Author Topic: LDAP Configuration - Master & Slave  (Read 4175 times)

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
LDAP Configuration - Master & Slave
« on: August 19, 2011, 05:32:03 pm »
Hello,

I've been trying for a long time to get this configuration running and I can't get it to work.

This is what I have done.

The master LDAP doesn't have any module that needs users and groups.

On the slave I'll have a mail server and maybe a VPN server; both modules are disabled.

On the slave and on the master I've enabled LDAP in the firewall.

I can ping the two hosts and I can see the slave on the master in the LDAP configuration, but I can't sync: when I create a new user it simply doesn't sync... What am I missing here?

Regards,
Kral

jsalamero

  • Zentyal Staff
  • Zen Hero
  • Posts: 1419
  • Karma: +45/-1
Re: LDAP Configuration - Master & Slave
« Reply #1 on: August 22, 2011, 10:01:29 am »
Check master can resolve slave hostname (use DNS or /etc/hosts) and can connect to its webadmin port.

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #2 on: August 22, 2011, 11:55:10 am »
Hi, jsalamero

Tks for your reply. Yes, the master can resolve the slave hostname, and I have rules in the FWs that allow any traffic between slave and master.

Regards,

jsalamero

  • Zentyal Staff
  • Zen Hero
  • Posts: 1419
  • Karma: +45/-1
Re: LDAP Configuration - Master & Slave
« Reply #3 on: August 22, 2011, 02:47:11 pm »
From slave try to read master LDAP tree with ldapsearch and from master try to connect to slave port with openssl s_client -connect hostname:port. Also install and enable NTP on both.

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #4 on: August 23, 2011, 06:49:13 pm »
When I try to read the master LDAP with ldapsearch it wants a password. Is it the master password? When I try openssl it says there's no certificate.

HELP!!!!!!!!

christian

  • Guest
Re: LDAP Configuration - Master & Slave
« Reply #5 on: August 23, 2011, 07:14:25 pm »
Could you please post here your ldapsearch syntax?

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #6 on: August 23, 2011, 10:52:39 pm »
sysadmin@Hermod:~$ ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
sysadmin@Hermod:~$

I used the sysadmin password.

christian

  • Guest
Re: LDAP Configuration - Master & Slave
« Reply #7 on: August 23, 2011, 11:20:32 pm »
Don't look any further, but first read the ldapsearch syntax  ;)

You should try something like:
ldapsearch -x -h your.ldap.server -b "dc=host,dc=domain,dc=com" -s sub "(objectclass=*)"

Obviously, replace ldap.server and domain with your values  ;D and give it a try.

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #8 on: August 24, 2011, 01:34:56 am »
Tks guys!

Here it is:

sysadmin@Hermod:~$ ldapsearch -x -h thor -b "dc=thor,dc=myn3twork" -s sub objectclass=*
# extended LDIF
#
# LDAPv3
# base <dc=thor,dc=myn3twork> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# Thor.myn3twork
dn: dc=Thor,dc=myn3twork
objectClass: organization
objectClass: dcObject
objectClass: top
dc: Thor
o: Thor

# Users, Thor.myn3twork
dn: ou=Users,dc=Thor,dc=myn3twork
objectClass: organizationalUnit
ou: Users

# Groups, Thor.myn3twork
dn: ou=Groups,dc=Thor,dc=myn3twork
objectClass: organizationalUnit
ou: Groups

# slaves, Thor.myn3twork
dn: ou=slaves,dc=Thor,dc=myn3twork
objectClass: organizationalUnit
ou: slaves

# ebox, Thor.myn3twork
dn: cn=ebox,dc=Thor,dc=myn3twork
objectClass: organizationalRole
objectClass: simpleSecurityObject
description: eBox admin account
cn: ebox

# __USERS__, Groups, Thor.myn3twork
dn: cn=__USERS__,ou=Groups,dc=Thor,dc=myn3twork
cn: __USERS__
gidNumber: 1901
objectClass: posixGroup
description: All users

# master, Thor.myn3twork
dn: cn=master,dc=Thor,dc=myn3twork
objectClass: masterHost
masterCertificate:: LS0tL***************************
masterCACertificate:: LS0tL*************************
masterLDAPCACertificate:: LS0tL*********************
cn: master

# Hermod, slaves, Thor.myn3twork
dn: hostname=Hermod,ou=slaves,dc=Thor,dc=myn3twork
objectClass: slaveHost
hostname: Hermod
port: 443

# 1, Users, Thor.myn3twork
dn: uid=1,ou=Users,dc=Thor,dc=myn3twork
cn: 1 11
uid: 1
sn: 11
loginShell: /usr/sbin/nologin
uidNumber: 2001
gidNumber: 1901
homeDirectory: /home/1
quota: 100
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: systemQuotas
givenName: 1

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9
« Last Edit: August 24, 2011, 11:02:17 am by kral »

christian

  • Guest
Re: LDAP Configuration - Master & Slave
« Reply #9 on: August 24, 2011, 07:46:31 am »
So much easier once you read the man page or doc  8)

Then you can improve it a bit by setting the right LDAP filter in your search command, although this is not your initial goal  ;D

We have just demonstrated that access to LDAP from outside works.
Go back to your Zentyal GUI and check whether replication works fine now: create or modify an account on the master and see what happens on the slave...

BTW, posting here your certificate is maybe not the best thing. You should edit your post  ;)
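The LDIF posted in reply #8 can be checked and sanitised with a small script instead of by eye. The following is an added example (my own code, not Zentyal's): it parses ldapsearch output (base64 `::` values and folded continuation lines included), reports what the replication set-up needs from the tree (the masterHost entry with its three certificate attributes, the slaveHost entries with hostname and port, the number of accounts), compares DNs case-insensitively so that a `dc=thor` base matches the `dc=Thor` entries, and replaces certificate and password attributes with a placeholder before the output is pasted anywhere. The LDIF inside it is a trimmed, constructed copy of the posted tree with placeholder certificates, and the list of attributes treated as sensitive is an assumption.

```python
import base64
import re

# Attribute types whose values should not be pasted into a public thread
# (reply #9 makes this point about the masterCertificate blobs). Assumed list.
SENSITIVE_ATTRS = {"mastercertificate", "mastercacertificate",
                   "masterldapcacertificate", "userpassword"}

# Constructed placeholder for the real PEM blobs; base64 of "-----" begins
# with "LS0tL", exactly like the posted output.
PLACEHOLDER_CERT = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()

# Trimmed, constructed copy of the tree posted in the thread. The first
# certificate is folded across two lines, as real ldapsearch output is.
SAMPLE_LDIF = f"""\
# extended LDIF
# base <dc=thor,dc=myn3twork> with scope subtree

dn: dc=Thor,dc=myn3twork
objectClass: dcObject
dc: Thor

dn: cn=master,dc=Thor,dc=myn3twork
objectClass: masterHost
masterCertificate:: {PLACEHOLDER_CERT[:40]}
 {PLACEHOLDER_CERT[40:]}
masterCACertificate:: {PLACEHOLDER_CERT}
masterLDAPCACertificate:: {PLACEHOLDER_CERT}
cn: master

dn: hostname=Hermod,ou=slaves,dc=Thor,dc=myn3twork
objectClass: slaveHost
hostname: Hermod
port: 443

dn: uid=1,ou=Users,dc=Thor,dc=myn3twork
objectClass: inetOrgPerson
objectClass: posixAccount
uid: 1

# search result
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;._-]*)(::?) ?(.*)$")

def unfold(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; '::' values are base64-decoded,
    comments are skipped and the dn-less search-result block is dropped."""
    entries, dn, attrs = [], None, {}
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):
    """Case-fold RDNs and drop spaces around commas, so dc=thor equals dc=Thor."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def under_base(dn, base):
    n, b = normalize_dn(dn), normalize_dn(base)
    return n == b or n.endswith("," + b)

def replication_summary(entries):
    """Pull out what a master/slave check needs: the master entry, its certificate
    attributes that decode to PEM, the registered slaves, and the account count."""
    s = {"master_dn": None, "master_certificates": [], "slaves": [], "accounts": 0}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "masterhost" in classes:
            s["master_dn"] = dn
            s["master_certificates"] = sorted(
                a for a in attrs
                if a.endswith("certificate") and attrs[a][0].startswith("-----BEGIN"))
        elif "slavehost" in classes:
            s["slaves"].append({"hostname": attrs["hostname"][0], "port": int(attrs["port"][0])})
        elif "posixaccount" in classes:
            s["accounts"] += 1
    return s

def redact(text):
    """Return the LDIF with sensitive values (and their folded continuation lines) replaced."""
    out, skipping = [], False
    for raw in text.splitlines():
        if raw.startswith(" ") and skipping:
            continue  # continuation line of a value already redacted
        skipping = False
        m = ATTR_RE.match(raw)
        if m and m.group(1).lower() in SENSITIVE_ATTRS:
            out.append(f"{m.group(1)}: <redacted>")
            skipping = True
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run `redact()` over real ldapsearch output before posting it, and `replication_summary()` to confirm the master entry carries all three certificates and that each slave is listed with the port its webadmin actually answers on.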

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #10 on: August 24, 2011, 11:00:47 am »
Quote from: christian on August 24, 2011, 07:46:31 am
So much easier once you read the man page or doc  8)

Then you can improve it a bit by setting the right LDAP filter in your search command, although this is not your initial goal  ;D

We have just demonstrated that access to LDAP from outside works.
Go back to your Zentyal GUI and check whether replication works fine now: create or modify an account on the master and see what happens on the slave...

BTW, posting here your certificate is maybe not the best thing. You should edit your post  ;)


Tks for the advice, Christian  8)

LDAP is kind of a new thing for me.... eheheh


Still won't work... cannot sync with slave... :(


« Last Edit: August 24, 2011, 11:10:03 am by kral »

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #11 on: August 25, 2011, 03:38:08 pm »
This is what I have in my LDAP settings on the master:
Base DN:    dc=Thor,dc=myn3twork
Root DN:    cn=ebox,dc=Thor,dc=myn3twork
Password:    ******************
Users DN:    ou=Users,dc=Thor,dc=myn3twork
Groups DN:    ou=Groups,dc=Thor,dc=myn3twork

Is the Root DN correct?

Another thing, when I do ldapsearch -xLLL -b "dc=thor,dc=myn3twork" uid=1 sn givenName cn

This is the result:

dn: uid=1,ou=Users,dc=Thor,dc=myn3twork
cn: 1 11
sn: 11
givenName: 1

It's ok.... But when I do it from the slave.... nothing...

sysadmin@Hermod:~$ ldapsearch -xLLL -b "dc=thor,dc=myn3twork" uid=1 sn givenName cn
sysadmin@Hermod:~$ ldapsearch -xLLL -b "dc=thor,dc=myn3twork" uid=1 sn givenName cn
sysadmin@Hermod:~$
sysadmin@Hermod:~$

« Last Edit: August 25, 2011, 04:05:55 pm by kral »

christian

  • Guest
Re: LDAP Configuration - Master & Slave
« Reply #12 on: August 25, 2011, 04:42:51 pm »
I thought from previous posts that ldapsearch from the slave was working. It looks like it doesn't... So what I wrote before (because of a misunderstanding on my side) is wrong  :-[ We have no evidence that the FW rules are OK.

From the slave, what if you telnet the LDAP master on port 389? If it doesn't work then look again at the FW and ensure you have authorized this flow.
Please test using both the IP address and the FQDN just to isolate a potential issue with DNS  ;)

kral

  • Zen Apprentice
  • Posts: 47
  • Karma: +0/-0
Re: LDAP Configuration - Master & Slave
« Reply #13 on: August 25, 2011, 05:11:02 pm »
Quote from: christian on August 25, 2011, 04:42:51 pm
I thought from previous posts that ldapsearch from the slave was working. It looks like it doesn't... So what I wrote before (because of a misunderstanding on my side) is wrong  :-[ We have no evidence that the FW rules are OK.

From the slave, what if you telnet the LDAP master on port 389? If it doesn't work then look again at the FW and ensure you have authorized this flow.
Please test using both the IP address and the FQDN just to isolate a potential issue with DNS  ;)


Tks for your availability, Christian

Here's the result of the telnet:

sysadmin@Hermod:~$ telnet 172.16.10.11 389
Trying 172.16.10.11...
Connected to 172.16.10.11.
Escape character is '^]'.

sysadmin@Hermod:~$ telnet thor  389
Trying 172.16.10.11...
Connected to thor.myn3twork.
Escape character is '^]'.

In the FW of the slave and of the master I've allowed any traffic coming from the "object": in the slave from the master, and vice versa.


christian

  • Guest
Re: LDAP Configuration - Master & Slave
« Reply #14 on: August 25, 2011, 06:15:39 pm »
Cool.
I read your previous post a bit too quickly and notice now that with the previous ldapsearch command you didn't specify the "-h" option for the host  :-[
In that case, you are looking at the local LDAP server on 127.0.0.1, which is maybe not up and running.
From the slave, if you want to check master LDAP visibility and status, you must specify the host attribute.

Your tests with telnet are showing that the remote (master) LDAP server is visible.
Now replication requires the slave server to run too  ;D Did you check the status on the slave side?
- is port 389 up and the LDAP process running, etc...
- what about the slave status in Zentyal
- there is also one aspect with the certificate that may require your attention. Did you pay attention to this during the slave installation? (I definitely need to install an LDAP slave again with 2.0  :-[)
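The checks the thread works through (does the peer's name resolve, does the master's port 389 answer from the slave, does the slave's webadmin port 443 answer from the master, and an ldapsearch that names the remote host instead of silently defaulting to the local slapd) can be scripted so they are run the same way from both sides. The following is an added example, not Zentyal code: run it on the slave with the master as the peer, and on the master with the slave as the peer. It assumes the hostnames thor and Hermod, the base DN and the ports from the thread, uses the `-H ldap://host:port` form of ldapsearch (the URI equivalent of the `-h` option discussed above), and includes a loopback listener only so the reachability check can be exercised offline.

```python
import json
import shlex
import socket
import sys

def resolve_host(name):
    """Addresses that 'name' resolves to (DNS or /etc/hosts); [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes, i.e. what 'telnet host port' showed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or unresolvable name
        return False

def ldapsearch_cmd(host, base_dn, port=389, ldap_filter="(objectClass=*)", attrs=()):
    """ldapsearch invocation that always names the remote server via -H.
    Without -H/-h ldapsearch talks to the local slapd, which on a slave may not even be running."""
    return ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}",
            "-b", base_dn, "-s", "sub", ldap_filter, *attrs]

def s_client_cmd(host, port=443):
    """openssl probe of the slave's webadmin port, the check suggested in reply #3."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}"]

def peer_checks(peer, ports=(389, 443), base_dn="dc=Thor,dc=myn3twork"):
    """Run the resolution and reachability checks against one peer and list the commands to run next."""
    return {
        "peer": peer,
        "addresses": resolve_host(peer),
        "reachable": {p: tcp_reachable(peer, p) for p in ports},
        "next": [shlex.join(ldapsearch_cmd(peer, base_dn)), shlex.join(s_client_cmd(peer))],
    }

def loopback_listener():
    """Listening socket on an ephemeral 127.0.0.1 port, only so tcp_reachable can be tried offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

if __name__ == "__main__":
    # On the slave: python3 <this script> thor ; on the master: python3 <this script> Hermod
    print(json.dumps(peer_checks(sys.argv[1] if len(sys.argv) > 1 else "thor"), indent=2))
```

A peer whose name resolves but whose port is not reachable points at the firewall or at slapd not listening; a name that does not resolve at all means DNS or /etc/hosts, which is the first thing reply #1 asks about. The `next` commands are printed rather than executed so the script needs no LDAP client or OpenSSL to run.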