[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: change syncrepl creds with no restart?
- To: Howard Chu <hyc@symas.com>
- Subject: Re: change syncrepl creds with no restart?
- From: Christopher Wood <christopher_wood@pobox.com>
- Date: Fri, 2 Sep 2011 15:17:55 -0400
- Cc: openldap-technical@openldap.org
- Content-disposition: inline
- Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:message-id:references:mime-version:content-type :in-reply-to; s=sasl; bh=0QGw0LJg5NJpbdmdfQCMGlQr2r4=; b=ld9K6uM eXnqBsGreyWZaSn6nJincYCtCo94zq5+F89jfypqamtxB2XHT0K42GynweCwVbyJ ajnajDyCQ1DlniYB4FubfvPVLkdXJlPtfgNEiALaPNMZf6oOQ6WWBnUiYQOQWYk3 JLrX6LEJ8nes4DfT6hXvtrc5tx40/SlFmEcM=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=date:from:to:cc :subject:message-id:references:mime-version:content-type :in-reply-to; q=dns; s=sasl; b=gHVYnp2MYCG1dhXjw+vbKkZYAXJhjnC1y C52gH5eyplf+WSZhtwcm4jST4r+FciKYzd6w0E5mgjj4TyL0Cv25trkArbQ4frAq pViX+MQqPq731GErQCI2qSCjKcVydpJNz78zleHTw5zeZsBj8i1RV3neToRrumQQ dG2AaVGd5k=
- In-reply-to: <4E5FDB06.2050704@symas.com>
- References: <20110901163248.GA25348@iniquitous.lan> <4E5FDB06.2050704@symas.com>
- User-agent: Mutt/1.5.20 (2009-06-14)
On Thu, Sep 01, 2011 at 12:20:38PM -0700, Howard Chu wrote:
> Christopher Wood wrote:
> >(I'm having trouble finding the answer with Google, so inquiring here. If
> you have RTFM urls I will be quite happy indeed.)
> >
> >It looks like I'm unable to change syncrepl (client) credentials without
> restarting slapd. When I tried this I couldn't modify an entry after the
> change, with an error message apparently indicating that this was a replicated
> consumer. Things went back to multimaster-normal after restarting both slapd's
> involved.
> >
> >My questions (more details are below):
> >
> >1) Is this intended?
> >
>
> >2) Is there something that I can prod slapd with in order to have it
> >change
> syncrepl credentials without restarting slapd?
>
> There's a bit of a glitch here; when you modify the olcSyncrepl
> attribute, it is internally a delete followed by an add. When the
> delete occurs, the olcMirrorMode flag is implicitly turned off.
> (Because it is only allowed to be On for a database that is being
> replicated.) When the add occurs, the flag is not automatically
> turned back on.
>
> The solution is to set it explicitly in your LDAPModify request.
Thank you. Your solution works whether I update olcMirrorMode in
the same ldapmodify request or in a later one.
> >
> >
> >
> >(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
> >
> >The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
> >
> >First I added a new user:
> >
> >dn: uid=sync,o=base
> >userPassword:: YmFzZQ==
> >objectClass: account
> >objectClass: shadowAccount
> >uid: sync
> >
> >Then I gave that user read access to everything:
> >
> >dn: olcDatabase={1}hdb,cn=config
> >changetype: modify
> >replace: olcAccess
> >olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read
> >olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read
> >olcAccess: to dn.subtree="ou=groups,o=base" by * read
> >olcAccess: to dn.subtree="ou=people,o=base" by * read
> >olcAccess: to * by dn=uid=sync,o=base read
> >
> >The acls for the o=base tree were then:
> >
> >olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read
> >olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read
> >olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read
> >olcAccess: {3}to dn.subtree="ou=people,o=base" by * read
> >olcAccess: {4}to * by dn=uid=sync,o=base read
> >
> >So I updated the olcSyncrepl rules:
> >
> >dn: olcDatabase={1}hdb,cn=config
> >changetype: modify
> >replace: olcSyncRepl
> >olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
> >olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
> >
> >However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
> >
> >dn: uid=cwood,ou=people,o=base
> >changetype: modify
> >add: userPassword
> >userPassword: fakefakefake
> >
> >I got this:
> >
> >modifying entry "uid=cwood,ou=people,o=base"
> >ldap_modify: Server is unwilling to perform (53)
> > additional info: shadow context; no update referral
> >
> >And this is what turned up in the logs:
> >
> >Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
> >Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
> >Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
> >Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
> >
> >
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>