
slapo-chain on syncrepl slave. I simply can't get it working. Help??



Hi,

I've spent 2 days on this now and can't figure it out.

Master directory (2.4.21 on FBSD 7, compiled with SASL)

Slave (2.4.31 on Debian Squeeze)

The goal is to eventually use TLS, as the two servers are remote from one
another, but for the sake of simplicity during testing I'm not using
TLS at this stage.

RefreshAndPersist replication is set up and working.

Master config (not complete, but the related parts):

authz-policy    to

database bdb
suffix cn=accesslog
directory /db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
        time.soft=unlimited time.hard=unlimited size.soft=unlimited
        size.hard=unlimited

database        bdb
suffix          "dc=webgate,dc=net,dc=au"
rootdn          "cn=Manager,dc=webgate,dc=net,dc=au"

rootpw          deleted

password-hash   {SSHA}

directory       /var/db/openldap-data
mode            0600

cachesize       2000

# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
        time.soft=unlimited time.hard=unlimited size.soft=unlimited
        size.hard=unlimited

access to attrs=userPassword
        by self write
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by * auth

access to dn.base="ou=zones,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.children="ou=zones,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.base="ou=emails,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.children="ou=emails,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.children="ou=users,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.base="ou=users,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.base="ou=groups,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.children="ou=groups,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.base="ou=virtualhosts,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to dn.children="ou=virtualhosts,dc=webgate,dc=net,dc=au"
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read
        by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write

access to *
        by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
        by users read
        by anonymous none
        by * none

Slave config:

overlay                 chain

chain-uri               ldap://xxx:389/
chain-rebind-as-user    Yes

chain-idassert-bind     bindmethod="simple"
        binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
        credentials="xxx" mode="self"
chain-return-error      Yes

access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by * none

access to dn.base="" by * read

access to *
        by * read

# syncrepl directives
syncrepl  rid=0
          provider=ldap://xxx:389
          bindmethod=simple
          binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
          credentials=deleted
          searchbase="dc=webgate,dc=net,dc=au"
          logbase="cn=accesslog"
          logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
          schemachecking=on
          type=refreshAndPersist
          retry="60 +"
          syncdata=accesslog

# Refer updates to the master
updateref               ldap://xxx

cn=replicator contains:
dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au
objectClass: top
objectClass: inetOrgPerson
cn: replicator
sn: replicator
userPassword:: xxx
authzTo: {0}dn:*

No matter what I change, when I run ldapmodify on the slave

ldapmodify -x -D "cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" -W -f test_update.ldif

modifying entry "uid=xxx,ou=emails,dc=webgate,dc=net,dc=au"
ldap_modify: Strong(er) authentication required (8)

I run the server with -d 1 to see what's going on, and it seems that even if I
change

chain-idassert-bind binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"

to anything, even a DN that doesn't exist in the directory, it never gets used...

The only chain-* directive that makes any difference is

chain-return-error      Yes

Setting it to "no" makes it return just the referral address.

What am I doing wrong???

Thanks
Petr
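Added example, not part of Petr's post and not OpenLDAP code: a small Python linter over the consumer and provider snippets quoted above. It joins slapd.conf continuation lines the way slapd.conf(5) does (a line continues the previous directive only when it begins with whitespace; as quoted in the mail, the binddn= and credentials= lines of chain-idassert-bind carry none, so the constructed sample indents them), then checks what mode="self" identity assertion depends on: an authz-policy of to, any or all on the provider, an authzTo value on the idassert binddn entry, credentials for a simple bind, and whether the chain-uri is cleartext ldap:// with no chain-tls directive, which is the transport caveat behind the TLS plan mentioned in the post. The xxx hosts, the password placeholder and the DNs are the values from the post; chain-tls is the slapo-chain form of the slapd-ldap tls directive, and the finding texts are this example's own wording.

```python
"""Lint the slapo-chain identity-assertion setup of an OpenLDAP consumer.

Added example, not code from the post or from OpenLDAP. It parses
slapd.conf-style text plus one LDIF entry and reports the consistency
checks a reviewer would make before trusting chained writes."""
import shlex

# Constructed sample taken from the post, with the continuation lines of
# chain-idassert-bind indented as slapd.conf(5) requires.
SLAVE_CONF = """\
overlay                 chain
chain-uri               ldap://xxx:389/
chain-rebind-as-user    Yes
chain-idassert-bind     bindmethod="simple"
        binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
        credentials="xxx" mode="self"
chain-return-error      Yes
updateref               ldap://xxx
"""

# Constructed sample: the master-side lines that matter for proxy authz.
MASTER_CONF = """\
authz-policy    to
database        bdb
suffix          "dc=webgate,dc=net,dc=au"
overlay syncprov
"""

# Constructed sample: the replicator entry as shown in the post.
REPLICATOR_LDIF = """\
dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au
objectClass: top
objectClass: inetOrgPerson
cn: replicator
sn: replicator
userPassword:: xxx
authzTo: {0}dn:*
"""


def parse_slapd_conf(text):
    """Return [(keyword, [args])]. slapd.conf(5): a line beginning with
    whitespace continues the previous directive; '#' starts a comment."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    out = []
    for line in logical:
        parts = shlex.split(line)  # also strips the quotes around values
        out.append((parts[0].lower(), parts[1:]))
    return out


def keyvals(args):
    """Turn key=value tokens (idassert-bind style) into a dict."""
    return dict(a.split("=", 1) for a in args if "=" in a)


def parse_ldif_entry(text):
    """Minimal LDIF reader: lowercase attribute -> list of values. Base64
    ('::') values are kept as-is; only presence matters here."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
    return entry


def lint_chain(slave_conf, master_conf, idassert_entry_ldif):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    slave = parse_slapd_conf(slave_conf)
    master = parse_slapd_conf(master_conf)
    entry = parse_ldif_entry(idassert_entry_ldif)

    idassert = {}
    for kw, args in slave:
        if kw == "chain-idassert-bind":
            idassert = keyvals(args)
    if not idassert:
        return ["no chain-idassert-bind directive found"]

    binddn = idassert.get("binddn", "")
    if not binddn:
        findings.append("chain-idassert-bind has no binddn: check that its "
                        "continuation lines start with whitespace")
    if idassert.get("bindmethod", "simple").lower() == "simple" \
            and not idassert.get("credentials"):
        findings.append("simple idassert bind without credentials")

    if idassert.get("mode", "").lower() == "self":
        # mode=self asserts the original client's identity with the
        # proxyAuthz control; the provider must honour authzTo on the
        # idassert DN (authz-policy to|any|all) and the entry must carry it.
        policies = [a[0].lower() for kw, a in master if kw == "authz-policy" and a]
        if not policies or policies[-1] not in ("to", "any", "all"):
            findings.append("master authz-policy does not honour authzTo "
                            "(need to, any or all)")
        entry_dn = (entry.get("dn") or [""])[0]
        if binddn and entry_dn.lower() != binddn.lower():
            findings.append("LDIF entry DN does not match idassert binddn")
        if not entry.get("authzto"):
            findings.append("idassert binddn entry carries no authzTo values")

    # Transport: a simple bind over plain ldap:// sends the idassert password
    # in the clear unless StartTLS is forced with chain-tls.
    has_tls = any(kw == "chain-tls" for kw, _ in slave)
    for kw, args in slave:
        if kw == "chain-uri":
            for uri in args:
                if uri.lower().startswith("ldap://") and not has_tls:
                    findings.append(f"chain-uri {uri} is cleartext and no "
                                    "chain-tls directive is set")
    return findings


if __name__ == "__main__":
    for finding in lint_chain(SLAVE_CONF, MASTER_CONF, REPLICATOR_LDIF):
        print("finding:", finding)
```

The linter only reads configuration text; it never contacts a server, so it can be run against copies of both files before restarting slapd. On the snippets from the post it reports just the cleartext chain-uri; feeding it the directive with unindented continuation lines shows how the binddn and credentials silently drop out of chain-idassert-bind.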