On Thu, Apr 15, 2010 at 01:18:13PM -0700, Tim Gustafson wrote:
> access to * by dn="uid=replicator,ou=People,dc=bar" read by * break
I assume you are using syncrepl here.
It would be worth checking that the replication process really does bind as that DN. If it does, then all later access clauses are irrelevant.
> When replication is *not* working in this set-up, re-starting slapd on 10.0.0.3 and 10.0.0.4 (without changing any ACLs anywhere) causes them to suck down all the updates they missed before.
> Am I misunderstanding the way these ACLs work? Is there any way that giving READ access to the web server (which it already has by virtue of the user having bound themselves to the LDAP server) should cause replication for 10.0.0.3 and 10.0.0.4 to work again? Or is this perhaps a bug in the version of slapd (2.3.43; yes, I know it's old; it's a vendor package and that's how we roll around here at the moment) that we're running?
This does not sound like an ACL problem to me. I would suggest setting up a test environment with the latest 2.4.x release to see what happens.
Andrew
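The check Andrew suggests (that the consumers really bind as the DN the provider ACL names) can be made concrete with the configuration below. This is an added example, not configuration from the thread: the replicator DN, suffix and consumer addresses come from the thread, while PROVIDER_HOST, the slapd.conf path, the rid values and the credential are placeholders.

```conf
# Added example (not from the thread). Provider ACL and consumer syncrepl
# stanza must name the same DN; slapacl verifies what that DN is granted.

### provider slapd.conf (the server 10.0.0.3 and 10.0.0.4 pull from)
# The first matching <by> clause decides. A bind as the replicator DN gets
# read on every entry and attribute, including the operational attributes
# syncrepl relies on (entryCSN, entryUUID, contextCSN), and no later
# "access to" clause is consulted for that identity. Every other identity
# falls through ("break") to the clauses that follow this one.
# dn.exact is written out so the match style is unambiguous.
access to *
        by dn.exact="uid=replicator,ou=People,dc=bar" read
        by * break

# Log the sync protocol so the provider log shows which identity each
# consumer session is bound as.
loglevel sync

### consumer slapd.conf on 10.0.0.3 (use a different rid on 10.0.0.4)
# binddn must match the provider ACL DN exactly. A mistyped DN, or an
# anonymous bind because credentials are missing, is evaluated under
# "by * break" and whatever clauses follow, not under the replicator rule.
syncrepl rid=003
        provider=ldap://PROVIDER_HOST
        type=refreshAndPersist
        searchbase="dc=bar"
        bindmethod=simple
        binddn="uid=replicator,ou=People,dc=bar"
        credentials=REPLACE_ME

### offline ACL check on the provider, as the user slapd runs as:
#   slapacl -f /etc/openldap/slapd.conf \
#           -D "uid=replicator,ou=People,dc=bar" \
#           -b "dc=bar" entry/read entryCSN/read contextCSN/read
# slapacl evaluates the configured ACLs for that authcDN against the
# suffix entry and reports each requested access as ALLOWED or DENIED.
# DENIED here points at the ACLs; ALLOWED with replication still stalled
# points elsewhere, which is the direction Andrew's reply takes.
```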