[Date Prev][Date Next] [Chronological] [Thread] [Top]

troubles with replication using sync-repl



Hello.

I'm having troubles with replication using sync-repl.

I first configured my provider and consumer servers as explained on
http://www.openldap.org/doc/admin22/syncrepl.html.

Additional directives for the provider:
# replication management
sessionlog      001 500

Additional directives for the consumer:
access to dn.subtree="dc=village,dc=inria,dc=fr" attrs=userPassword
    by dn="cn=replicator,dc=village,dc=inria,dc=fr" write
    by anonymous auth
    by * read

access to dn.subtree="dc=village,dc=inria,dc=fr"
    by dn="cn=replicator,dc=village,dc=inria,dc=fr" write
    by * read

syncrepl rid=001
    provider=ldaps://yquem.inria.fr
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=village,dc=inria,dc=fr"
    scope=sub
    schemachecking=off
    updatedn="cn=replicator,dc=village,dc=inria,dc=fr"
    bindmethod=simple
    binddn="cn=replicator,dc=village,dc=inria,dc=fr"
    credentials=*****

Additional LDAP entry:
dn: cn=replicator,dc=village,dc=inria,dc=fr
description: LDAP replicator
cn: replicator
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: ****

I then restarted the provider, and started the consumer, expecting from
my documentation understanding than synchronisation would take place
automatically... but nothing happened.

I then manually exported and imported provider content into consumer,
with slapcat/slapadd, and started consumer with explicit cookie (-c
sid=001,rid=001). Explicit index access errors lead me to add an
additional entryUUID index directive in the consumer configuration:
index entryUUID eq

The error message disapeard, and I now have consumer's request in the
provider's log:
[[5~Apr 12 15:26:59 yquem slapd[32057]: conn=16 fd=20 ACCEPT from
IP=128.93.8.193:33297 (IP=0.0.0.0:636)
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=0 BIND
dn="cn=replicator,dc=village,dc=inria,dc=fr" method=128
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=0 BIND
dn="cn=replicator,dc=village,dc=inria,dc=fr" mech=SIMPLE ssf=0
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=0 RESULT tag=97 err=0 text=
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=1 SRCH
base="dc=village,dc=inria,dc=fr" scope=2 deref=0 filter="(objectClass=*)"
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=1 SRCH attr=* +
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Apr 12 15:26:59 yquem slapd[32057]: conn=16 op=2 UNBIND

The first request on startup returns 308 entries, the following 0, which
seems to prove synchronisation is working as expected. However, neither
new entries nor modification appears in my consumer server :/

The only information I found using a loglevel of -1 was some curious
references to wrong ACLs denying write access:
Apr 11 18:40:27 julien slapd[8154]: => acl_mask: access to entry
"ou=users,dc=village,dc=inria,dc=fr", attr "children" requested
Apr 11 18:40:27 julien slapd[8154]: => acl_mask: to all values by "", (=0)
Apr 11 18:40:27 julien slapd[8154]: <= check a_dn_pat:
cn=replicator,dc=village,dc=inria,dc=fr
Apr 11 18:40:27 julien slapd[8154]: <= check a_dn_pat: *
Apr 11 18:40:27 julien slapd[8154]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Apr 11 18:40:27 julien slapd[8154]: <= acl_mask: [2] mask: read(=rscxd)
Apr 11 18:40:27 julien slapd[8154]: => access_allowed: add access denied
by read(=rscxd)
Apr 11 18:40:27 julien slapd[8154]: bdb_add: no write access to parent
Apr 11 18:40:27 julien slapd[8154]: send_ldap_result: conn=-1 op=0 p=3
Apr 11 18:40:27 julien slapd[8154]: send_ldap_result: err=50 matched=""
text="no write access to parent"
Apr 11 18:40:27 julien slapd[8154]: bdb_modify: dc=village,dc=inria,dc=fr
Apr 11 18:40:27 julien slapd[8154]:
bdb_dn2entry("dc=village,dc=inria,dc=fr")
Apr 11 18:40:27 julien slapd[8154]: bdb_modify_internal: 0x00000001:
dc=village,dc=inria,dc=fr
Apr 11 18:40:27 julien slapd[8154]: acl: no-user-mod contextCSN: modify
access granted

However, my updatedn is supposed to have write access everywhere beneath
the root (included). I also checked it had read access anywhere in the
consumer by manual searches.

The provider has version 2.2.23, running on debian stable i586, while
the consumer has version 2.3.6, running on mandriva 2006.0 x86_64.