replicating cn=config generates LDAP_NOT_ALLOWED_ON_RDN

[Chris Cook <ccook@pandora.com>]

Openldap 2.4.31

I create my read-only ldap hosts with a stub config that contains a syncrepl statement:

olcSyncrepl: {0}rid=001 provider=ldaps://ldap.savagebeast.com binddn="cn=

 admin,cn=config,cn=slave" bindmethod=simple credentials=$PW searchbase="cn=

 config,cn=slave" type=refreshAndPersist retry="60 +" timeout=3 suffixmassage=

 "cn=config" schemachecking=off

That on first run with a –c ‘rid=001’ flag syncs the rest of the configs and associated databases from the primary servers. Leaving the config database as:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.

# CRC32 3c65cc7d

dn: olcDatabase={0}config

objectClass: olcDatabaseConfig

olcDatabase: {0}config

olcRootDN: cn=admin,cn=config

olcUpdateRef: ldaps://ldap.savagebeast.com

structuralObjectClass: olcDatabaseConfig

entryUUID: fee78e38-2723-1030-8342-0d5a80dcc32a

creatorsName: cn=admin,cn=config

createTimestamp: 20110609203711Z

olcRootPW:: x==

olcSyncrepl: {0}rid=001 provider=ldaps://guess-who.savagebeast.com binddn="cn=

 admin,cn=config,cn=slave" bindmethod=simple credentials=x searchbase

 ="cn=config,cn=slave" schemachecking=off type=refreshAndPersist retry="60 +"

 timeout=3 suffixmassage="cn=config"

entryCSN: 20151119013205.450738Z#000000#000#000000

modifiersName: cn=admin,dc=savagebeast,dc=com

modifyTimestamp: 20151119013205Z

This works great for the first run, but subsequent changes to the cn=config,cn=slave entries on the primary servers generate a replication error on the downstream hosts.

564fc719 syncrepl_entry: rid=001 be_search (0)

564fc719 syncrepl_entry: rid=001 olcDatabase={2}hdb,cn=config

564fc719 <= acl_access_allowed: granted to database root

564fc719 send_ldap_result: conn=-1 op=0 p=3

564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"

564fc719 null_callback : error code 0x43

564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)

564fc719 syncrepl_entry: rid=001 be_modify failed (67)

Which is LDAP_NOT_ALLOWED_ON_RDN.

The only change to be synced was the addition of an olcDbIndex to one of the databases.

The suffix massage seems to still be in place:

564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5

564fc719 ==> rewrite_context_apply [depth=1] string='olcDatabase={2}hdb,cn=config,cn=slave'

564fc719 ==> rewrite_rule_apply rule='(.*)cn=config,cn=slave$' string='olcDatabase={2}hdb,cn=config,cn=slave' [1 pass(es)]

564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}

564fc719 >>> dnPrettyNormal: <olcDatabase={2}hdb,cn=config>

Any pointers on how to troubleshoot why this error is called?