Re: Access denied consumer replication (OpenLDAP+Kerberos)

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho 
<dlcarvalho@gmail.com> wrote:

> Hi
>
> I try to configure two openldap/kerberos server (provider and
> consumer), but I'm having some issues about replication. Under LDAP
> log, I have many entries like this: "slap_access_allowed: search
> access denied by none(=0)"
>
> These messages are related to consumer access to the Kerberos database
> on provider and the kerberos database can't be replicated to the
> consumer. The others data are replicated normaly.
>
> These are the ACL under privider:
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by
> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
> dc=br" read
>   by anonymous auth by * none
>
> olcAccess: {1}to
> dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>   by
> dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
> br" write
>   by
> dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
> br" read
>   by
> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
> dc=br" read by * none
>
> olcAccess: {2}to attrs=loginShell
>   by self write
>   by users read
>   by * none
>
> olcAccess: {3}to dn.base=""
>   by * read
>
> olcAccess: {4}to *
>   by users read
>   by * none

This is the entity asking permission:

Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
(=0)

This does not match

by 
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"

It looks like you put the host entry in the users tree and not the consumer 
tree.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration