
Acl on a replicated tree: unable to bind as user



Hi all,

I've got a master / slave replica setup. I did use this tutorial to set
up the replica:

https://wiki.debian.org/LDAP/OpenLDAPSetup

My ldap tree is something like: Root -> o=(first level local branch),
o=(first level replicated branch).

The local branch is just a cut and paste of the replicated branch.

On the slave server I can use the replicated branch to authenticate
against a Radius server.

On the master server I realized I cannot let web users authenticate
against the replicated branch.

If I try to bind as a user from the replicated branch, on both the
master and the slave, I get:

ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W

Enter LDAP Password:
ldap_bind: Invalid credentials (49)

On the master, on the local branch, I get:

ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W

Enter LDAP Password:
dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is


I did try to configure the ACL on the server to disallow anonymous bind.

And, once I found this problem, I did try to create a bind user
(uid=read_only) able to read the replicated branch, userPassword
attributes included.

Unfortunately this did not solve the problem.

My ACLs on the master are:

dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=who,dc=is
olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou
 =binds,dc=who,dc=is" read
olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,
 ou=binds,dc=who,dc=is" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read


I'm quite new to this kind of setup; is this something to be expected?
Is there a way to bind directly on the replicated branch?

Regards,
Giuseppe
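Added note and example (not part of the original post): slapd evaluates olcAccess clauses in order, and the first "to" clause whose target matches the entry and attribute being accessed decides the outcome; the "by" list of that clause is then scanned for the first match, and if none matches the implicit "by * none" applies. Later clauses for the same target are never consulted. In the ACL posted above, clause {0} matches every attribute of every entry under o=isiline,dc=who,dc=is, including userPassword, so an anonymous simple bind against an entry there is decided by {0}, where only uid=read_only matches and anonymous gets no access at all. The "by anonymous auth" grant in {2} is never reached for that subtree, which is why the bind fails with "Invalid credentials (49)", and clause {1} is unreachable for the same reason. The local o=area51 branch is not covered by {0} or {1}, so it falls through to {2} and binds work. The fix is to put the attribute-specific userPassword rule before the subtree rules. The LDIF below is an added example, assuming the database DN is olcDatabase={1}mdb,cn=config and the bind DNs shown in the post; lines starting with two spaces are LDIF continuation lines (the first space is stripped, the second keeps the words separated).

```ldif
# Added example, not from the original post or the Debian wiki.
# Assumes olcDatabase={1}mdb lives under cn=config and the DNs used above.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password rule first: it must win for userPassword in every subtree.
# The syncrepl consumer (isi_replica) needs read on userPassword or the
# hashes are never replicated and binds on the slave cannot succeed.
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="uid=isi_replica,ou=binds,dc=who,dc=is" read
  by anonymous auth
  by * none
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * read
# The two subtree clauses collapse into one; a second clause for the
# same target would never be evaluated. Anyone else gets the implicit
# "by * none" here, so a web application that searches for the user
# entry before binding must search as uid=read_only.
olcAccess: {2}to dn.subtree="o=isiline,dc=who,dc=is"
  by dn.exact="uid=read_only,ou=binds,dc=who,dc=is" read
  by dn.exact="uid=isi_replica,ou=binds,dc=who,dc=is" read
  by * none
olcAccess: {3}to *
  by users read
```

Apply it on the master with `ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif` and re-run the failing `ldapwhoami` as the isiline user; the same ordering has to be present in the consumer's own olcAccess, since cn=config is not replicated by the database-level syncrepl set up in the tutorial. The example deliberately does not give uid=read_only read access to userPassword: an account that only needs to locate entries does not need the password hashes, and keeping hashes limited to the replication identity and the user themself is the least-privilege choice.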