[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replication account problem

To: Quanah Gibson-Mount <quanah@symas.com>, <openldap-technical@openldap.org>
Subject: Re: Replication account problem
From: Vincent Ducot <vincent.ducot@rubycat.eu>
Date: Mon, 13 Jan 2020 16:53:22 +0100
Content-language: en-US
In-reply-to: <4153400F98CD378339769248@[192.168.1.144]>
References: <f0329178-d3c7-e121-a39b-f525d5814dd3@rubycat.eu> <21AF0BBF8D8F200B382C85B6@[192.168.1.144]> <6f97400f-404e-ebed-00a5-6de166af96e5@rubycat.eu> <4153400F98CD378339769248@[192.168.1.144]>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2

Hi,

yes, I understand the processing order. So something like this should work, right ?

olcAccess: to attrs=userPassword by anonymous auth
olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
olcAccess: to attrs=userPassword by self write by * none
olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none

Actually, after an object is replicated, rpuser is deleted (and also other objects of the same tree). Any idea why ?

In the log I get :

Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "dc=foo,dc=bar" "children" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access to "uid=rpuser,dc=foo,dc=bar" "entry" requested
Jan 13 16:26:33 node5 slapd[9976]: <= root access granted
Jan 13 16:26:33 node5 slapd[9976]: => access_allowed: delete access granted by manage(=mwrscxd)
Jan 13 16:26:33 node5 slapd[9976]: => index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" )
Jan 13 16:26:33 node5 slapd[9976]: <= index_entry_del( 7, "uid=rpuser,dc=foo,dc=bar" ) success
Jan 13 16:26:33 node5 slapd[9976]: mdb_delete: deleted id=00000007 dn="uid=rpuser,dc=foo,dc=bar"

Thanks

Le 10/01/2020 à 23:27, Quanah Gibson-Mount a écrit :

--On Friday, January 10, 2020 5:48 PM +0100 Vincent Ducot <vincent.ducot@rubycat.eu> wrote:

a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)

Ah, missed that.

b) I tested several possibilities but I didn't manage to make it work.
Either the problem stayed the same, either the replication didn't work
anymore, either I couldn't access to rpuser.

I understand that :

- rpuser should have read/write access to its password (to
attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)

- rpuser should have read/write access to all data (to * by
dn="uid=rpuser,dc=foo,dc=bar" write)

Sure, but ACLs stop processing on the first matching rule. Please review the slapd.access(5) man page. Your ACLsforthe rpuser are never evaluated since prior rules prevent them being reached.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Replication account problem
  - From: Quanah Gibson-Mount <quanah@symas.com>

References:
- Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>
- Re: Replication account problem
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>
- Re: Replication account problem
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Antw: Re: Replication of olcAccess
Next by Date: Re: Replication of olcAccess
Index(es):
- Chronological
- Thread