[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: change syncrepl creds with no restart?
Christopher Wood wrote:
(I'm having trouble finding the answer with Google, so inquiring here. If
you have RTFM urls I will be quite happy indeed.)
It looks like I'm unable to change syncrepl (client) credentials without
restarting slapd. When I tried this I couldn't modify an entry after the
change, with an error message apparently indicating that this was a replicated
consumer. Things went back to multimaster-normal after restarting both slapd's
involved.
My questions (more details are below):
1) Is this intended?
2) Is there something that I can prod slapd with in order to have it
change
syncrepl credentials without restarting slapd?
There's a bit of a glitch here; when you modify the olcSyncrepl attribute, it
is internally a delete followed by an add. When the delete occurs, the
olcMirrorMode flag is implicitly turned off. (Because it is only allowed to be
On for a database that is being replicated.) When the add occurs, the flag is
not automatically turned back on.
The solution is to set it explicitly in your LDAPModify request.
(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
First I added a new user:
dn: uid=sync,o=base
userPassword:: YmFzZQ==
objectClass: account
objectClass: shadowAccount
uid: sync
Then I gave that user read access to everything:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to dn.subtree="ou=groups,o=base" by * read
olcAccess: to dn.subtree="ou=people,o=base" by * read
olcAccess: to * by dn=uid=sync,o=base read
The acls for the o=base tree were then:
olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read
olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read
olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read
olcAccess: {3}to dn.subtree="ou=people,o=base" by * read
olcAccess: {4}to * by dn=uid=sync,o=base read
So I updated the olcSyncrepl rules:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
dn: uid=cwood,ou=people,o=base
changetype: modify
add: userPassword
userPassword: fakefakefake
I got this:
modifying entry "uid=cwood,ou=people,o=base"
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
And this is what turned up in the logs:
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/