openldap syncrepl Provider with Slave(older version)

[Rupesh Thakkar <Rupesh.Thakkar@symphonysv.com>]

Hi ,

 

My application was using replication using Slurpd .

Now, we want to move to openldap version 2.4 (RHEL 6.x)from 2.2, so I should use syncrepl  instead slurpd. Replication clients(slaves) can still be of older version(2.2)

 

I am tried to replication setup using sincerely using doc http://www.openldap.org/doc/admin24/replication.html

I am following first of two topologies suggested for replacing slurped in doc http://www.openldap.org/doc/admin24/replication.html

It says (Master/Provider configuration) ---àProxy consumer configuration --sincerely-àold Slaves(which were working with slurpd)

 

Following are my Master and Proxy configuration file they are similar to what above documents says

 

 

Master slapd.conf [ /usr/sbin/slapd -h ldap://localhost:389 -f /usr/share/openldap-servers/slapd.conf ]

--------------------------------------------------------------------------------------------------------------------------------------------------------------

access to *

             by dn.base="cn=replicator,dc=Avaya" write

             by dn.base="cn=root,dc=Avaya" write

             by dn.base=umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya read

             by * break

access to dn.base=""

                by * read

access to dn.base="dc=Avaya"

                by * read

access to dn.subtree="ou=People,dc=Avaya"

            by dn.exact="cn=root,dc=Avaya" write

            by users read

            by * read

access to *

                by self write

                by * read

database        bdb

suffix          "dc=Avaya"

rootdn          "cn=root,dc=Avaya"

rootpw          secret

rootpw          Testpw

 

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

password-hash {CLEARTEXT},{SHA},{SSHA}

directory       /var/lib/ldap

 

index objectClass                       eq

index       default     sub

index ou,cn,mail,surname,givenname      eq,pres,sub

index nisMapName,nisMapEntry            eq,pres,sub

index entryCSN eq

index entryUUID eq

 

checkpoint      1024 15

cachesize       10000

idlcachesize    10000

#syncrepl Provider for primary db

        overlay syncprov

        syncprov-checkpoint 1000 60

        # Let the replica DN have limitless searches

        limits dn.exact="umObjectGUID=218afb42cb5e11e09542001a64e587d4,ou=People,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

        limits dn.exact="cn=replicator,dc=Avaya" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

 

 

 

 

Proxy slapd_p.conf  [ /usr/sbin/slapd -h ldap://localhost:50389 -f /usr/share/openldap-servers/slapd_p.conf ]

--------------------------------------------------------------------------------------------------------------------------------------------------------------

access to *

        by * read

        # Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap

        database        ldap

        # ignore conflicts with other databases, as we need to push out to same suffix

        hidden              on

        suffix          "dc=Avaya"

        rootdn         "cn=slapd-ldap,dc=Avaya"

        uri     ldap://localhost:50389

        rootpw          secret

        rootpw          testing

        lastmod         on

        acl-bind     bindmethod=simple

binddn=”cn=replicator,dc=Avaya”

credentials=Testpw

                        #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya"

                        #credentials=1234

        syncrepl        rid=001

                        provider=ldap://localhost:389/

                        binddn=”cn=replicator,dc=Avaya”

                        #binddn="umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya

                        bindmethod=simple

                        credentials=Testpw

                        #credentials=1234

                        searchbase="dc=Avaya"

                        type=refreshAndPersist

                        retry="5 5 300 5"

        overlay         syncprov

 

 

 

1)I am able to query Master database but not to proxy database why so ?

ps -ef | grep slapd

/usr/sbin/slapd -h ldap://localhost:389 -f /usr/share/openldap-servers/slapd.conf

/usr/sbin/slapd -h ldap://localhost:50389 -f /usr/share/openldap-servers/slapd_P.conf

 

lsearch query to master database(port 389) is working

/usr/bin/ldapsearch  -x -h localhost -p 389 -D"cn=root,dc=Avaya" -w w00dstock -b"dc=Avaya" '(objectClass=*)'

 

Why following query to proxy (50389) is failing even though database has read permissions to everyone .

 

/usr/bin/ldapsearch  -x -h localhost -p 50389 -D"cn=slapd-ldap" -w w00dstock -b"dc=Avaya" '(objectClass=*)'

ldap_bind: Invalid credentials (49)

 

2)is  "cn=replicator,dc=Avaya" here should be rootdn user or normal database(slapd) user ?.

 

I tried this ldap slapd user "umObjectGUID=31ff609ecb5e11e09542001a64e587d4,ou=People,dc=Avaya” and with password ”1234” and restarting both master and proxy still query fails

 

Can you point me where am I wrong ?

 

 

Thanks

Rupesh

"This email and any files transmitted with it contain confidential, proprietary,
privileged information of Symphony Services Corp (India) Pvt. Ltd. and are intended
solely for the use of the recipient/s to whom it is addressed. Any unauthorized
notifying, copying or distributing of this e-mail, directly or indirectly, and the
contents therein in full or part is prohibited by any entity who is not a recipient.
Any email received inadvertently or by mistake should be deleted by the entity who
is not a recipient thereof. You may be pleased to notify the sender immediately by
email and the email should be deleted from your system".