I have tried to review all possible documentation and read through all mailing list archives relevant to this problem. My apologies if this has been covered before and I have missed it.
No matter what kind of change I make I continue to get err=19 when I try to replicate.
May 17 23:25:35 ldap2 slapd[3097]: conn=1 op=8 MOD attr=description entryCSN modifiersName modifyTimestamp
May 17 23:25:35 ldap2 slapd[3097]: conn=1 op=8 RESULT tag=103 err=19 text=entryCSN: no user modification allowed
I am running Fedora Core 5 with ldap version openldap-servers-2.3.30-2.fc5 on both the master and slave.
I currently am using the rootdn simply because there shouldn't be any restrictions on that user. I was using a different user previously with the exact same results. Both systems have an exact copy of the same LDAP db.
Here is my master LDAP slapd.conf file.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/officeperson.schema
include /etc/openldap/schema/RADIUS-LDAPv3.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/ldap.intelligraphics.com-crt.crt
TLSCertificateKeyFile /etc/pki/tls/certs/ldap.intelligraphics.com-key.pem

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attrs=uid
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by * read
access to attrs=mail,homeemail,telephonenumber,homephone,mobile,ipphone,facsimiletelephonenumber,postaladdress,l,st,postalcode,c,comment,description
        by group="cn=phoneadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read
access to attrs=o
        by group="cn=phoneadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read
access to *
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read

database bdb
suffix "dc=intelligraphics,dc=com"
rootdn "cn=Manager,dc=intelligraphics,dc=com"
rootpw password
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

replogfile /var/lib/ldap/openldap-master-replog
replica uri=ldap://ldap2.intelligraphics.com
        binddn="cn=Manager,dc=intelligraphics,dc=com"
        bindmethod=simple
        credentials=password
Here is my slave LDAP slapd.conf file.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/officeperson.schema
include /etc/openldap/schema/RADIUS-LDAPv3.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/openvpn.intelligraphics.com-cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/openvpn.intelligraphics.com-key.pem

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attrs=uid
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by * read
access to attrs=mail,homeemail,telephonenumber,homephone,mobile,ipphone,facsimiletelephonenumber,postaladdress,l,st,postalcode,c,comment,description
        by group="cn=phoneadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read
access to attrs=o
        by group="cn=phoneadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read
access to *
        by group="cn=ldapadmins,ou=Groups,dc=intelligraphics,dc=com" write
        by self write
        by * read

database bdb
suffix "dc=intelligraphics,dc=com"
rootdn "cn=Manager,dc=intelligraphics,dc=com"
rootpw password
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

updatedn="cn=Manager,dc=intelligraphics,dc=com"
updateref="ldap://ldap.intelligraphics.com"
Does anyone have any ideas on what to try?
David Browning
david.browning@intelligraphics.com
On Thu, 17 May 2007, David Browning wrote:
> replica uri=ldap://ldap2.intelligraphics.com binddn="cn=Manager,dc=intelligraphics,dc=com" bindmethod=simple credentials=password
I'd say this is your problem; you are using the rootDN for the replication. Use another one instead.
Also, you might want to look at SyncRepl instead of SLURPD.
Dave Horsfall wrote:
> On Thu, 17 May 2007, David Browning wrote:
>> replica uri=ldap://ldap2.intelligraphics.com binddn="cn=Manager,dc=intelligraphics,dc=com" bindmethod=simple credentials=password
> I'd say this is your problem; you are using the rootDN for the replication. Use another one instead.

No, that's not the problem.

> Also, you might want to look at SyncRepl instead of SLURPD.

That's good advice anyway.

The real problem is here on the slave config:

    updatedn="cn=Manager,dc=intelligraphics,dc=com"
    updateref="ldap://ldap.intelligraphics.com"

slapd.conf directives don't use "=" equal signs.
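A small checker for exactly this mistake, added here as an example and not code from the thread or from OpenLDAP: it flags top-level directives written in the replica-style name=value form, rewrites them, and then checks that the master's replica binddn is the DN the slave's updatedn actually names, since slurpd's push is only treated as replication when those two agree. The sample configs are constructed from the excerpts above.

```python
import re

# updatedn and updateref are top-level directives taking a bare argument
# (updatedn "<dn>"); key=value syntax belongs only to the arguments of
# "replica". As updatedn="<dn>" the whole token is one unknown directive.
BARE_ARG_DIRECTIVES = ("updatedn", "updateref")
_BAD = re.compile(r'(?<!\S)(%s)=("[^"]*"|\S+)' % "|".join(BARE_ARG_DIRECTIVES), re.I)
_DIRECTIVE = re.compile(r'^\s*(\S+)\s+(.*)$')

# Constructed samples, trimmed from the master and slave configs in the thread.
MASTER_CONF = ('database bdb\nreplica uri=ldap://ldap2.intelligraphics.com '
               'binddn="cn=Manager,dc=intelligraphics,dc=com" '
               'bindmethod=simple credentials=password\n')
SLAVE_CONF = ('database bdb\nrootdn "cn=Manager,dc=intelligraphics,dc=com"\n'
              'updatedn="cn=Manager,dc=intelligraphics,dc=com" '
              'updateref="ldap://ldap.intelligraphics.com"\n')

def lint_slapd_conf(text):
    """Return (problems, fixed_text): problems is [(lineno, directive, fix)],
    fixed_text has each bad name=value token on its own 'name value' line."""
    problems, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#") or not _BAD.search(line):
            out.append(line)
            continue
        for m in _BAD.finditer(line):
            corrected = f"{m.group(1).lower()} {m.group(2)}"
            problems.append((lineno, m.group(1).lower(), corrected))
            out.append(corrected)
        residue = _BAD.sub("", line).strip()
        if residue:                      # keep anything else on that line
            out.append(residue)
    return problems, "\n".join(out) + "\n"

def directive_values(text, name):
    """Arguments of every top-level directive called `name`, quotes stripped."""
    vals = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m and m.group(1).lower() == name:
            vals.append(m.group(2).strip().strip('"'))
    return vals

def replica_binddn_matches_updatedn(master_text, slave_text):
    """slurpd binds to the slave as the replica binddn; the slave treats that
    session as replication only if the DN equals its (parsed) updatedn."""
    updatedns = directive_values(slave_text, "updatedn")
    binddns = re.findall(r'binddn="([^"]*)"', master_text)
    return bool(updatedns) and updatedns[0] in binddns
```

On the broken slave config the updatedn is never parsed, so the match check fails; on the rewritten config it passes.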
On Thu, 17 May 2007, Howard Chu wrote:
>> I'd say this is your problem; you are using the rootDN for the replication. Use another one instead.
> No, that's not the problem.

But still not recommended, right?

The = sign was indeed the problem. Thank you very much.

-David
Dave Horsfall wrote:
> On Thu, 17 May 2007, David Browning wrote:
>> replica uri=ldap://ldap2.intelligraphics.com binddn="cn=Manager,dc=intelligraphics,dc=com" bindmethod=simple credentials=password
> I'd say this is your problem; you are using the rootDN for the replication. Use another one instead.

No, that's not the problem.

> Also, you might want to look at SyncRepl instead of SLURPD.

That's good advice anyway.

The real problem is here on the slave config:

    updatedn="cn=Manager,dc=intelligraphics,dc=com"
    updateref="ldap://ldap.intelligraphics.com"

slapd.conf directives don't use "=" equal signs.

-- 
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/