Re: cn=config replication stops after adding olcAccess entries





--On Tuesday, January 28, 2020 2:43 PM +0100 Jan Hugo Prins <jhp@jhprins.org> wrote:

Hello Quanah,

Your domain ACLs should be contained within the domain database
section, not in the global configuration section.


Within: dn: olcDatabase={1}mdb,cn=config  ?
Changes this.

Correct, assuming that's the domain related database.


Something else I see, when I use jxplorer to look at the content of a
server using the cn=config credentials I would expect to see all values
including the empty values. On a server without olcAccess lines I see
this, but when there are olcAccess lines I only see the configured
values. All unset values are not visible.

I have no idea what this statement means.  All values of what?  What's
an empty/unset value mean?

Ok, let me give you a quick example:
Normally I would expect to see something like this for all my tables in
my cn=config tree:



But when I had the olcAccess lines in the frontend tree I didn't see all
the entries in the bottom.
I could only see the entries with a value.

JxPlorer appears to be reading the schema for cn=config, and showing you all possible attributes and any values if they have one set. Your expectations for your cn=config tree via ldapsearch are incorrect. I personally avoid UIs since they add additional data that can make troubleshooting difficult.

Finally, with OpenLDAP 2.4, YMMV with cn=config replication as there
are missing rules necessary for it to work correctly.  This has been
fixed for OpenLDAP 2.5.  Unless you really need to replicate
cn=config, I advise against it.

Ok, but the 2.5 tree is currently development tree as far as I can see
and nothing close to production ready. Or am I missing something there?

Unfortunately, no. Although we're working on a first alpha for 2.5. cn=config replication is generally considered experimental in 2.4 and there are known fixes for it for 2.5 as discussed.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
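
The placement advice in this thread (domain ACLs belong on the database that serves the domain, not on the frontend or global entries) can be checked mechanically against a cn=config export. The following is an added example, not code from the thread or from the OpenLDAP project; the sample LDIF is constructed, the function names are hypothetical, and only literal `to dn[.style]="..."` targets are matched.

```python
import re
# Constructed cn=config export (slapcat -n0 style); values are not from the thread.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com" by self write
  by * read
olcAccess: {1}to dn.base="" by * read

dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
"""

TARGET = re.compile(r'^(?:\{\d+\})?to\s+dn(?:\.\w+)?="([^"]*)"', re.I)

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folded line: drop the one leading space
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        elif attrs:
            entries.append((attrs.get("dn", [""])[0], attrs))
            attrs = {}
    return entries

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def misplaced_domain_acls(text):
    """List (holder_dn, acl, owning_db_dn) for ACLs whose literal DN target falls
    under an olcSuffix served by a different database entry (regex targets ignored)."""
    entries = parse_ldif(text)
    suffixes = [(norm(s), dn) for dn, a in entries for s in a.get("olcSuffix", [])]
    found = []
    for dn, a in entries:
        for acl in a.get("olcAccess", []):
            m = TARGET.match(acl)
            target = norm(m.group(1)) if m else ""
            for suffix, db_dn in suffixes:
                if target and db_dn != dn and (target == suffix or target.endswith("," + suffix)):
                    found.append((dn, acl, db_dn))
    return found
```

Each finding names the entry currently holding the ACL and the database entry whose suffix covers the ACL's target, which is where the rule would be moved.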