I solved this issue. It was in fact a mistake in my ACL directives. For those who try to build a master-master replication between LDAP servers, for both cn=config DIT and dc=exemple,dc=com, my config DIT look like this : On ldap1.vm : ================================================= dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcAuthzRegexp: {0}uid=admin,cn=exemple.com,cn=gssapi,cn=auth cn=admin,dc=exemple,dc=com olcAuthzRegexp: {1}uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth cn=$1,ou=ldap,dc=exemple,dc=com olcAuthzRegexp: {2}uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth cn=$1,ou=hosts,dc=exemple,dc=com olcAuthzRegexp: {3}uid=(.*),cn=exemple.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=exemple,dc=com olcLogLevel: stats olcPidFile: /var/run/slapd/slapd.pid olcSaslRealm: EXEMPLE.COM olcServerID: 1 ldap://ldap1.vm.exemple.com/ olcServerID: 2 ldap://ldap2.vm.exemple.com/ olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov dn: olcBackend={0}hdb,cn=config objectClass: olcBackendConfig olcBackend: {0}hdb dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcSizeLimit: 500 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn. read by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcRootDN: cn=admin,cn=config olcSyncrepl: {0}rid=001 provider="ldap://ldap1.vm.exemple.com/" type=refreshAndPersist retry="10 30 30 +" searchbase="cn=config" bind method=sasl saslmech=gssapi olcSyncrepl: {1}rid=002 provider="ldap://ldap2.vm.exemple.com/" type=refreshAndPersist retry="10 30 30 +" searchbase="cn=config" bind method=sasl saslmech=gssapi olcMirrorMode: TRUE dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=exemple,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange by dn. read by anonymous auth by * none olcAccess: {1}to dn.subtree="dc=exemple,dc=com" by dn. read by dn="cn=adm-srv,ou=krb5,dc=exemple,dc=com" write by dn="cn=kdc-srv,ou=krb5,dc=exemple,dc=com" read olcAccess: {2}to attrs=loginShell by self write by users read by * none olcAccess: {3}to dn.base="" by * read olcAccess: {4}to * by users read by * none olcLastMod: TRUE olcRootDN: cn=admin,dc=exemple,dc=com olcRootPW: {SSHA}cS3TS9Mo5wFbddEWzcNzx5fKLV7Y3AHX olcSyncrepl: {0}rid=101 provider="ldap://ldap1.vm.exemple.com/" type=refreshAndPersist retry="10 30 30 +" searchbase="dc=exemple,dc=com" bindmethod=sasl saslmech=gssapi olcSyncrepl: {1}rid=102 provider="ldap://ldap2.vm.exemple.com/" type=refreshAndPersist retry="10 30 30 +" searchbase="dc=exemple,dc=com" bindmethod=sasl saslmech=gssapi olcMirrorMode: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: memberUid eq olcDbIndex: uniqueMember eq olcDbIndex: krbPrincipalName eq,pres,sub olcDbIndex: krbPwdPolicyReference eq olcDbIndex: entryCSN eq dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 ================================================= On ldap2.vm you just need to add this line on the "dn: olcDatabase={0}config,cn=config" entry : ================================================= olcSyncrepl: {0}rid=001 provider="ldap://ldap1.vm.exemple.com/" type=refreshAndPersist retry="10 30 30 +" searchbase="cn=config" bind method=sasl saslmech=gssapi ================================================= The syncrepl will perform the replication of your cn=config DIT and, because you have some others olcSyncrepl on ldap1.vm, replicate also the dc=exemple,dc=com DIT. Don't forget the kstart directive in /etc/inittab to get the necessary ticket : KS:2345:respawn:/usr/bin/k5start -U -f /etc/ldap/ldap.keytab -K 10 -l 24h -k /tmp/krb5cc_107 -o openldap where /etc/ldap/ldap.keytab is my keytab file (see /etc/default/slapd) and 107 is the uid for openldap (use getent passwd). Regards, Quentin. |