Incorrect snippet in delta-syncrepl example in admin guide?
Hi.
I used the Delta-syncrepl configuration example from the admin guide
(http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl) to
create configuration files for a basic 1 Master, 1 Slave configuration.
With a populated & functional master, I started the slave and hit this
error...
slap_client_connect: URI=ldap://9.57.13.249:389
DN="cn=user.replicator,ou=people
,dc=exampleb,dc=com" ldap_sasl_bind_s failed (49)+
(The replicator DN couldn't bind.) In fact, I couldn't execute a basic
ldapsearch while binding as the replicator DN... I kept getting "ldap_bind:
Invalid credentials (49)".
Long story short, the fix was to comment out the following ACL statements
in the master config file ... I could then bind as the replicator DN and
delta-syncrepl worked...
# Give the replica DN unlimited read access.
# NOTE(review): this is the only "access" directive in the posted master file.
# Its last clause is "by * break", which ends the directive and continues
# with the next one — but there is no next one, so every client that is not
# the (already bound) replicator ends up with no matching rule and is
# denied. That includes the anonymous "auth" access to userPassword that a
# simple bind needs before the replicator DN is authenticated, which is the
# most likely reason the bind failed with error 49. Keep this rule and
# follow it with explicit userPassword and "by * read" rules instead of
# removing it.
# NOTE(review): the two "by" lines are continuation lines and must begin with
# whitespace in the real slapd.conf; the paste has lost that indentation.
access to *
by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
by * break
I might be missing something... but based on my results, it seems like
those ACL statements aren't needed and actually prevented me from
delta-syncrepl'ing successfully. Wanted to pass along this info in case I'm
actually on to something... so you can fix the documentation if need be.
Thanks!
Master slapd.conf
# Provider (master) slapd.conf as posted to the list.
# NOTE(review): the "time.soft=..." and "size.hard=..." lines under each
# "limits" directive are continuation lines and must begin with whitespace
# in the real file (slapd treats a leading blank as "continue previous
# line"); the paste has lost that indentation — re-indent before use.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Give the replica DN unlimited read access.
#access to *
# by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
# by * break
# NOTE(review): with the rule above commented out this file has no "access"
# directive at all, which is why the bind started working: with no ACLs,
# slapd's default policy lets anyone — anonymous clients included — read
# everything, userPassword values and the whole cn=accesslog change log
# among them. The likely cause of the original failure is that the rule
# ended in "by * break" with no later directive to fall through to, so the
# still-anonymous client was denied the "auth" access to userPassword a
# simple bind needs. A safer fix keeps the replicator rule (it must stay
# first so the replica can read every attribute it replicates) and adds the
# fall-through rules after it, for example:
#   access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * none
#   access to *
#       by * read
# Accesslog database definitions
database hdb
suffix cn=accesslog
directory /usr/local/var/openldap-data/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="cn=user.replicator,ou=People,dc=exampleb,dc=com"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
database hdb
suffix "dc=exampleb,dc=com"
rootdn "cn=kingb,dc=exampleb,dc=com"
# NOTE(review): rootpw is stored in clear text here. Use a hashed value
# generated with slappasswd (e.g. an {SSHA} string) and keep slapd.conf
# readable only by the account slapd runs as.
rootpw pappie
directory /usr/local/var/openldap-data
index objectclass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="cn=user.replicator,ou=People,dc=exampleb,dc=com"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited
Slave slapd.conf
# Consumer (slave) slapd.conf as posted to the list.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database hdb
suffix "dc=exampleb,dc=com"
rootdn "cn=kingb,dc=exampleb,dc=com"
# NOTE(review): clear-text rootpw; replace it with a slappasswd-generated
# hash and restrict the file's permissions to the slapd account.
rootpw pappie
directory /usr/local/var/openldap-data
index entryUUID eq
# syncrepl directives
# NOTE(review): every line from "provider=" through "syncdata=" continues the
# single "syncrepl" directive and must begin with whitespace in the real
# file; the paste has lost that indentation.
# NOTE(review): bindmethod=simple against a plain ldap:// provider URL sends
# the replicator DN and the clear-text "credentials=" value over the wire on
# every (re)connect. Use an ldaps:// URL or add "starttls=critical" to this
# directive, and keep this file readable only by the slapd account since the
# replication password is stored here in the clear.
syncrepl rid=0
provider=ldap://(my_ip_address):389
bindmethod=simple
binddn="cn=user.replicator,ou=People,dc=exampleb,dc=com"
credentials=metsrbad
searchbase="dc=exampleb,dc=com"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
# Refer updates to the master
# NOTE(review): the referral also points at a plain ldap:// URL; clients that
# follow it will rebind to the master without TLS unless they negotiate it
# themselves.
updateref ldap://(my_ip_address):389