https://bugs.openldap.org/show_bug.cgi?id=9772
--- Comment #15 from stefan(a)kania-online.de ---
Here is the content of "dn: olcDatabase={2}mdb,cn=config" from ldap01, the server
where I made the changes:
-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by dn.exact="krbPrincipalName=K/M@EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by dn.exact="uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="uid=kadmin,ou=kerberos-adm,dc=example,dc=net" write by * read
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------
And here is the content of "dn: olcDatabase={2}mdb,cn=config" from one of the
other LDAP servers:
-----------
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/symas/openldap-data
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=101 provider=ldap://ldap01.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {1}rid=102 provider=ldap://ldap02.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {2}rid=103 provider=ldap://ldap03.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcSyncrepl: {3}rid=104 provider=ldap://ldap04.example.net bindmethod=simple timeout=0 network-timeout=0 binddn=uid=repl-user,ou=users,dc=example,dc=net credentials=secret filter="(objectclass=*)" searchbase="dc=example,dc=net" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" logbase=cn=accesslog scope=sub schemachecking=off type=refreshAndPersist retry="60 +" syncdata=accesslog keepalive=240:10:30 starttls=yes tls_reqcert=allow
olcTimeLimit: unlimited
olcMultiProvider: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
-----------
I made a diff of both, and only the changed ACL is listed:
-----------------
diff config-ldap01.txt config-ldap02.txt
7,14c7,10
< olcAccess: {0}to * by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
< l,cn=auth" manage by
dn.exact="gidNumber=1111+uidNumber=1111,cn=peercred,cn=e
< xternal,cn=auth" manage by
dn.exact="uid=ldap-admin,ou=users,dc=example,dc=ne
< t" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read
by
dn.ex
< act="uid=sssd-user,cn=gssapi,cn=auth" read by
dn.exact="krbPrincipalName=K/M@
< EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net" write by
dn.exact="
< uid=kdc,ou=kerberos-adm,dc=example,dc=net" write by
dn.exact="uid=kadmin,ou=k
< erberos-adm,dc=example,dc=net" write by * read
---
olcAccess: {0} to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=ex
ternal,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net w
rite by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
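Review bot: rule {0} differs in its terminal clause, not only in the added sssd/Kerberos entries: the ldap01 side ends `by * read`, the other server's side ends `by * break`. With `break` a bind that matched none of the earlier `by` clauses falls through to rules {1} to {3}, whereas with `read` every other identity gets read access to the whole tree, so as long as the change has not been replicated the effective access control is different on each provider. It would help the report to state explicitly which of the two terminal clauses is the intended end state, since the diff alone cannot show whether the `break` to `read` change was deliberate or a side effect of re-entering the rule.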
-----------------
Again, I'm setting up my four LDAP servers via Ansible.
The first step, after installing the Symas packages (on Debian 11), is adding
the config from the file "config.ldif" (see attachment).
The next step is configuring the certificates for TLS via Ansible tasks with
the Ansible module "ldap_attr".
Then I create the initial objects on the first LDAP server (ldap01) via the
Ansible module ldap_entry.
Then I configure the delta-syncrepl of the main DB via Ansible with
"main-db-repl.ldif" (see attachment) on all four servers.
Then I configure the replication of cn=config on all four servers with
"repl_config.ldif" (see attachment).
And that's how I set up all the servers with my Ansible role.
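As an added example (not code from the bug report or from OpenLDAP), the following script unwraps LDIF continuation lines and compares the olcAccess rules of two providers modulo the {n} ordering prefix and DN quoting, so that divergence like the one in the diff above shows up as a per-rule report instead of a wall of wrapped text. The LDAP01/LDAP02 samples are constructed from the ACLs shown above, and the function names (parse_ldif_entry, normalize_access, access_drift, compare_providers) are chosen here.

```python
import re

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, joining continuation lines."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]  # LDIF continuation: exactly one leading space is dropped
        elif line.strip():
            logical.append(line)
    entry = {}
    for line in logical:  # base64 ("::") values are not decoded; none occur in these dumps
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def normalize_access(value):
    """Canonical olcAccess text: drop the {n} ordering prefix, DN quotes and extra blanks."""
    return " ".join(re.sub(r"^\{\d+\}\s*", "", value).replace('"', "").split())

def terminal_clause(value):
    """The last 'by <who> <access>' clause of a rule, e.g. '* read' or '* break'."""
    return normalize_access(value).split(" by ")[-1]

def access_drift(ref, other):
    """olcAccess rules of ref that have no equivalent (modulo quoting/index) on other."""
    have = {normalize_access(v) for v in other.get("olcAccess", [])}
    return [v for v in ref.get("olcAccess", []) if normalize_access(v) not in have]

def compare_providers(ref_text, other_text):
    """Drift report between the provider that was modified and one of its peers."""
    ref, other = parse_ldif_entry(ref_text), parse_ldif_entry(other_text)
    fmt = "{} on peer: {}... (ends 'by {}')"
    report = [fmt.format("missing", r[:30], terminal_clause(r)) for r in access_drift(ref, other)]
    report += [fmt.format("extra", r[:30], terminal_clause(r)) for r in access_drift(other, ref)]
    return report

# Constructed samples modelled on the two dumps above (ACL rules only, LDIF-wrapped at 78 cols).
LDAP01 = """dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" wri
 te by dn.exact="uid=sssd-user,cn=gssapi,cn=auth" read by * read
olcAccess: {1}to dn.exact="" by * read
"""
LDAP02 = """dn: olcDatabase={2}mdb,cn=config
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net wr
 ite by * break
olcAccess: {1}to dn.exact="" by * read
"""
```

Calling compare_providers(LDAP01, LDAP02) reports rule {0} as missing on the peer (ending 'by * read') and the peer's own rule {0} as extra (ending 'by * break'), while the identical rule {1} is not reported.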