any help on "ldap_sasl_bind_s failed (53)"
Hi, I am new to ldap. I am following the book "Mastering OpenLDAP" to set up replication but I am getting the error given in the title when I start the slave with "slapd -d sync". Replication does not work.

** slapd.conf of the Master:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

    #modulepath /usr/lib/openldap
    #moduleload syncprov.la

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    #sasl-realm ier.hit-u.ac.jp
    #sasl-host localhost
    #authz-regexp uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp

    # ldbm and/or bdb database definitions

    database bdb
    suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
    rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
    #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
    rootpw secret
    #password-hash {MD5}
    directory /var/lib/ldap

    TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
    TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
    TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

    overlay syncprov
    syncprov-checkpoint 50 10
    syncprov-sessionlog 100

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    index entryCSN,entryUUID eq

    idlcachesize 1000

    access to attrs=userPassword
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by anonymous auth
        by * none

    access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by self read
        by anonymous auth
        by * none

    access to *
        by self write
        by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
        by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
        by * read

* slapd.conf of the slave:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/samba.schema

    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2

    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    # ldbm and/or bdb database definitions

    database bdb
    suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
    #rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
    rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
    #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
    rootpw secretofreplicator
    #password-hash {MD5}
    directory /var/lib/ldap
    #TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
    #TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
    #TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

    # Replicas of this database
    #updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp
    #updateref uri=ldap://192.168.84.22

    # Indices to maintain for this database
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub
    index entryCSN,entryUUID eq

    idlcachesize 1000

    #access to attrs=userPassword
    # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    # by self write
    # by anonymous auth
    # by * none

    #access to *
    # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    # by self write
    # by * read

    #loglevel stats sync

    syncrepl rid=001 provider=ldap://mail.ier.
Re: make test failure due to libsasl2.so.3 not found
--On November 18, 2014 at 12:46:39 PM -0500 Guruprasad Kulkarni wrote:

I am using ubuntu 12.04.5 LTS
I installed cyrus-sasl-2.1.26 (created symlink from /usr/lib/sasl2 to /usr/local/lib/sasl2)
I set LDFLAGS="-L/usr/local/lib -L/usr/local/lib/sasl2"

Yes, I already pointed you at the relevant information.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
make test failure due to libsasl2.so.3 not found
I am using ubuntu 12.04.5 LTS
I installed cyrus-sasl-2.1.26 (created symlink from /usr/lib/sasl2 to /usr/local/lib/sasl2)

I used the following options for configuration:

    --enable-debug --enable-hdb --enable-ppolicy --enable-syncprov --with-cyrus-sasl

Configuration, make depend and make were successful.
I then proceeded to "make test" and I got the error:

    ../clients/tools/ldapsearch: error while loading shared libraries: libsasl2.so.3: cannot open shared object file: No such file or directory

The file libsasl2.so.3 is present in /usr/local/lib
I set LDFLAGS="-L/usr/local/lib -L/usr/local/lib/sasl2"

Do I need to set some other flags to make the tests work?

-Guruprasad
Re: debugging OpenLDAP client
Well, I raised this subject stating that -1 does not do what I need.

On Tuesday, November 18, 2014, Aaron Richton wrote:

> On Tue, 18 Nov 2014, Igor Shmukler wrote:
>
> Well, the question is what log level will print out ASNs?
>>
>
> I don't know what you're looking to "print out." OpenLDAP doesn't include
> an ASN.1 debugging / network analysis / etc. suite; it's not like you're
> going to see BNF in your syslogs. You will get hex dumps and more than a
> few hints.
>
> So start big, try -d -1, see if it's what you're looking for or not...
>
> On Tuesday, November 18, 2014, Aaron Richton
>> wrote:
>> On Tue, 18 Nov 2014, Igor Shmukler wrote:
>>
>> Dieter,
>>
>> I understand that if strace(1) is available, it can be used.
>> I want to learn how to lift the relevant debug information from the
>> OpenLDAP server. Specially, I would love to see
>> decoded requests and responses. It can be quite helpful in
>> realizing whether the client author messed up the request, or the
>> unexpected response is due to its decoding error.
>>
>>
>> Compile with --enable-debug (if this default was overridden) and
>> set an appropriate olcLogLevel to get the messages. This is often
>> accomplished in practice using the -d command line argument,
>> rather than a permanent config change. If your server is under live
>> load, trying this from the client (e.g. ldapsearch(1)) may be a wise
>> approach.
>>
>> See Table 6.1 in the OpenLDAP 2.4 Administrator's Guide for the
>> available levels (please note that some levels are only relevant in
>> slapd(8) context).
>>
>> Sincerely,
>>
>> Igor Shmukler
>>
>>
>> On Tue, Nov 18, 2014 at 2:01 PM, Dieter Klünter <
>> die...@dkluenter.de> wrote:
>> On Tue, 18 Nov 2014 12:39:42 +0200,
>> Igor Shmukler wrote:
>>
>> Hello,
>>
>> I wrote a client to make RFC 2696 (paged results)
>> requests. My client
>> gets results fine, yet size and cookie values are
>> always 0, "" - this
>> should not be the case. I tried with
>> ldapsearch(1) and it does paging
>> fine. Hence, it makes sense to assume that the
>> server is OK and
>> opaque/cookie must not be empty. At the same
>> time, format of my ASN
>> object is fine.
>> I need to understand where exactly, I messed up.
>>
>> [...]
>>
>> depending on your programming language, you may run
>> your client with
>> strace or similar tools.
>>
>> -Dieter
>>
>> --
>> Dieter Klünter | Systemberatung
>> http://sys4.de
>> GPG Key ID: E9ED159B
>> 53°37'09,95"N
>> 10°08'02,42"E
Re: debugging OpenLDAP client
On Tue, 18 Nov 2014, Igor Shmukler wrote:

Well, the question is what log level will print out ASNs?

I don't know what you're looking to "print out." OpenLDAP doesn't include an ASN.1 debugging / network analysis / etc. suite; it's not like you're going to see BNF in your syslogs. You will get hex dumps and more than a few hints.

So start big, try -d -1, see if it's what you're looking for or not...

On Tuesday, November 18, 2014, Aaron Richton wrote:

On Tue, 18 Nov 2014, Igor Shmukler wrote:

Dieter,

I understand that if strace(1) is available, it can be used. I want to learn how to lift the relevant debug information from the OpenLDAP server. Specially, I would love to see decoded requests and responses. It can be quite helpful in realizing whether the client author messed up the request, or the unexpected response is due to its decoding error.

Compile with --enable-debug (if this default was overridden) and set an appropriate olcLogLevel to get the messages. This is often accomplished in practice using the -d command line argument, rather than a permanent config change. If your server is under live load, trying this from the client (e.g. ldapsearch(1)) may be a wise approach.

See Table 6.1 in the OpenLDAP 2.4 Administrator's Guide for the available levels (please note that some levels are only relevant in slapd(8) context).

Sincerely,

Igor Shmukler

On Tue, Nov 18, 2014 at 2:01 PM, Dieter Klünter wrote:

On Tue, 18 Nov 2014 12:39:42 +0200, Igor Shmukler wrote:

Hello,

I wrote a client to make RFC 2696 (paged results) requests. My client gets results fine, yet size and cookie values are always 0, "" - this should not be the case. I tried with ldapsearch(1) and it does paging fine. Hence, it makes sense to assume that the server is OK and opaque/cookie must not be empty. At the same time, format of my ASN object is fine.
I need to understand where exactly, I messed up.

[...]

depending on your programming language, you may run your client with strace or similar tools.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Re: debugging OpenLDAP client
Well, the question is what log level will print out ASNs?

On Tuesday, November 18, 2014, Aaron Richton wrote:

> On Tue, 18 Nov 2014, Igor Shmukler wrote:
>
> Dieter,
>>
>> I understand that if strace(1) is available, it can be used. I want to
>> learn how to lift the relevant debug information from the OpenLDAP server.
>> Specially, I would love to see decoded requests and responses. It can be
>> quite helpful in realizing whether the client author messed up the request,
>> or the unexpected response is due to its decoding error.
>>
>
> Compile with --enable-debug (if this default was overridden) and set an
> appropriate olcLogLevel to get the messages. This is often accomplished in
> practice using the -d command line argument, rather than a permanent config
> change. If your server is under live load, trying this from the client
> (e.g. ldapsearch(1)) may be a wise approach.
>
> See Table 6.1 in the OpenLDAP 2.4 Administrator's Guide for the available
> levels (please note that some levels are only relevant in slapd(8) context).
>
> Sincerely,
>>
>> Igor Shmukler
>>
>>
>> On Tue, Nov 18, 2014 at 2:01 PM, Dieter Klünter
>> wrote:
>>
>>> On Tue, 18 Nov 2014 12:39:42 +0200,
>>> Igor Shmukler wrote:
>>>
>>> Hello, I wrote a client to make RFC 2696 (paged results) requests. My client gets results fine, yet size and cookie values are always 0, "" - this should not be the case. I tried with ldapsearch(1) and it does paging fine. Hence, it makes sense to assume that the server is OK and opaque/cookie must not be empty. At the same time, format of my ASN object is fine. I need to understand where exactly, I messed up.
>>> [...]
>>>
>>> depending on your programming language, you may run your client with
>>> strace or similar tools.
>>>
>>> -Dieter
>>>
>>> --
>>> Dieter Klünter | Systemberatung
>>> http://sys4.de
>>> GPG Key ID: E9ED159B
>>> 53°37'09,95"N
>>> 10°08'02,42"E
Re: debugging OpenLDAP client
On Tue, 18 Nov 2014, Igor Shmukler wrote:

Dieter,

I understand that if strace(1) is available, it can be used. I want to learn how to lift the relevant debug information from the OpenLDAP server. Specially, I would love to see decoded requests and responses. It can be quite helpful in realizing whether the client author messed up the request, or the unexpected response is due to its decoding error.

Compile with --enable-debug (if this default was overridden) and set an appropriate olcLogLevel to get the messages. This is often accomplished in practice using the -d command line argument, rather than a permanent config change. If your server is under live load, trying this from the client (e.g. ldapsearch(1)) may be a wise approach.

See Table 6.1 in the OpenLDAP 2.4 Administrator's Guide for the available levels (please note that some levels are only relevant in slapd(8) context).

Sincerely,

Igor Shmukler

On Tue, Nov 18, 2014 at 2:01 PM, Dieter Klünter wrote:

On Tue, 18 Nov 2014 12:39:42 +0200, Igor Shmukler wrote:

Hello,

I wrote a client to make RFC 2696 (paged results) requests. My client gets results fine, yet size and cookie values are always 0, "" - this should not be the case. I tried with ldapsearch(1) and it does paging fine. Hence, it makes sense to assume that the server is OK and opaque/cookie must not be empty. At the same time, format of my ASN object is fine.
I need to understand where exactly, I messed up.

[...]

depending on your programming language, you may run your client with strace or similar tools.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Re: debugging OpenLDAP client
Dieter,

I understand that if strace(1) is available, it can be used. I want to learn how to lift the relevant debug information from the OpenLDAP server. Specially, I would love to see decoded requests and responses. It can be quite helpful in realizing whether the client author messed up the request, or the unexpected response is due to its decoding error.

Sincerely,

Igor Shmukler

On Tue, Nov 18, 2014 at 2:01 PM, Dieter Klünter wrote:

> On Tue, 18 Nov 2014 12:39:42 +0200,
> Igor Shmukler wrote:
>
>> Hello,
>>
>> I wrote a client to make RFC 2696 (paged results) requests. My client
>> gets results fine, yet size and cookie values are always 0, "" - this
>> should not be the case. I tried with ldapsearch(1) and it does paging
>> fine. Hence, it makes sense to assume that the server is OK and
>> opaque/cookie must not be empty. At the same time, format of my ASN
>> object is fine.
>> I need to understand where exactly, I messed up.
> [...]
>
> depending on your programming language, you may run your client with
> strace or similar tools.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
Re: debugging OpenLDAP client
On Tue, 18 Nov 2014 12:39:42 +0200, Igor Shmukler wrote:

> Hello,
>
> I wrote a client to make RFC 2696 (paged results) requests. My client
> gets results fine, yet size and cookie values are always 0, "" - this
> should not be the case. I tried with ldapsearch(1) and it does paging
> fine. Hence, it makes sense to assume that the server is OK and
> opaque/cookie must not be empty. At the same time, format of my ASN
> object is fine.
> I need to understand where exactly, I messed up.

[...]

depending on your programming language, you may run your client with strace or similar tools.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
debugging OpenLDAP client
Hello,

I wrote a client to make RFC 2696 (paged results) requests. My client gets results fine, yet size and cookie values are always 0, "" - this should not be the case. I tried with ldapsearch(1) and it does paging fine. Hence, it makes sense to assume that the server is OK and opaque/cookie must not be empty. At the same time, format of my ASN object is fine.
I need to understand where exactly, I messed up.

In order to debug this, I added a logging LDIF and set debug to -1 any. It shows quite a lot of information, but I did not notice size and cookie values being dumped into syslog(3).

Is there a way to have separate values that go into the packets printed out? I see that there is an option for BER 0x10 and parse 0x800 as well as others.

Thank you,
Igor Shmukler
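
The control value this thread asks about, decoded by hand from a hex dump: an added example, not code from any poster or from OpenLDAP, with hypothetical function names and constructed sample bytes. RFC 2696 lets a server return size 0 when it has no estimate, so the cookie in the response control is the field that shows whether more pages remain.

```python
# Added example: decode an RFC 2696 pagedResults control value from hex.
# realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # controlType defined by RFC 2696


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length BER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: length in one octet
        length = first
    else:                                  # long form: low 7 bits count length octets
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_paged_value(hexdump):
    """Decode a control value given as hex text into (size, cookie)."""
    raw = bytes.fromhex(hexdump)
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected one SEQUENCE covering the whole value")
    tag, size_bytes, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("first element must be INTEGER (size)")
    tag, cookie, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("second element must be OCTET STRING (cookie)")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


# Constructed sample values, not captured from a real server.
REQUEST_FIRST_PAGE = "30 05 02 01 64 04 00"                      # size=100, empty cookie
RESPONSE_MORE_PAGES = "30 0b 02 01 00 04 06 a1 b2 c3 d4 e5 f6"   # size=0, 6-byte cookie
RESPONSE_LAST_PAGE = "30 05 02 01 00 04 00"                      # size=0, empty cookie

if __name__ == "__main__":
    for name in ("REQUEST_FIRST_PAGE", "RESPONSE_MORE_PAGES", "RESPONSE_LAST_PAGE"):
        size, cookie = decode_paged_value(globals()[name])
        print(f"{name}: size={size} cookie={cookie.hex() or '(empty)'}")
```

Feeding it the bytes of the control attached to the SearchResultDone message shows whether the server sent a cookie at all, independently of the client's own decoder.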