Re: Cannot replicate userPassword?
Quanah Gibson-Mount wrote:
>
>
> --On January 2, 2008 2:22:20 PM +0100 Pierangelo Masarati
> <ando@sys-net.it> wrote:
>
>> According to the configuration files posted, the user
>> "cn=admin,dc=ipodion,dc=at" is used as binddn by the consumer, but it is
>> the rootdn on the producer, so it can read all values (the real,
>> harmless error is that there's no point in authorizing access for the
>> rootdn: it has unlimited access privileges). Local writes by syncrepl
>> are performed with the local rootdn's identity, so there's no point in
>> authorizing them either.
>
> Hm, I thought at least at one point in time, syncrepl used the identity
> it bound as to make the updates in the local DB, but I guess not. Maybe
> that was just a holdover in my ACL files from when I used slurpd.
I recall something similar: at some point, syncrepl switched to using
the consumer database's rootdn. However, the only mention of something
related to syncrepl and rootdn I could find in CHANGES was in 2.3.25, so
it should already be in the version in use. What I believe is most
likely is that at some point replication was initiated with an identity
that couldn't read userPassword; eventually the ACL about userPassword
was broadened, but the database was not re-sync'ed. In any case, the
configuration files posted in the original message worked with 2.3.40.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
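The failure mode discussed in this thread, a consumer identity that cannot read userPassword on the producer and therefore replicates entries silently missing that attribute, is easy to model. The following is an added illustration written for this page, not OpenLDAP code: it implements a deliberately small subset of slapd ACL evaluation (only "to attrs=..."/"to *" and "by dn.exact=...", "by self", "by anonymous", "by *", with first-matching-clause semantics and an ACL bypass for the rootdn) and shows what a consumer binding as three different identities would receive. The suffix dc=example,dc=com, the identities cn=admin, cn=replicator and cn=reader, the hash value, and the rule that an unmatched attribute is denied are all constructed assumptions for the example.

```python
"""Simplified model of how a syncrepl producer's ACLs shape what a consumer receives.

Added example, not OpenLDAP code. Only a small subset of slapd ACL syntax is
understood; all DNs, suffixes and values below are constructed for illustration.
"""
import re

# Access levels in increasing order of privilege (a subset of slapd's).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed producer configuration: the replication identity is a dedicated
# account that is explicitly granted read on userPassword, not the rootdn.
ROOTDN = "cn=admin,dc=example,dc=com"
ACL = """
access to attrs=userPassword by dn.exact="cn=replicator,dc=example,dc=com" read by self write by anonymous auth by * none
access to * by * read
"""
ENTRIES = {  # constructed producer content; the hash is a placeholder string
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "userPassword": "{SSHA}constructed-placeholder-not-a-real-hash",
    },
}


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' lines into (what, [(who, level), ...])."""
    clauses = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("access to "):
            continue
        head, *by_parts = re.split(r"\s+by\s+", line[len("access to "):])
        bys = []
        for part in by_parts:
            who, level = part.rsplit(None, 1)  # last token is the access level
            bys.append((who.strip(), level))
        clauses.append((head.strip(), bys))
    return clauses


def who_matches(who, requester_dn, target_dn):
    """Match a <who> term; requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.exact="([^"]*)"', who)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> in this model: " + who)


def what_matches(what, attr):
    """Match a <what> term against an attribute name (only attrs=... and * are modelled)."""
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(\S+)", what)
    if m:
        return attr.lower() in [a.lower() for a in m.group(1).split(",")]
    raise ValueError("unsupported <what> in this model: " + what)


def can_read(clauses, rootdn, requester_dn, target_dn, attr):
    """True if requester_dn may read attr of target_dn. The rootdn bypasses ACLs entirely."""
    if requester_dn is not None and requester_dn.lower() == rootdn.lower():
        return True
    for what, bys in clauses:
        if not what_matches(what, attr):
            continue
        # The first clause whose <what> matches is authoritative; within it the
        # first matching <by> decides, and no match means an implicit 'by * none'.
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index("read")
        return False
    return False  # assumption for this model: nothing matched, treat as denied


def replicate(clauses, rootdn, binddn, entries):
    """Model the consumer's copy: the producer returns only attributes binddn may read."""
    copy = {}
    for dn, attrs in entries.items():
        copy[dn] = {a: v for a, v in attrs.items() if can_read(clauses, rootdn, binddn, dn, a)}
    return copy


def password_replicated(binddn):
    """Convenience check: does every replicated entry still carry userPassword?"""
    copy = replicate(parse_acl(ACL), ROOTDN, binddn, ENTRIES)
    return all("userPassword" in attrs for attrs in copy.values())


if __name__ == "__main__":
    for ident in (ROOTDN, "cn=replicator,dc=example,dc=com", "cn=reader,dc=example,dc=com"):
        print(f"{ident}: userPassword replicated = {password_replicated(ident)}")
```

The third identity reproduces the situation the thread describes: the sync completes without error, the entries arrive, but userPassword is absent on the consumer. Broadening the producer's ACL afterwards does not backfill entries the consumer already holds; the consumer database has to be re-synced, as Pierangelo notes. The quickest real-world check is an ldapsearch against the producer with the consumer's binddn (ldapsearch -H ldap://producer -D "<binddn>" -W -b "<suffix>" userPassword): if userPassword is not returned there, it will not be returned to syncrepl either.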