change syncrepl creds with no restart?
- To: openldap-technical@openldap.org
- Subject: change syncrepl creds with no restart?
- From: Christopher Wood <christopher_wood@pobox.com>
- Date: Thu, 1 Sep 2011 12:32:48 -0400
- Content-disposition: inline
- User-agent: Mutt/1.5.20 (2009-06-14)
(I'm having trouble finding the answer with Google, so inquiring here. If you have RTFM URLs I will be quite happy indeed.)
It looks like I'm unable to change syncrepl (client) credentials without restarting slapd. When I tried this I couldn't modify an entry after the change, with an error message apparently indicating that this was a replicated consumer. Things went back to multimaster-normal after restarting both slapd instances involved.
My questions (more details are below):
1) Is this intended?
2) Is there something that I can prod slapd with in order to have it change syncrepl credentials without restarting slapd?
(Caveats on the details: s/${companyname}/base/; hostnames munged too; I have checked that all passwords are the same on the real hosts, just like here; I have checked that the syncrepl provider= values are correct on the real hosts):
The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
First I added a new user:
dn: uid=sync,o=base
userPassword:: YmFzZQ==
objectClass: account
objectClass: shadowAccount
uid: sync
Then I gave that user read access to everything:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to dn.subtree="ou=groups,o=base" by * read
olcAccess: to dn.subtree="ou=people,o=base" by * read
olcAccess: to * by dn=uid=sync,o=base read
The ACLs for the o=base tree were then:
olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read
olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read
olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read
olcAccess: {3}to dn.subtree="ou=people,o=base" by * read
olcAccess: {4}to * by dn=uid=sync,o=base read
So I updated the olcSyncrepl rules:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
However, when I attempted to change my password on one of the hosts (in o=base, not cn=config)...
dn: uid=cwood,ou=people,o=base
changetype: modify
add: userPassword
userPassword: fakefakefake
I got this:
modifying entry "uid=cwood,ou=people,o=base"
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
And this is what turned up in the logs:
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
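Added example, not part of the original post and not OpenLDAP project code: an offline review of the olcSyncrepl values and the slapd log lines quoted above, of the kind worth running before swapping consumer credentials. It parses each directive (handling the quoted retry="5 5 30 +" and binddn values), flags a binddn that is still the root DN, a simple bind with no credentials, and a simple bind over plain ldap:// that is not protected by starttls=critical (the password crosses the wire in clear text otherwise), and scans the log for the err=53 RESULT line the post shows. The root DN passed to the check is a hypothetical value for illustration; the directive and log text are copied from the post. Nothing here binds to a live server.

```python
"""Offline sanity checks for an olcSyncrepl credential change.

Added example, not from the original post or OpenLDAP. The rootdn used in the
__main__ block is hypothetical; the directive values and log lines are the
ones quoted in the post (hostnames already munged there).
"""
import re
import shlex

# olcSyncrepl values copied from the post above.
SYNCREPL_VALUES = [
    'rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" '
    'bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly '
    'interval=00:00:00:10 retry="5 5 30 +" timeout=1',
    'rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" '
    'bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly '
    'interval=00:00:00:10 retry="5 5 30 +" timeout=1',
]

# slapd log lines copied from the post, used as sample input for the scan.
SLAPD_LOG = """\
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
"""


def parse_syncrepl(value):
    """Split one olcSyncrepl value into a dict of lower-cased keys.

    shlex handles the double-quoted values (retry="5 5 30 +", binddn="...")
    that a plain str.split() would break apart."""
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"malformed syncrepl token: {token!r}")
        params[key.lower()] = val
    if "rid" not in params or "provider" not in params:
        raise ValueError("syncrepl value needs at least rid= and provider=")
    return params


def normalize_dn(dn):
    """Cheap DN comparison: lower-case, whitespace around commas dropped.
    Adequate for a review script; not a full RFC 4514 normalization."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def check_syncrepl(values, rootdn):
    """Return a list of findings for the set of olcSyncrepl values on one database."""
    findings = []
    parsed = [parse_syncrepl(v) for v in values]
    rids = [p["rid"] for p in parsed]
    if len(set(rids)) != len(rids):
        findings.append("duplicate rid values: " + ", ".join(rids))
    binddns = {normalize_dn(p.get("binddn", "")) for p in parsed}
    if len(binddns) > 1:
        findings.append("binddn differs between rids: " + ", ".join(sorted(binddns)))
    for p in parsed:
        rid = p["rid"]
        if normalize_dn(p.get("binddn", "")) == normalize_dn(rootdn):
            findings.append(f"rid={rid}: binddn is the rootdn; use a dedicated read-only identity")
        if p.get("bindmethod", "simple") == "simple":
            if not p.get("credentials"):
                findings.append(f"rid={rid}: bindmethod=simple but no credentials=")
            # A simple bind over ldap:// sends the password in clear text unless
            # StartTLS is negotiated first. starttls=yes still falls back to plain
            # on failure, so only starttls=critical is accepted here.
            if p["provider"].startswith("ldap://") and p.get("starttls") != "critical":
                findings.append(f"rid={rid}: simple bind over ldap:// without starttls=critical")
    return findings


RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)$")


def scan_unwilling(log_text):
    """Return (conn, op, text) for every RESULT line with err=53 (unwillingToPerform),
    the code slapd returned in the post when the database was treated as a shadow."""
    hits = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m and m.group(4) == "53":
            hits.append((m.group(1), m.group(2), m.group(5)))
    return hits


if __name__ == "__main__":
    # "cn=admin,o=base" is a hypothetical root DN, not one from the post.
    for finding in check_syncrepl(SYNCREPL_VALUES, rootdn="cn=admin,o=base"):
        print("finding:", finding)
    for conn, op, text in scan_unwilling(SLAPD_LOG):
        print(f"conn={conn} op={op} refused: {text}")
```

Run against the values from the post, the check reports one finding per rid (the simple bind over plain ldap://); pass the sync user's DN as the rootdn and it also reports that the consumer still binds as the root DN, which is the situation the post is moving away from.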