[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
[solved] Re: replication and referral madness
Nevermind...I got it working (finally)
It sure is a shame that each different piece that integrates into ldap
is like another piece to the puzzle requires it's own unique solution.
Craig
On Sat, 2004-01-31 at 21:33, Craig White wrote:
> pulling my hair out trying to get everything to work - I guess there's
> something not clicking - anyway, RH AS 3 / ldap 2.0.27-11 on two
> machines - let's call them thing 1 and thing 2
>
> thing 1 - ldap master - everything works
> thing 2 - ldap slave - it seems like everything works but rej file keeps
> growing...
>
> What is the way to configure?
>
> Thing 2 ACL's - the slave...
>
> access to dn=".*,ou=People,o=Domain,c=US"
> attr=userPassword,sambaNTPassword,sambaLMPassword
> by dn="cn=root,o=Domain,c=US" read
> by dn="cn=admin,o=Domain,c=US" write
> by * auth
>
> access to dn=".*,ou=People,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" read
> by dn="cn=admin,o=Domain,c=US" write
> by * read
>
> access to dn=".*,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" read
> by dn="cn=admin,o=Domain,c=US" write
> by * read
>
> where cn=admin,o=Domain,c=US is the binddn in the replica section of the
> master.
>
> If I use it as per above (and I recognize that the line for
> dn="cn=root..." read would be handled 2 steps below but I find it easier
> to change to 'write' for testing purposes) - changes made to the master
> or slave are indeed made but I get listings in the
> /var/lib/ldap/replica/server_port.rej file anyway.
>
> If I change the above 'reads' to 'write' for the dn="cn=root...", then I
> don't get rejections
>
> What I am figuring - is that this setup on thing 2 allows me to have the
> local nsswitch/ldap.conf use the rootdn which is only allowed read
> access per acl and thus should follow the updateref to the ldap master
> for write operations. Samba 3.0 does exactly that - it works. The unix
> command of 'passwd some_ldap_user' is where things get goofy and the
> updates are obviously tracking the updateref server but still getting
> into the rejections. It's making me crazy.
>
> my ldap.conf is included here because it's small and gives some
> completeness but I can't see that it's important unless someone wants to
> tell me why my logic is faulty...
>
> host linserv1.Domain.com
> base o=Domain,c=US
> binddn o=Domain,c=US
> rootbinddn cn=root,o=Domain,c=US
> scope sub
> pam_login_attribute uid
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password md5
> nss_base_passwd ou=People,o=Domain,c=US?one
> nss_base_shadow ou=People,o=Domain,c=US?one
> nss_base_group ou=Groups,o=Domain,c=US?one
> nss_base_hosts ou=Hosts,o=Domain,c=US?one
> TLS_REQCERT allow
> ssl start_tls
>
> Thanks,
>
> Craig
>
> ps, I was thinking that since this really is a setup problem with
> referrals and replication, that this was a fair question to ask.