Re: Replication account problem

[Vincent Ducot <vincent.ducot@rubycat.eu>]

Hi,

thanks for your answer.

a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)

b) I tested several possibilities but I didn't manage to make it work. Either the problem stayed the same, either the replication didn't work anymore, either I couldn't access to rpuser.

I understand that :

- rpuser should have read/write access to its password (to attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)

- rpuser should have read/write access to all data (to * by dn="uid=rpuser,dc=foo,dc=bar" write)

- other users should have read access to their password (I don't want they could change it by themselves) and anonymous should authenticate (to attrs=userPassword by self read by anonymous auth by * none)

Am I right ?

Regards,

Vincent

Le 08/01/2020 à 19:13, Quanah Gibson-Mount a écrit :

>       
>       
>       --On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot
>       <vincent.ducot@rubycat.eu> wrote:
>       
>       
> >         
> >         Hi all,
> >         
> >          I'm testing multi-master replication between (at least 2)
> >         openldap nodes
> >         
> >         (2.4.45, on Ubuntu 18.04) and facing a problem with replication
> >         account.
> >         
> >       
>       
>       
> > Any idea of what could cause this problem
> >         ?
> >         
> >       
>       
> > # {1}mdb, config
> >         
> >          dn: olcDatabase={1}mdb,cn=config
> >         
> >          objectClass: olcDatabaseConfig
> >         
> >          objectClass: olcMdbConfig
> >         
> >          olcDatabase: {1}mdb
> >         
> >          olcDbDirectory: /var/lib/ldap
> >         
> >          olcSuffix: dc=nodomain
> >         
> >          olcAccess: {0}to attrs=userPassword by self write by anonymous
> >         auth by *
> >         
> >         none
> >         
> >          olcAccess: {1}to attrs=shadowLastChange by self write by * read
> >         
> >          olcAccess: {2}to * by * read
> >         
> >       
>       
> > # {2}mdb, config
> >         
> >          dn: olcDatabase={2}mdb,cn=config
> >         
> >          objectClass: olcDatabaseConfig
> >         
> >          objectClass: olcMdbConfig
> >         
> >          olcDatabase: {2}mdb
> >         
> >          olcDbDirectory: /var/lab/ldap
> >         
> >          olcSuffix: dc=foo,dc=bar
> >         
> >          olcAccess: {0}to attrs=userPassword by self =xw by anonymous
> >         auth by *
> >         
> >         none
> >         
> >          olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self
> >         write by
> >         
> >         user
> >         
> >           s read by * none
> >         
> >          olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
> >         
> >          olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write
> >         
> >       
>       
>       
>       I see multiple problems with your configuration.
>       
>       
>       a) You have two different databases storing their DBs in the same
>       location (/var/lib/ldap).  I can't even imagine the havoc and
>       destruction that would cause.
>       
>       
>       b) Your ACLs are broken.  The "rpuser" account has no ability to
>       replicate userPassword, since it can't read it.  Also, ACLs #2 and
>       #3 here will never be evaluated, since it's already covered in
>       ACL#1 (by users read).  Since it can't replicate userPassword,
>       that value is getting lost from server#2, explaining why you can't
>       bind to it after replication starts.
>       
>       
>       Regards,
>       
>       Quanah
>       
>       
>       
>       --
>       
>       
>       Quanah Gibson-Mount
>       
>       Product Architect
>       
>       Symas Corporation
>       
>       Packaged, certified, and supported LDAP solutions powered by
>       OpenLDAP:
>       
>       <http://www.symas.com>
>       
>