Lee Jensen wrote:
On the fear of sounding like an idiot: it didn't work. I have the following missing in my understanding:
>>Do both provider and consumer have the same name?
>>I'm using SSL start_tls, but the consumer has its cacert that it passes to its clients and the provider has its own. Do I make one cacert that will work on both?
I've never configured SSL/TLS for openldap and don't know what implications or configuration changes are required to use it with syncrepl. Someone else may better be able to answer this.
>>And the binddn "slave_reader" has the bind password in the slapd.conf, but the updatedn doesn't, so how is it going to bind and update?
I wondered this myself. I assume that because syncrepl actually runs inside the server daemon and the updatedn is configured from within the slapd.conf it's considered safe. So the syncrepl part of the daemon just uses that as the dn which is making mods for internal calls to check permissions to modify objects.
If it's not working perhaps you could enable some trace debugging and send that to the list. "It's not working" doesn't provide a great deal of information to go off of. It could be SSL related however. You may need to alter your provider configuration for the provider or something.
Do you have at least the master running with clients able to connect etc using SSL? Perhaps you should break it down. Make sure SSL is configured and working properly and then set up syncrepl. Or in reverse set up syncrepl and test it out then enable SSL and realize you'll probably need to modify the config a little.
Lee
>>And I believe this line "limits dn.exact="cn=slave_writer,dc=directory,dc=com" size=unlimited time=unlimited" doesn't work on my version of openldap (slapd 2.2.13). Does this line matter much or not?
This is my simple ACL in the master slapd.conf:
access to *
    by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
    by * none break
access to attr=userPassword
    by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
    by * read
And this is the ACL in the slave slapd.conf:
access to *
    by dn.exact="cn=writer,dc=yyy,dc=mycompany,dc=com" write stop
    by * none break
access to attr=userPassword
    by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
    by * read
And the syncrepl directive in the slave is:
syncrepl rid=1
provider=ldap://zlato.batelco.jo:389
type=refreshOnly
interval=00:01:00:00
searchbase="dc=xxx,dc=mycompany,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
updatedn="cn=writer,dc=yyy,dc=mycompany,dc=com"
bindmethod=simple
binddn="cn=reader,dc=xxx,dc=mycompany,dc=com"
credentials=slave_reader_password
starttls=yes
updateref ldap://xxx.mycompany.com
I can't seem to make it work.
Thanks.
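Before blaming TLS, it is worth confirming that the two ACL sets above actually grant what the syncrepl setup needs: the binddn "cn=reader,..." must get read on the provider (including userPassword, if password hashes are to be replicated), and the updatedn "cn=writer,..." must get write on the consumer. The following is an added example written for this thread, not code from the poster or from OpenLDAP. It is a deliberately simplified model of slapd's ACL evaluation (first "access to" directive whose target matches is used, "by" clauses are checked in order, "stop" is the default control, "break" moves on to the next directive with the privilege granted so far, "continue" keeps checking later "by" clauses). Assumptions: dn="..." is treated like dn.exact="...", only the "*" and attr(s)=<name> targets are understood, and a directive that matches the target but has no matching "by" clause yields "none". The two ACL texts are copied from the post; the entry DN "uid=bob,..." is a constructed sample.

```python
"""Simplified evaluator for slapd.conf ACLs (added example, not OpenLDAP code)."""
import shlex

# slapd privilege levels in increasing order; a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# ACLs as posted in the thread: provider (master) and consumer (slave).
MASTER_ACL = """
access to *
    by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
    by * none break
access to attr=userPassword
    by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
    by * read
"""

SLAVE_ACL = """
access to *
    by dn.exact="cn=writer,dc=yyy,dc=mycompany,dc=com" write stop
    by * none break
access to attr=userPassword
    by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
    by * read
"""


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acls(text):
    """Split ACL text into directives: {'target': ..., 'by': [(who, level, control)]}."""
    tokens = shlex.split(text)  # shlex strips the quotes around DNs
    directives, i = [], 0
    while i < len(tokens):
        if tokens[i] == "access" and i + 2 < len(tokens) and tokens[i + 1] == "to":
            directives.append({"target": tokens[i + 2], "by": []})
            i += 3
        elif tokens[i] == "by" and directives and i + 2 < len(tokens):
            who, level = tokens[i + 1], tokens[i + 2]
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            i += 3
            control = "stop"  # slapd's default control after a matching <by>
            if i < len(tokens) and tokens[i] in ("stop", "break", "continue"):
                control, i = tokens[i], i + 1
            directives[-1]["by"].append((who, level, control))
        else:
            raise ValueError("unexpected token %r at position %d" % (tokens[i], i))
    return directives


def target_matches(target, attr):
    """Only '*' and attr=/attrs=<name> targets are modelled (assumption)."""
    if target == "*":
        return True
    if target.lower().startswith(("attr=", "attrs=")):
        return attr is not None and attr.lower() == target.split("=", 1)[1].lower()
    raise ValueError("unsupported target %r" % target)


def who_matches(who, bind_dn, entry_dn):
    """Match a <who> clause; dn= is treated as dn.exact= (assumption)."""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and normalize_dn(bind_dn) == normalize_dn(entry_dn)
    for prefix in ("dn.exact=", "dn="):
        if who.startswith(prefix):
            return bool(bind_dn) and normalize_dn(bind_dn) == normalize_dn(who[len(prefix):])
    raise ValueError("unsupported <who> clause %r" % who)


def effective_access(acl_text, bind_dn, entry_dn, attr=None):
    """Return the privilege level bind_dn gets on attr of entry_dn under acl_text."""
    granted = "none"
    for directive in parse_acls(acl_text):
        if not target_matches(directive["target"], attr):
            continue
        any_matched = False
        for who, level, control in directive["by"]:
            if not who_matches(who, bind_dn, entry_dn):
                continue
            any_matched, granted = True, level
            if control == "stop":
                return granted
            if control == "break":
                break  # fall through to the next access directive
            # "continue": keep examining the remaining <by> clauses
        else:
            return granted if any_matched else "none"
    return granted


def has_at_least(acl_text, bind_dn, entry_dn, attr, required):
    return LEVELS.index(effective_access(acl_text, bind_dn, entry_dn, attr)) >= LEVELS.index(required)


def check_syncrepl_identities(entry_dn="uid=bob,dc=xxx,dc=mycompany,dc=com"):
    """The two checks the thread's setup depends on (entry DN is a constructed sample)."""
    reader, writer = "cn=reader,dc=xxx,dc=mycompany,dc=com", "cn=writer,dc=yyy,dc=mycompany,dc=com"
    return {
        "binddn_can_read_provider": has_at_least(MASTER_ACL, reader, entry_dn, "userPassword", "read"),
        "updatedn_can_write_consumer": has_at_least(SLAVE_ACL, writer, entry_dn, "userPassword", "write"),
        "anonymous_read_on_provider_cn": effective_access(MASTER_ACL, None, entry_dn, "cn"),
    }


if __name__ == "__main__":
    for name, value in check_syncrepl_identities().items():
        print("%-32s %s" % (name, value))
```

Note what the trace shows about the posted ACLs: because "access to *" comes first, the reader identity gets read on userPassword as well (the directive for that attribute is only reached through the "by * none break" clause), and anonymous clients get read on every other attribute through the final "by * read". Whether that is intended is a policy question, but the ACL checker makes it visible before you go looking for a TLS or syncrepl fault.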