Re: cn=config replication stops after adding olcAccess entries
- To: Jan Hugo Prins <jhp@jhprins.org>, openldap-technical@openldap.org
- Subject: Re: cn=config replication stops after adding olcAccess entries
- From: Quanah Gibson-Mount <quanah@symas.com>
- Date: Tue, 28 Jan 2020 13:10:19 -0800
- In-reply-to: <b8808541-d4a5-0aea-2e7e-8ce14c381bca@jhprins.org>
- References: <7a1e7cdd-cfe6-8ab5-f5de-d63a31f3a992@jhprins.org> <CD434FCACABD0E29159EED94@[192.168.1.144]> <b8808541-d4a5-0aea-2e7e-8ce14c381bca@jhprins.org>
--On Tuesday, January 28, 2020 2:43 PM +0100 Jan Hugo Prins
<jhp@jhprins.org> wrote:
Hello Quanah,
Your domain ACLs should be contained within the domain database
section, not in the global configuration section.
Within: dn: olcDatabase={1}mdb,cn=config ?
Changes this.
Correct, assuming that's the domain related database.
Something else I see, when I use jxplorer to look at the content of a
server using the cn=config credentials I would expect to see all values
including the empty values. On a server without olcAccess lines I see
this, but when there are olcAccess lines I only see the configured
values. All unset values are not visible.
I have no idea what this statement means. All values of what? What's
an empty/unset value mean?
Ok, let me give you a quick example:
Normally I would expect to see something like this for all my tables in
my cn=config tree:
But when I had the olcAccess lines in the frontend tree I didn't see all
the entries in the bottom.
I could only see the entries with a value.
JxPlorer appears to be reading the schema for cn=config, and showing you
all possible attributes and any values if they have one set. Your
expectations for your cn=config tree via ldapsearch are incorrect. I
personally avoid UIs since they add additional data that can make
troubleshooting difficult.
Finally, with OpenLDAP 2.4, YMMV with cn=config replication as there
are missing rules necessary for it to work correctly. This has been
fixed for OpenLDAP 2.5. Unless you really need to replicate
cn=config, I advise against it.
Ok, but the 2.5 tree is currently a development tree as far as I can see
and nothing close to production ready. Or am I missing something there?
Unfortunately, no. Although we're working on a first alpha for 2.5.
cn=config replication is generally considered experimental in 2.4 and there
are known fixes for it for 2.5 as discussed.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
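
The placement advice in the message above (domain ACLs belong on the domain database entry, not on the frontend or global entry) can be checked against a `slapcat -n0` dump. The following is an added example, not code from the thread or from the OpenLDAP project. The sample LDIF, the `dc=example,dc=com` suffix and the function names are assumptions, and the parser ignores base64-encoded (`attr::`) values.

```python
import re

# Constructed sample of `slapcat -n0` output (not from the thread): a domain
# ACL sits on the frontend database instead of on olcDatabase={1}mdb.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  by self write by * read
olcAccess: {1}to dn.base="" by * read

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
"""

def parse_entries(ldif):
    """Return [(dn, {attr: [values]})] after unfolding LDIF continuation lines."""
    text = re.sub(r"\n ", "", ldif)  # a line starting with a space continues the previous one
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries

def misplaced_acls(ldif):
    """Return (dn, rule, suffix) for each ACL held outside the database owning its target."""
    entries = parse_entries(ldif)
    owners = {s.lower(): dn for dn, a in entries for s in a.get("olcsuffix", [])}
    findings = []
    for dn, attrs in entries:
        for rule in attrs.get("olcaccess", []):
            m = re.search(r'\bto\s+dn(?:\.\w+)?="([^"]+)"', rule)
            target = m.group(1).lower() if m else None
            for suffix, owner in owners.items():
                if target and owner != dn and (target == suffix or target.endswith("," + suffix)):
                    findings.append((dn, rule, suffix))
    return findings

if __name__ == "__main__":
    for dn, rule, suffix in misplaced_acls(SAMPLE_LDIF):
        print(f"{dn}: rule targets {suffix}, move it to that database:\n  {rule}")
```

Rules without a quoted `dn` target, such as `to attrs=...` or `to dn.base=""`, are not flagged.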