
Can't replicate using updatedn



Hello,

I am using OpenLDAP 2.1.25 on RH9 and have been unable to get replication working if I tell the replica directive in the master slapd.conf to connect through the updatedn on the slave server. If I set the updatedn on the slave to the same dn as the rootdn and change the master replica directive accordingly, then it works. However, as the official docs say to avoid doing this, I am attempting to go through a unique updatedn instead. The critical directives from my master slapd.conf are below:

-------------------------------------

database    bdb

suffix        "dc=vindicia,dc=com"
rootdn        "cn=manager,dc=vindicia,dc=com"
rootpw        {SSHA}foo # encrypted
password-crypt-salt-format "$1$%.8s"
password-hash    {CRYPT}

# lock down passwords
access to attribute=userPassword
       by dn="cn=manager,dc=vindicia,dc=com" write
       by self write
       by anonymous auth
       by * none

# allow users to write some stuff
access to attribute=loginShell,shadowLastChange
       by dn="cn=manager,dc=vindicia,dc=com" write
       by self write
       by * read

# everything else is read-only
access to *
       by dn="cn=manager,dc=vindicia,dc=com" write
       by * read

replica     host=fs01.sm.vindicia.com:389
           binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
           bindmethod=simple credentials=foo
           tls=yes

replogfile    /var/log/master_ldap_replog

-------------------------------------


slave slapd.conf:


-------------------------------------
database bdb

suffix          "dc=vindicia,dc=com"
rootdn          "cn=manager,dc=vindicia,dc=com"
rootpw          secret
#rootpw         {SSHA}foo # encrypted, but same as master rootpw
updatedn        "cn=fs01_Replicator,dc=vindicia,dc=com"
#updatedn       "cn=manager,dc=vindicia,dc=com"

# saw a list email that said slave should have readonly turned on, but this apparently
# prevented slurpd from updating it when it was using the rootdn to connect.
readonly off

password-crypt-salt-format "$1$%.8s"
password-hash {CRYPT}

# lock down passwords
# also provides write access for updatedn, but not sure if that is necessary
access to attribute=userPassword
       by dn="cn=manager,dc=vindicia,dc=com" write
       by dn="cn=fs01_Replicator,dc=vindicia,dc=com" write
       by self write
       by anonymous auth
       by * none

# allow users to write some stuff
access to attribute=loginShell,shadowLastChange
       by dn="cn=manager,dc=vindicia,dc=com" write
       by self write
       by * read

# everything else is read-only
access to *
       by dn="cn=manager,dc=vindicia,dc=com" write
       by * read
-------------------------------------

It is my understanding that the credentials that the master uses for the updatedn are the same as the credentials/password for the rootdn on the slave server. However, in the replica directive, they are supposed to be given in the clear, even if the rootpw on the slave is encrypted. This is what I have tried, but I continue to get the following error from slurpd:

bind to fs01.sm.vindicia.com:389 as cn=fs01_Replicator,dc=vindicia,dc=com (simple)
request 1 done
Error: ldap_simple_bind_s for fs01.sm.vindicia.com:389 failed: Invalid credentials


Also, after much reading and searching, I am still confused as to how the TLS directives on the slave should be configured, and what certs or keys, if any, need to be present on the slave for slurpd to work over TLS. I have TLS working successfully on the master server. Any and all help would be greatly appreciated. Many thanks.

Peter Traub
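As an added example, not part of the original message or of OpenLDAP itself: a Python check that reads a master slapd.conf replica directive, the slave's rootdn/updatedn and an LDIF export of the slave's data, and reports the mismatches that make slurpd's simple bind fail with "Invalid credentials". It assumes that only the rootdn can bind without an entry in the database, so any other updatedn must exist on the slave with a userPassword; the two config fragments and the LDIF are constructed samples modelled on the post.

```python
import re

def norm_dn(dn):
    # Strip quotes, whitespace around commas and case so DNs compare equal.
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def parse_slapd_conf(text):
    # slapd.conf rules: '#' starts a comment, and a line beginning with
    # whitespace continues the previous directive (multi-line replica).
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            conf[last] += " " + raw.strip()
            continue
        parts = raw.split(None, 1)
        last = parts[0].lower()
        conf[last] = parts[1].strip('"') if len(parts) > 1 else ""
    return conf

def ldif_entry(ldif, dn):
    # Return the attributes (lower-cased names) of the entry with this DN.
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines())}
        if norm_dn(attrs.get("dn", "")) == norm_dn(dn):
            return attrs
    return None

def check_replication(master_text, slave_text, slave_ldif):
    # Findings that explain an 'Invalid credentials' bind from slurpd.
    master, slave = parse_slapd_conf(master_text), parse_slapd_conf(slave_text)
    binddn = dict(re.findall(r'(\w+)="?([^"\s]*)"?', master.get("replica", ""))).get("binddn", "")
    updatedn, rootdn = slave.get("updatedn", ""), slave.get("rootdn", "")
    findings = []
    if norm_dn(binddn) != norm_dn(updatedn):
        findings.append("master binddn does not match slave updatedn")
    if norm_dn(updatedn) == norm_dn(rootdn):
        return findings + ["updatedn equals rootdn (binds with rootpw, but the docs advise against it)"]
    entry = ldif_entry(slave_ldif, updatedn)
    if entry is None:
        findings.append("updatedn has no entry on the slave; only the rootdn can bind without one")
    elif "userpassword" not in entry:
        findings.append("updatedn entry lacks userPassword, so a simple bind cannot succeed")
    return findings

# Constructed sample input modelled on the post's configs (not real data).
MASTER_CONF = 'replica host=fs01.sm.vindicia.com:389\n\tbinddn="cn=fs01_Replicator,dc=vindicia,dc=com" tls=yes'
SLAVE_CONF = 'rootdn "cn=manager,dc=vindicia,dc=com"\nupdatedn "cn=fs01_Replicator,dc=vindicia,dc=com"'
SLAVE_LDIF = "dn: dc=vindicia,dc=com\ndc: vindicia\n\ndn: cn=fs01_Replicator,dc=vindicia,dc=com\ncn: fs01_Replicator\nuserPassword: {SSHA}placeholder"
```

Running check_replication with the slave LDIF truncated to its first entry reproduces the missing-entry finding; with the replicator entry present it returns no findings.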