Re: Replication account problem
- To: Vincent Ducot <vincent.ducot@rubycat.eu>, openldap-technical@openldap.org
- Subject: Re: Replication account problem
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Wed, 08 Jan 2020 10:13:04 -0800
- In-reply-to: <f0329178-d3c7-e121-a39b-f525d5814dd3@rubycat.eu>
- References: <f0329178-d3c7-e121-a39b-f525d5814dd3@rubycat.eu>
--On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot
<vincent.ducot@rubycat.eu> wrote:
Hi all,
I'm testing multi-master replication between (at least 2) openldap nodes
(2.4.45, on Ubuntu 18.04) and facing a problem with the replication account.
Any idea what could cause this problem?
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lab/ldap
olcSuffix: dc=foo,dc=bar
olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write
I see multiple problems with your configuration.
a) You have two different databases storing their DBs in the same location
(/var/lib/ldap). I can't even imagine the havoc and destruction that would
cause.
b) Your ACLs are broken. The "rpuser" account has no ability to replicate
userPassword, since it can't read it. Also, ACLs #2 and #3 here will never
be evaluated, since it's already covered in ACL #1 (by users read). Since
it can't replicate userPassword, that value is getting lost from server #2,
explaining why you can't bind to it after replication starts.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
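The two fixes Quanah describes, written out as an added example for the {2}mdb database (this is not from the thread or from any OpenLDAP distribution file). The suffix dc=foo,dc=bar, the admin DN and the account uid=rpuser,dc=foo,dc=bar are taken from the original post; the directory /var/lib/ldap-foo is an assumed, distinct path that must already exist and be owned by the slapd user. The ACL ordering is the point: slapd picks the first "to" clause whose target matches and then the first matching "by" clause, so a replicator that only appears after "by * none" is never reached. Putting the replicator in its own first clause with "by * break" grants it read on every target (userPassword and the entry/children pseudo-attributes included) while sending every other identity on to the normal clauses.

```ldif
# Added example: rewrite the {2}mdb ACLs so the replication identity is
# matched first, and give that database its own directory.
# Apply on every node of the multi-master cluster (cn=config is local to
# each server) with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-rpuser-acls.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcDbDirectory
# Assumed path; /var/lib/ldap stays with {1}mdb.
olcDbDirectory: /var/lib/ldap-foo
-
replace: olcAccess
# {0}: replicator first. "to *" also matches userPassword, so a syncrepl
# refresh sees every attribute. "by * break" stops evaluating this
# clause for anyone else and continues with {1}, {2}, instead of the
# implicit deny that ends a clause with no matching "by".
olcAccess: {0}to * by dn.exact="uid=rpuser,dc=foo,dc=bar" read by * break
# {1}: the owner may bind with and change the password but not read the
# hash (=xw), anonymous may only use it to bind, everyone else gets nothing.
olcAccess: {1}to attrs=userPassword by self =xw by anonymous auth by * none
# {2}: everything else. The replicator never gets here; {0} already
# granted it read and stopped.
olcAccess: {2}to * by dn.exact="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
-
replace: olcLimits
# A full refresh reads the whole subtree; lift the default size and time
# limits for the replicator only, not for ordinary users.
olcLimits: {0}dn.exact="uid=rpuser,dc=foo,dc=bar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
```

To check the result without a running server, evaluate the ACLs offline with slapacl against the config directory, using the DN of an existing user entry as the target (the DN below is a constructed placeholder): `slapacl -F /etc/ldap/slapd.d -D "uid=rpuser,dc=foo,dc=bar" -b "uid=someone,dc=foo,dc=bar" userPassword/read` should report that read access is ALLOWED, and the same command with `-D "uid=someone,dc=foo,dc=bar"` against another user's entry should report DENIED. Once slapd is running, an `ldapsearch -D uid=rpuser,dc=foo,dc=bar -W -b dc=foo,dc=bar userPassword` must return userPassword values; if it does not, the consumer will silently replicate entries without them, which is the symptom in the thread.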