Re: Replication Problem
Leonard Tulipan wrote:
| Hi!
|
| First off: I am a relative LDAP newbie, so please be gentle.
|
| I managed to change an existing LDAP configuration to do replication.
| Both "server" and "client" are RedHat 7.3 with
| openldap-servers-2.0.27-2.7.3
|
| Now I also need a RedHat 9 machine (with openldap-servers-2.0.27-8 )
| to be a slave.
|
| I copied the entire /etc/openldap and /var/lib/ldap directories with
| rsync to the new machine.
Hopefully your slapd on the slave wasn't running at the time ...
|
| This is the entry in the master slapd.conf (I have a second one right
| before this one, and that one works):
| replica host=epimetheus.intern.mpwi.at:389
| binddn="cn=Manager,dc=intern,dc=mpwi,dc=at"
| bindmethod=simple credentials=PASSWORD
|
| The client/slave config looks like this:
|
| ===================
| include /etc/openldap/schema/core.schema
| include /etc/openldap/schema/cosine.schema
| include /etc/openldap/schema/nis.schema
| include /etc/openldap/schema/inetorgperson.schema
| include /etc/openldap/schema/samba.3.schema
| include /etc/openldap/schema/redhat/rfc822-MailMember.schema
| include /etc/openldap/schema/redhat/autofs.schema
| include /etc/openldap/schema/redhat/kerberosobject.schema
| include /etc/openldap/schema/qmail.schema
| include /etc/openldap/schema/rolodap.schema
| include /etc/openldap/schema/phpgwaccount.schema
| include /etc/openldap/schema/phpgwcontact.schema
| loglevel 256
| modulepath /usr/sbin/openldap
| moduleload back_ldap.la
| moduleload back_ldbm.la
| moduleload back_passwd.la
| moduleload back_shell.la
|
| access to attr=userpassword
| by self write
| by anonymous auth
| by * none
|
| access to attr=lmpassword
| by self write
| by anonymous auth
| by * none
Most likely this will not do what you want: samba cannot "auth" a user
against openldap with an lmpassword; it must read the password and then
authenticate the user itself. Also, you most likely need to allow samba
to change the password (unless your users can NTLM in their heads ...).
|
| access to attr=ntpassword
| by self write
| by anonymous auth
| by * none
|
Same applies as to lmpassword.
| access to *
| by self write
| by dn=".+" read
Why not use "by users read", it does the same ...
| by * read
|
| access to attr=ntpassword
| by self write
| by anonymous auth
| by * none
|
| access to *
| by self write
| by dn=".+" read
| by * read
|
| database ldbm
| suffix "dc=intern,dc=mpwi,dc=at"
| rootdn "cn=Manager,dc=intern,dc=mpwi,dc=at"
| rootpw PASSWORD
| directory /var/lib/ldap
| index objectClass,uid,uidNumber,gidNumber,memberUid eq
| index cn,mail,surname,givenname eq,subinitial
You probably want to index some samba attributes as well, especially
sambaSID
|
| updatedn "cn=Manager,dc=intern,dc=mpwi,dc=at"
| referral master://ldap.intern.mpwi.at
This should be:
updateref "ldap://ldap.intern.mpwi.at"
| Now, whatever that means, when the master server is down, I can still
| browse the working replication, but when I look at this second one it
| ALWAYS needs to connect to the master (hence it is not really a useful
| backup).
Regards,
Buchan
--
Buchan Milne, Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
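As an added example (not part of this thread and not an OpenLDAP tool), a small Python linter that flags the slave-config problems Buchan points out, run over a constructed excerpt of Leonard's slapd.conf: the bogus `referral master://` in place of `updateref`, the `by dn=".+"` clause that `by users` already covers, and password-attribute ACLs that leave no DN other than `self` able to read the hash. The attribute names and the single-clause-per-line layout are assumptions about the file format.

```python
import re

# Constructed excerpt of the slave slapd.conf discussed in the thread.
SAMPLE_CONF = """\
access to attr=lmpassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by dn=".+" read
    by * read

database ldbm
suffix "dc=intern,dc=mpwi,dc=at"
updatedn "cn=Manager,dc=intern,dc=mpwi,dc=at"
referral master://ldap.intern.mpwi.at
"""

def parse_acls(conf):
    """Return [(what, [(who, access), ...]), ...] for each 'access to' stanza.
    Assumes one 'by' clause per line, as in the posted config."""
    acls, current = [], None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            current = (line[len("access to "):].strip(), [])
            acls.append(current)
        elif current is not None and line.startswith("by "):
            who, _, access = line[3:].rpartition(" ")
            current[1].append((who, access))
        else:
            current = None  # any other directive ends the ACL stanza
    return acls

def lint(conf):
    """Return a list of findings (strings); empty means nothing flagged."""
    findings = []
    if re.search(r"^updatedn\s", conf, re.M) and not re.search(r"^updateref\s", conf, re.M):
        findings.append("updatedn set without updateref: writes cannot be referred to the master")
    if re.search(r"^referral\s+master://", conf, re.M):
        findings.append("'referral master://...' is not a URL; use updateref \"ldap://host\"")
    for what, clauses in parse_acls(conf):
        for who, access in clauses:
            if who == 'dn=".+"':
                findings.append(f'{what}: by dn=".+" {access} is the same as: by users {access}')
        if what in ("attr=lmpassword", "attr=ntpassword"):
            if not any(a in ("read", "write") and w != "self" for w, a in clauses):
                findings.append(f"{what}: only self can read it; samba needs a DN with read/write")
    return findings
```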