LDAP password information update failed: Referral, cannot change password from the replica

Time: 2013-02-22 14:13:35

Tags: openldap

I have configured Master / Slave using slapd.conf and slurpd.

The problem is that if the master server is stopped, I cannot change a client password from the slave server.

Master server -

[root@lr5dir01 ~]# service ldap stop
Stopping slapd:                                            [  OK  ]
Stopping slurpd:                                           [  OK  ]
[root@lr5dir01 ~]#

Slave server -

[root@lr5dir02 ldap]# service ldap restart
Stopping slapd:                                            [  OK  ]
Checking configuration files for slapd:  config file testing succeeded
                                                           [  OK  ]
Starting slapd:                                            [  OK  ]
[root@lr5dir02 ldap]#

Client -

[root@lr5dir02 ldap]# ssh ldaptest@10.40.109.94
ldaptest@10.40.109.94's password:
Last login: Tue Feb 19 21:14:27 2013 from lr5dir02.hk.intraxa
Could not chdir to home directory /home/ldaptest: No such file or directory
-bash-3.2$

-bash-3.2$ passwd
Changing password for user ldaptest.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Referral

passwd: Permission denied
-bash-3.2$

Master server - slapd.conf

access to attrs=shadowLastChange,userPassword
      by self write
      by * auth

access to *
      by * read

replica host=10.40.101.231:389
        binddn="cn=Manager,dc=hk,dc=intraxa"
        credentials=secret
        bindmethod=simple
        tls=no

Slave server slapd.conf - same as Master, with only:

updatedn "cn=Manager,dc=hk,dc=intraxa"
updateref ldap://10.40.101.230:389/

Client PAM -

[root@lr6tst01 ~]# more /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

[root@lr6tst01 ~]#


Log -

Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 BIND dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa" method=128
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 BIND dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa" mech=SIMPLE ssf=0
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=4 RESULT tag=97 err=0 text=
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]:  14r
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:54 lr5dir02 slapd[7147]:
Feb 19 21:43:54 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 MOD dn="uid=ldaptest,ou=People,dc=hk,dc=intraxa"
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 MOD attr=userPassword
Feb 19 21:43:54 lr5dir02 slapd[7147]: conn=2 op=5 RESULT tag=103 err=10 text=
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:56 lr5dir02 slapd[7147]:  14r
Feb 19 21:43:56 lr5dir02 slapd[7147]:
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: read active on 14
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Feb 19 21:43:56 lr5dir02 slapd[7147]: connection_read(14): input error=-2 id=2, closing.
Feb 19 21:43:56 lr5dir02 slapd[7147]: conn=2 op=6 UNBIND
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: removing 14
Feb 19 21:43:56 lr5dir02 slapd[7147]: conn=2 fd=14 closed
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on 1 descriptor
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: activity on:
Feb 19 21:43:56 lr5dir02 slapd[7147]:
Feb 19 21:43:56 lr5dir02 slapd[7147]: daemon: epoll: listen=7 active_threads=0 tvp=NUL

1 answer:

Answer 0: (score: 1)

If you are using slurpd, you must be using an old version of OpenLDAP - the supported replication configuration is strictly single master (RW) with read-only replica nodes. slurpd is no longer supported, partly because it only supports this mode.

What is happening is that the read-only node knows it cannot accept write requests (other than from the master server), so it gives the client a referral, sending it to the writable node (i.e. to the updateref URI in the configuration).

You should upgrade to OpenLDAP 2.4 and use the syncrepl protocol for replication. This allows three replication schemes:

  1. A single RW master server with multiple RO replica nodes
  2. Full multi-master RW (with some caveats)
  3. A mirrormode hybrid (active hot standby), used with a load balancer or proxy

You can use syncrepl with OpenLDAP 2.3, but I strongly recommend upgrading (or you may miss out on 5 years of enhancements and syncrepl patches, depending on which packages you use and whether any fixes have been back-ported).

The only option with the current setup is to manually change the RO node's configuration to promote it to master when the master server goes offline; as you can guess, this can be problematic to maintain.
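As an added illustration of the answer's recommendation (not configuration from the question or the answer itself), this is what the question's slurpd `replica` / `updatedn` / `updateref` setup looks like when expressed as a syncrepl provider and consumer in OpenLDAP 2.4 slapd.conf, reusing the hosts and DNs shown above; the `rid`, checkpoint, session-log and retry values are assumed placeholders.

```conf
#### Provider (master, lr5dir01 / 10.40.101.230) ####
# Replaces the slurpd "replica host=..." block: the provider no longer
# pushes changes, consumers pull them via the syncprov overlay.
database    bdb
suffix      "dc=hk,dc=intraxa"
rootdn      "cn=Manager,dc=hk,dc=intraxa"
# ... directory, indexes and the access rules from the question unchanged ...

overlay     syncprov
# Write a contextCSN checkpoint every 100 ops or 10 minutes (assumed values)
syncprov-checkpoint 100 10
# Keep the last 100 writes so a consumer that was briefly down can resync
syncprov-sessionlog 100

#### Consumer (replica, lr5dir02 / 10.40.101.231) ####
# Replaces "updatedn": syncrepl applies the provider's changes under the
# consumer's own rootdn, so no separate update identity is needed.
database    bdb
suffix      "dc=hk,dc=intraxa"
rootdn      "cn=Manager,dc=hk,dc=intraxa"

syncrepl    rid=001
            provider=ldap://10.40.101.230:389/
            type=refreshAndPersist
            retry="60 +"
            searchbase="dc=hk,dc=intraxa"
            bindmethod=simple
            binddn="cn=Manager,dc=hk,dc=intraxa"
            credentials=secret
            # starttls=critical   # protects the bind password and replicated
                                  # userPassword values on the wire (needs a
                                  # TLS-enabled provider)

# Still a read-only replica: writes (including passwd) are referred to the
# provider exactly as in the question, so "err=10" on the consumer is
# expected behaviour, not a fault. For scheme 3 (mirrormode) both servers
# would instead carry "serverID", "mirrormode on", the syncprov overlay and
# a syncrepl stanza pointing at each other, and updateref is dropped.
updateref   ldap://10.40.101.230:389/
```

With this layout the client-side symptom is unchanged while the provider is down; what changes is that promoting the consumer no longer needs slurpd's replog handling, and the replication binddn only needs read access on the provider.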