
Re: SyncRepl - no write access

--On Friday, January 07, 2005 3:12 PM +0100 Turbo Fredriksson <turbo@bayour.com> wrote:

Quoting Quanah Gibson-Mount <quanah@stanford.edu>:

updatedn="cn=Manager,dc=stanford,dc=edu"

What's this? Is this specified with 'root{dn,pw}' on the provider? Does it exist (with 'userPassword: {xxx}') in the DB? Can it be 'kerberized'?

It matches my rootdn on the replica so that the syncRepl thread can make updates to the database without requiring any ACL permissions to the DB.



I ask because no matter what I do, the consumer can't update its database (it tries to write as anonymous).


On the provider I kinit as 'ldap/provider' and then I start the provider slapd, modify (as myself) an attribute in the 'o=Bortheiry,c=SE' object.

On the consumer I kinit as 'ldap/consumer-1'. After starting the consumer slapd, I get the following output (slapd w/ '-d 384'):

This doesn't make any sense, if you are using syncRepl, since the master doesn't talk to the consumer when using syncRepl. I would hazard a guess that your mix of slurpd and syncRepl is confusing things.


--Quanah

CONSUMER
----- s n i p -----
sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
            ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM
# the included ACL file is also at http://www.bayour.com/slapd.access.txt
include     /etc/ldap/slapd.access
access to *
            by group.base="cn=Replicators,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
            by dn.exact="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
            by aci write
syncrepl    rid=1
            provider=ldaps://pumba.bayour.com
            type=refreshAndPersist
            searchbase="c=SE"
            filter="(objectClass=*)"
            scope=sub
            attrs="*"
            schemachecking=off
            updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            binddn="cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            bindmethod=sasl
            saslmech=GSSAPI
            realm=BAYOUR.COM
            authcId=ldap/consumer-1
updateref   ldaps://pumba.bayour.com
----- s n i p -----

I think you are confused here.

Your syncrepl statement is missing the updatedn clause, which I would make the same as your rootdn. This is probably where your issue is coming in from. You also don't need to specify the attrs bit if you want it to do all updates. Also, you are missing all the SASL bind statements. Please look at my syncrepl entry for my replica:

syncrepl        rid=0
                provider=ldap://MASTERALIAS.stanford.edu:389
                updatedn="cn=Manager,dc=stanford,dc=edu"
                binddn="cn=HOSTNAME,cn=ldap,cn=operational,dc=stanford,dc=edu"
                bindmethod=sasl
                saslmech=gssapi
                searchbase="dc=stanford,dc=edu"
                authcId=ldap/HOSTNAME.stanford.edu@stanford.edu
                realm=stanford.edu
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
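The point Quanah makes above is that the consumer's syncrepl `updatedn` should be the consumer's own `rootdn`, so that replicated writes are applied with an identity that bypasses the ACLs; when `updatedn` is some other DN (or missing), the writes are subject to `access` rules and fail the way Turbo describes. The following script is an added example, not code from the thread or from OpenLDAP: it joins slapd.conf continuation lines, pulls out `rootdn` and every `syncrepl` stanza per database section, and reports stanzas whose `updatedn` is missing or differs from the `rootdn`. The sample config is constructed from the consumer snippet above; the `rootdn` value `cn=admin,o=Bayour.COM,c=SE` is an assumption (the page never shows Turbo's rootdn), DN comparison is a deliberately simplified normalisation rather than full RFC 4514 matching, and the script reads a single file (it does not follow `include` directives).

```python
"""Lint a slapd.conf consumer for the syncrepl updatedn != rootdn mismatch.

Added example for the thread above; not OpenLDAP code. Assumptions: single
file (includes are not followed), simplified DN normalisation, and the
rootdn in the sample below is invented (the thread does not show it).
"""
import re
import sys


def _logical_lines(text):
    """Join slapd.conf continuation lines: a line starting with whitespace
    continues the previous directive. Blank lines and '#' comments are dropped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def normalize_dn(dn):
    """Lowercase and strip whitespace around RDN separators (assumption:
    good enough for hand-written configs; real DN matching is RFC 4514)."""
    parts = [p.strip() for p in dn.strip().strip('"').split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts)


def parse_syncrepl(rest):
    """Turn 'rid=1 provider=... updatedn="..." ...' into a dict (keys lowercased)."""
    params = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', rest):
        params[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return params


def check_consumer(conf_text):
    """Return a list of findings; an empty list means no problem was found."""
    sections = [{"rootdn": None, "syncrepl": []}]  # global section first
    for line in _logical_lines(conf_text):
        parts = re.split(r"\s+", line, 1)
        kw, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if kw == "database":          # each database has its own rootdn
            sections.append({"rootdn": None, "syncrepl": []})
        elif kw == "rootdn":
            sections[-1]["rootdn"] = rest.strip('"')
        elif kw == "syncrepl":
            sections[-1]["syncrepl"].append(parse_syncrepl(rest))
    findings = []
    for sec in sections:
        for s in sec["syncrepl"]:
            rid, rootdn, updatedn = s.get("rid", "?"), sec["rootdn"], s.get("updatedn")
            if rootdn is None:
                findings.append(f"rid={rid}: syncrepl in a database without a rootdn")
            elif updatedn is None:
                findings.append(f"rid={rid}: updatedn missing; set it to rootdn {rootdn!r}")
            elif normalize_dn(updatedn) != normalize_dn(rootdn):
                findings.append(f"rid={rid}: updatedn {updatedn!r} != rootdn {rootdn!r}; "
                                "replicated writes will be subject to ACLs")
            if s.get("bindmethod", "").lower() == "sasl" and not s.get("saslmech"):
                findings.append(f"rid={rid}: bindmethod=sasl without saslmech")
    return findings


# Constructed sample modelled on the consumer snippet in the thread; the
# rootdn value is an assumption, not something shown on the page.
BROKEN_CONF = """\
database    bdb
suffix      "c=SE"
rootdn      "cn=admin,o=Bayour.COM,c=SE"
syncrepl    rid=1
            provider=ldaps://pumba.bayour.com
            type=refreshAndPersist
            searchbase="c=SE"
            updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            binddn="cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            bindmethod=sasl
            saslmech=GSSAPI
            realm=BAYOUR.COM
            authcId=ldap/consumer-1
updateref   ldaps://pumba.bayour.com
"""

# The same config with updatedn set to the rootdn, as Quanah recommends.
FIXED_CONF = BROKEN_CONF.replace(
    'updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"',
    'updatedn="cn=admin,o=Bayour.COM,c=SE"')

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for finding in check_consumer(text) or ["ok: updatedn matches rootdn"]:
        print(finding)
```

Run it as `python check_updatedn.py /etc/ldap/slapd.conf` to lint a real consumer config, or without arguments to see the finding against the constructed sample. The per-database grouping matters because `rootdn` is a per-database directive: a `syncrepl` stanza is compared only against the `rootdn` of the `database` section it sits in.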