[Date Prev][Date Next] [Chronological] [Thread] [Top]

Can't replicate using updatedn

To: openldap-software@OpenLDAP.org
Subject: Can't replicate using updatedn
From: Peter Traub <peter@vindicia.com>
Date: Wed, 21 Jan 2004 14:50:45 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Hello,

I am using OpenLDAP 2.1.25 on RH9 and have been unable to get replication working if I tell the replica directive in the master slapd.conf to connect through the updatedn on the slave server. If I set the updatedn on the slave to the same dn as the rootdn and change the master replica directive accordingly, then it works. However, as the official docs say to avoid doing this, I am attempting to go through a unique updatedn instead. The critical directives from my master slapd.conf are below:

-------------------------------------

database    bdb

suffix        "dc=vindicia,dc=com"
rootdn        "cn=manager,dc=vindicia,dc=com"
rootpw        {SSHA}foo # encrypted
password-crypt-salt-format "$1$%.8s"
password-hash    {CRYPT}

# lock down passwords
access to attribute=userPassword
       by dn="cn=manager,dc=vindicia,dc=com" write
       by self write
       by anonymous auth
       by * none

# allow users to write some stuff
access to attribute=loginShell,shadowLastChange
       by dn="cn=manager,dc=vindicia,dc=com" write
       by self write
       by * read

# everything else is read-only
access to *
       by dn="cn=manager,dc=vindicia,dc=com" write
       by * read

replica     host=fs01.sm.vindicia.com:389
           binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
           bindmethod=simple credentials=foo
           tls=yes

replogfile    /var/log/master_ldap_replog

-------------------------------------


slave slapd.conf:

------------------------------------- database bdb

suffix          "dc=vindicia,dc=com"
rootdn          "cn=manager,dc=vindicia,dc=com"
rootpw          secret
#rootpw         {SSHA}foo # encrypted, but same as master rootpw
updatedn        "cn=fs01_Replicator,dc=vindicia,dc=com"
#updatedn       "cn=manager,dc=vindicia,dc=com"

# saw a list email that said slave should have readonly turned on, but this apparently # prevented slurpd from updating it when it was using the rootdn to connect. readonly off

password-crypt-salt-format "$1$%.8s" password-hash {CRYPT}

# lock down passwords # also provides write access for updatedn, but not sure if that is necessary access to attribute=userPassword by dn="cn=manager,dc=vindicia,dc=com" write by dn="cn=fs01_Replicator,dc=vindicia,dc=com" write by self write by anonymous auth by * none

# allow users to write some stuff access to attribute=loginShell,shadowLastChange by dn="cn=manager,dc=vindicia,dc=com" write by self write by * read

# everything else is read-only
access to *
       by dn="cn=manager,dc=vindicia,dc=com" write
       by * read
-------------------------------------

It is my understandstanding that the credentials that the master uses for the updatedn are the same as the credentials/password for the rootdn on the slave server. however, in the replica directive, they are supposed to be given in the clear, even if the rootpw on the slave is encrypted. this is what i have tried, but continue to get the following error from slurpd:

bind to fs01.sm.vindicia.com:389 as cn=fs01_Replicator,dc=vindicia,dc=com (simple) request 1 done Error: ldap_simple_bind_s for fs01.sm.vindicia.com:389 failed: Invalid credentials

Also, after much reading and searching, I am still confused as to how the TLS directives on the slave should be configured, and what certs or keys, if any, need to be present on the slave for slurpd to work over TLS. I have TLS working successfully on the master server. Any and all help would be greatly appreciated. Many thanks.

Peter Traub

Follow-Ups:
- Re: Can't replicate using updatedn
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: "dynamic" acls
Next by Date: partial replication
Index(es):
- Chronological
- Thread