_sasl_bind_s failed (-1)
May 20 19:35:36 sso2 slapd[17605]: do_syncrepl: rid=004 rc -1 retrying (4 retries left)

And on the sso1 ldap box I still see this upon restarting slapd there:

May 20 19:36:26 sso1 slapd[16803]: slapd starting
May 20 19:36:26 sso1 slapd[16803]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
May 20 19:36:26 sso1 slapd[16803]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
May 20 19:36:32 sso1 slapd[16803]: SASL [conn=1001] Failure: no secret in database

So the sso2 ldap box seems to be doing a bit better (one less error).
Is there a way I can troubleshoot which certificates in the chain are
causing the issue, like some interesting commands?
I will try and look at the SASL config too to see where the secret is
missing.

Unfortunately, these seem to be quite dated Ubuntu 14 boxes.

Thank you!

On Fri, May 20, 2022 at 7:49 PM CAIRNEY Mark <Mark.Cairney at ed.ac.uk> wrote:

> Hi,
> I think there are 2 issues at play
> 1. The certs/CA isn't right on one of the servers (hence the TLS errors)
> so the syncrepl bind is failing.
> 2. It looks like SASL can’t find a password entry for the user in the bind
> attempt. Might be worth checking your SASL config to ensure the mechanisms
> you expect are available and your authzregexp is set up correctly.
>
> Sent from my iPhone
>
> On 20 May 2022, at 18:56, Tahir Hafiz <tahir.hafiz at gmail.com> wrote:
>
> Hi,
>
> We have two OpenLDAP servers (sso1 and sso2, ignore alpha, that one I
> think was decommissioned years ago).
> sso1 and sso2 are meant to be in mirror mode (sometimes called
> multi-master mode).
> I had to switch sso1 off a while ago because it was no longer responding
> and didn't have much time to look at it back then.
>
> I have now had some spare time to look at it, updated the web certs which
> had to be renewed and restarted the openldap server in question.
> But I see the following error (and Google has not helped much on this one):
>
> May 20 16:11:44 sso1 slapd[9008]: slapd starting
> May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://alpha.redacted.net/ TLS context initialization failed (-1)
> May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=003 rc -1 retrying (4 retries left)
> May 20 16:11:44 sso1 slapd[9008]: slap_client_connect: URI=ldaps://sso2.redacted.net/ TLS context initialization failed (-1)
> May 20 16:11:44 sso1 slapd[9008]: do_syncrepl: rid=002 rc -1 retrying (4 retries left)
> May 20 16:12:13 sso1 slapd[9008]: SASL [conn=1001] Failure: no secret in database
>
> The weird thing is the OpenLDAP sso1 box is synching to sso2 ldap box, and
> I can connect to it with an ldap client on my home desktop and it now has
> the latest records so it is working as an ldap server but I'm not sure what
> the errors really mean.
> Are there any avenues I can explore on this or has anyone seen something
> like this before (N.B. I am no ldap expert)?
>
> Thanking you in advance,
> Tahir
> --
> EdLUG mailing list
> EdLUG at mailman.lug.org.uk
> https://lists.edlug.org.uk/mailman/listinfo/edlug
>
> The University of Edinburgh is a charitable body, registered in Scotland,
> with registration number SC005336. Is e buidheann carthannais a th’ ann an
> Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.
>
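On the question above about commands to find which certificate in the chain is at fault: the script below is an added example, not something posted in the thread. It uses openssl to check the TLS files a slapd instance is configured with (does the server cert chain to the configured CA, does the private key match it, is it still valid), which is what "TLS context initialization failed" points at after a certificate renewal. The CA names, the hostname sso1.example.test and the temp-dir fixtures are constructed so the script runs offline.

```shell
# Added example, not from the thread: sanity-check the TLS material a slapd
# instance is configured with before suspecting the syncrepl peer. On a real
# box pass the files named by TLSCACertificateFile, TLSCertificateFile and
# TLSCertificateKeyFile (or tls_cacert/tls_cert/tls_key in the syncrepl
# directive); the fixtures at the bottom are constructed so it runs offline.
set -u
# check_tls_material CA CERT KEY: one verdict per check; returns 0 only when
# all three pass (chains to CA, key matches cert, valid for 30+ days).
check_tls_material() {
  ca=$1; cert=$2; key=$3; rc=0
  # 1. Does the server cert chain to the CA this slapd is told to trust?
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain:   OK ($cert chains to $ca)"
  else
    echo "chain:   FAIL ($cert does not chain to $ca)"; rc=1
  fi
  # 2. Does the private key belong to the certificate? A renewed cert
  #    installed without its new key is a common mismatch.
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "keypair: OK"
  else
    echo "keypair: FAIL (private key does not match $cert)"; rc=1
  fi
  # 3. Not expired and not about to be (30 days = 2592000 s)?
  if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "expiry:  OK ($(openssl x509 -in "$cert" -noout -enddate))"
  else
    echo "expiry:  FAIL (expired or expiring within 30 days)"; rc=1
  fi
  # Also confirm the slapd service user (openldap on Ubuntu) can read all
  # three files, e.g.  sudo -u openldap cat "$key" >/dev/null
  return $rc
}
# Constructed fixtures: a throwaway CA, a server cert it signed, and an
# unrelated CA standing in for "the wrong CA on one of the servers".
make_fixtures() {
  d=$(mktemp -d); cd "$d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sso1.example.test" \
    -keyout sso1.key -out sso1.csr >/dev/null 2>&1
  openssl x509 -req -in sso1.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out sso1.pem >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout other.key -out other.pem >/dev/null 2>&1
  echo "$d"
}
```

Run `fx=$(make_fixtures); check_tls_material "$fx/ca.pem" "$fx/sso1.pem" "$fx/sso1.key"` to see all three checks pass, then swap in `$fx/other.pem` as the CA to see the chain check fail the way a wrong CA on one server would.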