
Translucent with syncrepl to Active Directory



Hello,

I'm trying to get syncrepl to work from a provider that is configured as a
back-ldap to an Active Directory with the translucent overlay. Although
the master is also an OpenLDAP, since it uses the back-ldap backend to
AD, the entryUUID and entryCSN fields are not present, thus preventing
syncrepl from working.

But I really only need to replicate the local modifications stored in my
translucent (HDB). And doing a slapcat shows that the entryUUID and
entryCSN are present in the translucent DB. So I'm wondering if there's
a way to tell syncrepl to bother only with entries stored in my hdb, and
ignore anything that doesn't have the entryUUID/CSN fields (the fields
proxied from AD).

I'm getting the following error on the slave:
syncrepl_entry: rid=100 entry unchanged, ignored (dc=testdomain,dc=org)
do_syncrep2: rid=100 got empty syncUUID with LDAP_SYNC_ADD

Servers in the example (using OpenLDAP 2.4.11 on Debian Lenny):
tst-dc01.testdomain.org = Active Directory
ldap.tst.testdomain.org = OpenLDAP master
ldap-slave.tst.testdomain.org = OpenLDAP slave


Master configuration:
---------------------
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/testdomain.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_ldap
moduleload      back_hdb
moduleload      translucent
moduleload      syncprov

TLSCACertificateFile    /etc/ssl/certs/testdomainca.pem
TLSCertificateFile      /etc/ldap/ssl/ldap.tst.testdomain.org.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap.tst.testdomain.org.key
TLSVerifyClient         never

defaultsearchbase "dc=testdomain,dc=org"

sizelimit       unlimited

backend         hdb
backend         ldap

database        hdb
directory       /var/lib/ldap
suffix          "dc=testdomain,dc=org"
index           objectclass,entryCSN,entryUUID eq
rootdn          cn=ldaproot,dc=testdomain,dc=org
rootpw          blah

overlay         translucent
uri             "ldap://tst-dc01.testdomain.org"
idassert-bind   bindmethod=simple
                binddn="CN=readonly,DC=testdomain,DC=org"
                credentials="pw"
                mode=none
chase-referrals no
rebind-as-user  yes
lastmod         on
translucent_strict

overlay                  syncprov
syncprov-checkpoint      64 30
syncprov-sessionlog      1024

access to dn.subtree="dc=testdomain,dc=org"
        by * read


Slave configuration:
--------------------
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/testdomain.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

modulepath      /usr/lib/ldap
moduleload      back_ldap
moduleload      back_hdb
moduleload      translucent

TLSCACertificateFile    /etc/ssl/certs/testdomainca.pem
TLSCertificateFile      /etc/ldap/ssl/ldap-slave.tst.testdomain.org.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap-slave.tst.testdomain.org.key
TLSVerifyClient         never

defaultsearchbase "dc=testdomain,dc=org"

sizelimit       unlimited

backend         hdb
backend         ldap

database        hdb
directory       /var/lib/ldap
suffix          "dc=testdomain,dc=org"
index           objectclass,entryCSN,entryUUID eq
rootdn          cn=ldaproot,dc=testdomain,dc=org
rootpw          blah

syncrepl rid=100
        provider=ldaps://ldap.tst.testdomain.org
        type=refreshAndPersist
        interval=00:00:15:00
        retry="300 20 7200 +"
        searchbase="dc=testdomain,dc=org"
        attrs="gecos"
        schemachecking=off
        bindmethod=simple
        binddn="CN=repl,DC=testdomain,DC=org"
        credentials="pw"

overlay         translucent
uri             "ldap://tst-dc01.testdomain.org ldap://tst-dc02.testdomain.org"
idassert-bind   bindmethod=simple
                binddn="CN=readonly,DC=testdomain,DC=org"
                credentials="pw"
                mode=none
chase-referrals no
rebind-as-user  yes
lastmod         on
translucent_strict

access to dn.subtree="dc=testdomain,dc=org"
        by * read



Thanks for any info!
--
Pascal
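
Added note, not part of Pascal's message: syncprov fills the syncUUID of each
sync-state control from the provider entry's entryUUID, and orders changes by
entryCSN, so an entry that is served by the provider without an entryUUID
produces exactly the "got empty syncUUID" line quoted above. The script below
is an added example (my own, not code from the post or from the OpenLDAP
project) for checking which entries in a slapcat dump, or in an ldapsearch
against the provider with operational attributes requested, carry both
attributes. The LDIF it ships with is constructed to mimic one entry stored in
the local translucent HDB and one entry merged in from AD through back-ldap;
its DNs, attribute values and the objectGUID are assumptions, not taken from
the poster's directory.

```python
"""
Classify LDIF entries by whether they carry the attributes syncrepl needs.

Reads LDIF (saved output of slapcat, or of an ldapsearch that requested
operational attributes) and reports which DNs lack entryUUID or entryCSN,
so entries stored locally can be told apart from entries merely proxied in.
"""
import base64
import sys

SYNC_ATTRS = ("entryUUID", "entryCSN")


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) parsed from LDIF text.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ..."). URL values ("attr:< ...") are kept as the
    raw URL, not fetched.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries = []
    dn, attrs = None, {}
    for line in lines + [""]:                  # empty sentinel flushes last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line.strip() == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def missing_sync_attrs(entries):
    """Map each DN to the sync attributes it lacks (empty list if none)."""
    return {dn: [a for a in SYNC_ATTRS if a.lower() not in attrs]
            for dn, attrs in entries}


def report(text):
    """Return (replicable_dns, {problem_dn: missing_attrs}) for LDIF text."""
    missing = missing_sync_attrs(parse_ldif(text))
    ok = sorted(dn for dn, m in missing.items() if not m)
    bad = {dn: m for dn, m in missing.items() if m}
    return ok, bad


# Constructed sample (assumed values): the base entry as stored in the local
# HDB carries OpenLDAP's operational attributes; the user entry is what a
# back-ldap proxy of AD returns, with AD's objectGUID but no entryUUID/CSN.
SAMPLE_LDIF = """\
version: 1

dn: dc=testdomain,dc=org
objectClass: domain
dc: testdomain
entryUUID: 8b5a6b3c-2d11-1030-9c84-ab9d2a9f1d7e
entryCSN: 20090714101500.000000Z#000000#000#000000

dn: cn=Jane Doe,cn=Users,dc=testdomain,dc=org
objectClass: user
cn: Jane Doe
gecos:: SmFuZSBEb2U=
objectGUID:: Ef2UwzMgNkqkm2UFK8MCRw==
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    ok, bad = report(text)
    print("entries with entryUUID and entryCSN: %d" % len(ok))
    for dn, m in sorted(bad.items()):
        print("MISSING %s: %s" % (", ".join(m), dn))
```

Run it with no input to see the constructed sample classified, or pipe in
the output of slapcat on the provider, or of ldapsearch -LLL against it with
'*' '+' in the attribute list so operational attributes are returned. Any DN
listed as MISSING entryUUID is one the consumer will reject with the empty
syncUUID error.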