Re: Replication account problem
--On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:


Hi all,
 I'm testing multi-master replication between (at least 2) openldap nodes
(2.4.45, on Ubuntu 18.04) and facing a problem with the replication account.

Any idea what could cause this problem?

# {1}mdb, config
 dn: olcDatabase={1}mdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: {1}mdb
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=nodomain
 olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
 olcAccess: {1}to attrs=shadowLastChange by self write by * read
 olcAccess: {2}to * by * read

# {2}mdb, config
 dn: olcDatabase={2}mdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: {2}mdb
 olcDbDirectory: /var/lab/ldap
 olcSuffix: dc=foo,dc=bar
 olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * none
 olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
 olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
 olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write


I see multiple problems with your configuration.

a) You have two different databases storing their DBs in the same location (/var/lib/ldap). I can't even imagine the havoc and destruction that would cause.

b) Your ACLs are broken. The "rpuser" account has no ability to replicate userPassword, since it can't read it. Also, ACLs #2 and #3 here will never be evaluated, since it's already covered in ACL #1 (by users read). Since it can't replicate userPassword, that value is getting lost from server #2, explaining why you can't bind to it after replication starts.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
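For readers following point (b), here is one way the {2}mdb ACLs can be rewritten so the replication identity can read every attribute, userPassword included, without any later rule being shadowed. This is an added example, not something from the thread; it assumes uid=rpuser,dc=foo,dc=bar is the syncrepl binddn the consumers use and keeps the thread's other identities as they are.

```ldif
# Added example: replace the {2}mdb ACL set with one where the
# replicator is decided first and everyone else falls through.
# Assumption: uid=rpuser,dc=foo,dc=bar is the consumers' syncrepl binddn.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: the replicator gets read on all entries and all attributes.
# "by * break" sends every other identity on to the rules below
# instead of stopping here, so this single rule shadows nothing.
olcAccess: {0}to *
  by dn.exact="uid=rpuser,dc=foo,dc=bar" read
  by * break
# {1}: password handling for ordinary clients, as in the original.
olcAccess: {1}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# {2}: general rule. The old {2}/{3} rpuser rules are dropped: {0}
# already answered for rpuser, so no request could ever reach them.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=foo,dc=bar" write
  by self write
  by users read
  by * none
```

Apply it with ldapmodify against cn=config (for example over ldapi:/// with SASL EXTERNAL as root), then verify by binding as rpuser and searching for userPassword on a test entry; the value should now come back. Point (a), giving {2}mdb its own olcDbDirectory, is a separate change not shown here.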