Re: Incorrect snippet in delta-syncrepl example in admin guide?
Brad T Waldorf wrote:
> Hi.
> I used the Delta-syncrepl configuration example from the admin guide
> (http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl) to
> create configuration files for a basic 1 Master, 1 Slave configuration.
> With a populated & functional master, I started the slave and hit this
> error...
> slap_client_connect: URI=ldap://9.57.13.249:389 DN="cn=user.replicator,ou=people,dc=exampleb,dc=com" ldap_sasl_bind_s failed (49)
> (The replicator DN couldn't bind.) In fact, I couldn't execute a basic
> ldapsearch while binding as the replicator DN... kept getting "ldap_bind:
> Invalid credentials (49)".
> Long story short, the fix was to comment out the following ACL statements
> in the master config file ... I could then bind as the replicator DN and
> delta-syncrepl worked...
> # Give the replica DN unlimited read access.
> access to *
>         by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
>         by * break
Your ACLs are obviously wrong. The above piece of ACL is intended to
exist along with other rules, otherwise it's useless by itself. In
fact, in order to check an identity, anonymous must be able to bind, and
thus needs auth permission. Posting your hack as if it were the solution
to a problem is only going to create further confusion in those who
didn't understand the ACL model yet.
A minimal ACL design that allows essential operations including
replication would need:
- let everyone try to auth
- let replication identity read everything that needs to be replicated
- let others read/write what they are allowed to read
so:
access to attrs=userPassword
        by <replication identity> read
        by * auth
access to <something else>
        by <replication identity> read
        by <others> <as appropriate>
# catchall for what's left
access to *
        by <replication identity> read
As you may see, you need to repeat the "by <replication identity> read"
snippet all times. So a shortcut is:
access to *
        by <replication identity> read
        by * break
access to attrs=userPassword
        by * auth
access to <something else>
        by <others> <as appropriate>
which means: replication identity can read everything, others don't gain
any privilege; but don't stop evaluating rules, step to the next one for
further permission.
If you don't understand this, please don't try to teach others how ACLs
need to be configured to have replication work as intended. You removed
from your example the comment "This ACL may need to be merged with other
ACL statements."
<http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl>
(that statement probably needs to be strengthened, replacing "may" with
"must").
Probably this was not your intention, but the consequence is that
googling up "openldap delta-syncrepl access" will likely hit your
message and propagate false information.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
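As an added illustration, not taken from the thread or from the OpenLDAP admin guide, the "break" shortcut described above written out as a complete slapd.conf access section. It uses the replicator DN from the thread; the ou=People subtree and the self/users rules are assumptions made for the example.

```conf
# Added example: slapd.conf ACL section built on the "by * break" shortcut.
# In slapd.conf every "by" clause must be on a continuation line that
# starts with whitespace, otherwise it is parsed as a new directive.

# 1. The replication identity reads everything. Its clause matches first
#    and stops evaluation (the default control). Everyone else hits
#    "break", which jumps to the next "access" directive instead of
#    denying them here; this is the part the isolated snippet relies on.
access to *
        by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
        by * break

# 2. Binding is done by an anonymous session checking userPassword, so
#    everyone needs "auth" (bind only, no compare/search/read) on it.
#    Without this rule even the replicator's own bind fails with
#    "Invalid credentials (49)". Users may change their own password.
access to attrs=userPassword
        by self write
        by * auth

# 3. Assumed directory data: owners update their entry, authenticated
#    users read it, anonymous gets nothing. The replicator never reaches
#    this rule because rule 1 already granted it read access.
access to dn.subtree="ou=People,dc=exampleb,dc=com"
        by self write
        by users read
        by * none

# 4. Catch-all for whatever is left.
access to *
        by users read
        by * none
```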