Can't replicate using updatedn
Hello,
I am using OpenLDAP 2.1.25 on RH9 and have been unable to get
replication working if I tell the replica directive in the master
slapd.conf to connect through the updatedn on the slave server. If I set
the updatedn on the slave to the same dn as the rootdn and change the
master replica directive accordingly, then it works. However, as the
official docs say to avoid doing this, I am attempting to go through a
unique updatedn instead. The critical directives from my master
slapd.conf are below:
-------------------------------------
database bdb
suffix "dc=vindicia,dc=com"
rootdn "cn=manager,dc=vindicia,dc=com"
rootpw {SSHA}foo # encrypted
password-crypt-salt-format "$1$%.8s"
password-hash {CRYPT}
# lock down passwords
access to attribute=userPassword
        by dn="cn=manager,dc=vindicia,dc=com" write
        by self write
        by anonymous auth
        by * none
# allow users to write some stuff
access to attribute=loginShell,shadowLastChange
        by dn="cn=manager,dc=vindicia,dc=com" write
        by self write
        by * read
# everything else is read-only
access to *
        by dn="cn=manager,dc=vindicia,dc=com" write
        by * read
replica host=fs01.sm.vindicia.com:389
        binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
        bindmethod=simple credentials=foo
        tls=yes
replogfile /var/log/master_ldap_replog
-------------------------------------
slave slapd.conf:
-------------------------------------
database bdb
suffix "dc=vindicia,dc=com"
rootdn "cn=manager,dc=vindicia,dc=com"
rootpw secret
#rootpw {SSHA}foo # encrypted, but same as master rootpw
updatedn "cn=fs01_Replicator,dc=vindicia,dc=com"
#updatedn "cn=manager,dc=vindicia,dc=com"
# saw a list email that said slave should have readonly turned on, but this apparently
# prevented slurpd from updating it when it was using the rootdn to connect.
readonly off
password-crypt-salt-format "$1$%.8s"
password-hash {CRYPT}
# lock down passwords
# also provides write access for updatedn, but not sure if that is necessary
access to attribute=userPassword
        by dn="cn=manager,dc=vindicia,dc=com" write
        by dn="cn=fs01_Replicator,dc=vindicia,dc=com" write
        by self write
        by anonymous auth
        by * none
# allow users to write some stuff
access to attribute=loginShell,shadowLastChange
        by dn="cn=manager,dc=vindicia,dc=com" write
        by self write
        by * read
# everything else is read-only
access to *
        by dn="cn=manager,dc=vindicia,dc=com" write
        by * read
-------------------------------------
It is my understanding that the credentials that the master uses
for the updatedn are the same as the credentials/password for the rootdn
on the slave server. However, in the replica directive, they are
supposed to be given in the clear, even if the rootpw on the slave is
encrypted. This is what I have tried, but continue to get the following
error from slurpd:
bind to fs01.sm.vindicia.com:389 as
cn=fs01_Replicator,dc=vindicia,dc=com (simple)
request 1 done
Error: ldap_simple_bind_s for fs01.sm.vindicia.com:389 failed: Invalid
credentials
Also, after much reading and searching, I am still confused as to how
the TLS directives on the slave should be configured, and what certs or
keys, if any, need to be present on the slave for slurpd to work over
TLS. I have TLS working successfully on the master server. Any and all
help would be greatly appreciated. Many thanks.
Peter Traub
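An added worked example, not part of Peter's post and not OpenLDAP project code. It shows the check a reviewer would run over the two slapd.conf fragments above before looking anywhere else: rootpw only ever authenticates the rootdn, so a separate updatedn has to exist as a real entry in the slave's database with its own userPassword, and the replica directive's credentials= value is that entry's cleartext password. The script parses constructed copies of the two configs (multi-line directives re-indented, since slapd.conf treats a line that starts with whitespace as a continuation of the previous directive), confirms the master's binddn matches the slave's updatedn, lists the ACL scopes that do not explicitly grant the updatedn write (the question the slave config's own comment leaves open), and emits the LDIF for the replicator entry with an {SSHA} userPassword. The objectClass choice (organizationalRole plus simpleSecurityObject) is an assumption of this example, as is the four-byte salt length.

```python
import base64
import hashlib
import os
import re

# Constructed from the post's master slapd.conf (only the directives checked here).
MASTER_CONF = """\
rootdn "cn=manager,dc=vindicia,dc=com"
replica host=fs01.sm.vindicia.com:389
        binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
        bindmethod=simple credentials=foo
        tls=yes
"""

# Constructed from the post's slave slapd.conf.
SLAVE_CONF = """\
rootdn "cn=manager,dc=vindicia,dc=com"
updatedn "cn=fs01_Replicator,dc=vindicia,dc=com"
access to attribute=userPassword
        by dn="cn=manager,dc=vindicia,dc=com" write
        by dn="cn=fs01_Replicator,dc=vindicia,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attribute=loginShell,shadowLastChange
        by dn="cn=manager,dc=vindicia,dc=com" write
        by self write
        by * read
access to *
        by dn="cn=manager,dc=vindicia,dc=com" write
        by * read
"""


def logical_lines(conf):
    """Join continuation lines (leading whitespace) and drop comments and blanks."""
    lines = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_conf(conf):
    """Pull out rootdn, updatedn, replica directives and ACL clauses."""
    info = {"rootdn": None, "updatedn": None, "replicas": [], "acls": []}
    for line in logical_lines(conf):
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key in ("rootdn", "updatedn"):
            info[key] = rest.strip().strip('"')
        elif key == "replica":
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
            info["replicas"].append({k: v.strip('"') for k, v in pairs})
        elif key == "access":
            what = re.match(r"to\s+(.*?)\s+by\s", rest).group(1)
            by = re.findall(r'by\s+(dn="[^"]*"|\S+)\s+(\S+)', rest)
            info["acls"].append((what, by))
    return info


def requires_entry(slave):
    """True when the updatedn is not the rootdn, so rootpw cannot cover its bind."""
    return bool(slave["updatedn"]) and slave["updatedn"] != slave["rootdn"]


def check_replication(master, slave):
    """Return findings as strings; an empty list means nothing to fix."""
    findings = []
    updatedn = slave["updatedn"]
    for rep in master["replicas"]:
        binddn = rep.get("binddn")
        if binddn != updatedn:
            findings.append(f"replica binddn {binddn!r} differs from slave updatedn {updatedn!r}")
        if binddn == slave["rootdn"]:
            findings.append("replica binds as the slave rootdn; use a dedicated updatedn")
    # ACL scopes that do not name the updatedn with write: review each one deliberately.
    for what, by in slave["acls"]:
        if not any(who == f'dn="{updatedn}"' and level == "write" for who, level in by):
            findings.append(f"ACL 'to {what}' does not grant {updatedn} write")
    return findings


def ssha_hash(password, salt=None):
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt  # 4-byte salt is an assumption
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    """Check a cleartext password against a {SSHA} value (what the slave does on bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def replicator_ldif(dn, password):
    """LDIF for the updatedn entry the slave needs before the master can bind as it."""
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    return "\n".join([
        f"dn: {dn}",
        "objectClass: organizationalRole",     # assumption: MUST cn
        "objectClass: simpleSecurityObject",   # assumption: MUST userPassword
        f"{rdn_attr}: {rdn_value}",
        "description: replication account used by slurpd on the master",
        f"userPassword: {ssha_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    master, slave = parse_conf(MASTER_CONF), parse_conf(SLAVE_CONF)
    for finding in check_replication(master, slave):
        print("finding:", finding)
    if requires_entry(slave):
        print(replicator_ldif(slave["updatedn"], master["replicas"][0]["credentials"]))
```

Load the generated LDIF into the slave with slapadd while slapd is stopped, or with ldapadd bound as the slave's rootdn, and add the same entry on the master so later replication does not try to create it a second time. Before restarting slurpd, reproduce its bind by hand: an ldapsearch against the slave with `-x -D "cn=fs01_Replicator,dc=vindicia,dc=com" -W` and the credentials= value either returns a base entry or the same "Invalid credentials", which separates a missing or mismatched entry from a slurpd or TLS problem.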