Syncrepl Problems for Attribute-Value Pair host=*
Hello,
I'm having a little syncrepl problem here. OL version is 2.3.13 + bdb
4.2.52 with 4 patches + OL transactions patch (is it still needed?).
We have a master server filled with mostly POSIX account and group data.
I was experimenting to set up a slave slapd on a UNIX client which should
only contain POSIX accounts that are actually allowed to login on that
client (which is defined through the host attribute).
So I set up a syncrepl slapd on that machine with a filter directive that
replicates all posix groups and all accounts which are allowed to login
along with the dc's and ou's needed to reflect the posix information
appropriately:
syncrepl rid=999
    provider=ldap://<master ip>
    type=refreshAndPersist
    interval=00:00:00:10
    retry="60 10 300 +"
    searchbase="dc=o2online,dc=de"
    filter="(|(objectclass=dcobject)(objectclass=organizationalunit)(objectclass=posixgroup)(&(objectclass=posixaccount)(host=\\*))(&(objectclass=posixaccount)(host=<hostname>)))"
    scope=sub
    attrs="*,+"
    schemachecking=on
    starttls=critical
    binddn="<bind dn>"
    credentials=<password>
I added a few test users of this kind to the directory:
dn: uid=test,ou=People,dc=o2online,dc=de
cn: TestO Steron
gecos: TestO Steron
loginShell: /bin/bash
homeDirectory: /home/test
shadowWarning: 7
shadowInactive: -1
shadowFlag: 0
shadowMin: 0
shadowMax: 40
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
uid: test
gidNumber: 20000
uidNumber: 10099
shadowLastChange: 13056
sshPublicKey: ssh-rsa...
userPassword: {SSHA}...
shadowExpire: 99999
host: * (or host: <hostname>)
The first thing I stumbled upon was the fact that I had to escape the "*"
twice in the syncrepl's filter directive as opposed to only once when using
ldapsearch.
But the real troublemaker is the "host: *" part in the above LDIF. When I
completely remove the "host: *" attribute from a user entry on the master
it doesn't get deleted on the slave, whereas this works perfectly fine
when removing "host: <hostname>" from an entry. On the other hand, when
modifying "host: *" to something like "host: <not the slave's hostname>",
the entry gets removed on the slave.
So apparently syncrepl doesn't handle attribute-value pairs of the type
<attribute>=* properly if used in a syncrepl filter directive.
Any ideas?
Kind regards and thanks for any help
Michael Heep
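
Added example, not part of the original post and not OpenLDAP code: a Python sketch of how a host assertion is interpreted when "*" is written as the RFC 4515 hex escape \2a (literal asterisk) versus left bare (presence test), and which accounts each form would select for a client replica. The hostname "client1" and the sample entries are constructed; only presence and equality matching are modelled, and the sketch does not reproduce or diagnose the deletion behaviour described above.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")

def escape_filter_value(value):
    """Escape a literal string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def classify(assertion):
    """Return (kind, literal) for the value part of an 'attr=value' filter item."""
    if assertion == "*":
        return ("presence", None)          # (host=*) means "has any host value"
    # Any '*' still visible once hex escapes are removed is a wildcard.
    if "*" in _HEX_ESCAPE.sub("", assertion):
        return ("substring", None)
    literal = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), assertion)
    return ("equality", literal)

def host_matches(assertion, host_values):
    """Evaluate (host=<assertion>) against one entry's host values."""
    kind, literal = classify(assertion)
    if kind == "presence":
        return bool(host_values)
    if kind == "equality":
        # host uses case-insensitive matching
        return literal.lower() in (v.lower() for v in host_values)
    raise ValueError("substring assertions are not handled in this sketch")

def replicated_accounts(entries, hostname, wildcard_assertion):
    """uids selected by (|(host=<wildcard_assertion>)(host=<hostname>))."""
    own = escape_filter_value(hostname)
    return sorted(uid for uid, hosts in entries.items()
                  if host_matches(wildcard_assertion, hosts)
                  or host_matches(own, hosts))

# Constructed sample directory: uid -> values of the host attribute.
ENTRIES = {"test": ["*"], "alice": ["client1"], "bob": ["otherbox"], "carol": []}

if __name__ == "__main__":
    # Literal asterisk: only "host: *" and "host: client1" accounts are selected.
    print(replicated_accounts(ENTRIES, "client1", escape_filter_value("*")))
    # Bare asterisk: every account with any host value is selected.
    print(replicated_accounts(ENTRIES, "client1", "*"))
```

If the escaping is lost anywhere between the configuration file and the filter parser, the replica silently receives accounts that were never meant to log in on that client, so comparing the replica's contents against the intended filter is a worthwhile check.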