Hello list,
I have an OpenLDAP provider/consumer installation on two SLES10 systems. One is set up as a provider LDAP, the second is a consumer LDAP using "refreshOnly" syncrepl synchronization. The LDAP provides user information for a Samba installation.
The initial synchronization of the consumer works as expected. All LDAP entries are copied to the consumer directory. But after some time, usually when users log in to the Samba running with the provider LDAP, nearly 50% of all LDAP entries on the consumer are deleted. This happens without any change on the provider LDAP!
Checking the logs, I found that delete messages can be found in the consumer's system log.
I do not understand the source of the problem. No entries in the provider LDAP are deleted, so no entries should be deleted in the consumer.
To check the installation, I set up a second consumer in a VMware environment. And also in this system, which had been set up from scratch and only holds the OpenLDAP consumer, the entries are deleted at the same time when they are deleted in the "real" OpenLDAP consumer system.
When I change an attribute of an entry in the provider LDAP which has been deleted from the consumer by this process, like adding a description, this change is forwarded to the consumer and the entry "reappears" in the LDAP of the consumer.
Any help or suggestion is appreciated.
Thanks in advance,
Joachim Hergeth
The provider's slapd.conf is:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:

## Yast2 samba hack ACL
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=Administrator,dc=master-ldap,dc=gts-systems.de" write
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by * none
## Yast2 samba hack ACL done

access to dn.base=""
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by self write
    by * auth

access to dn.base="cn=Subschema"
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by * read

access to attrs=userPassword,userPKCS12
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by self write
    by * auth

access to attrs=shadowLastChange
    by self write
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by * read

access to *
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by * read
    by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

schemacheck on
idletimeout 30
loglevel 131

backend bdb
database bdb
suffix "dc=master-ldap,dc=gts-systems.de"
rootdn "cn=Administrator,dc=master-ldap,dc=gts-systems.de"
rootpw <some working password>
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000

index objectClass,entryCSN,entryUUID,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 1
---------------------------------------------------------------------------
The consumer's slapd.conf is:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:

access to dn.base=""
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by self write
    by * auth

access to dn.base="cn=Subschema"
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by * read

access to attrs=userPassword,userPKCS12
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by self write
    by * auth

access to attrs=shadowLastChange
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
    by self write
    by * read

access to *
    by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
#   by anonymous auth
    by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

schemacheck on
idletimeout 30
loglevel 15288
# TLSCertificateFile /etc/ssl/servercerts/servercert.pem
# TLSCACertificatePath /etc/ssl/certs/
# TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

database bdb
suffix "dc=master-ldap,dc=gts-systems.de"
rootdn "cn=Administrator,dc=master-ldap,dc=gts-systems.de"
rootpw "<some working password>"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000

index objectClass,uidNumber,gidNumber,entryCSN,entryUUID eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

syncrepl rid=321
    provider=ldap://192.168.1.210:389
    type=refreshOnly
    interval=00:00:00:30
    searchbase="dc=master-ldap,dc=gts-systems.de"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=repladmin,dc=master-ldap,dc=gts-systems.de"
    credentials=<another nice password>
---------------------------------------------------------------------------
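One way to quantify the drift described in the post, as an added example that is not part of the original message or of OpenLDAP: it compares a provider and a consumer slapcat dump by entryUUID (the key syncrepl itself uses) and lists entries that are missing, extra, or carry an older entryCSN on the consumer. The two dumps embedded below are constructed sample data with made-up entryUUID and entryCSN values.

```python
# Added example (not from the original post): measure replication drift
# between a provider and a consumer by diffing two slapcat LDIF dumps.
# Assumes plain LDIF (blank-line separated entries, "attr: value" lines,
# folded lines starting with a space); base64 "attr::" values are not handled.

def parse_ldif(text):
    """Map entryUUID -> {'dn': ..., 'entryCSN': ...} for each LDIF entry."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]      # unfold an LDIF continuation line
            elif not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, sep, value = line.partition(":")
            if sep:                        # keep the first value of each attribute
                attrs.setdefault(name.lower(), value.strip())
        if "entryuuid" in attrs:
            entries[attrs["entryuuid"]] = {"dn": attrs.get("dn"),
                                           "entryCSN": attrs.get("entrycsn")}
    return entries

def replication_drift(provider_ldif, consumer_ldif):
    """Entries missing on the consumer, extra on it, or with a differing CSN."""
    p, c = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    return {
        "missing": sorted(p[u]["dn"] for u in p.keys() - c.keys()),
        "extra": sorted(c[u]["dn"] for u in c.keys() - p.keys()),
        "stale": sorted(p[u]["dn"] for u in p.keys() & c.keys()
                        if p[u]["entryCSN"] != c[u]["entryCSN"]),
    }

# Constructed sample dumps: the consumer lost "bob" and has an older CSN for "alice".
PROVIDER_LDIF = """dn: uid=alice,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 1e1c7a9e-0001-1029-8c1f-000000000001
entryCSN: 20080102090000Z#000003#00#000000

dn: uid=bob,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 1e1c7a9e-0002-1029-8c1f-000000000002
entryCSN: 20080101120000Z#000002#00#000000
"""

CONSUMER_LDIF = """dn: uid=alice,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 1e1c7a9e-0001-1029-8c1f-000000000001
entryCSN: 20080101120000Z#000001#00#000000
"""
```

Run `replication_drift(open("provider.ldif").read(), open("consumer.ldif").read())` on real `slapcat -l` output from both hosts to see exactly which entries the consumer dropped between two refresh intervals.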