I am a newbie; I am trying to configure Syncrepl between 2 OpenLDAP servers. I have read the FAQ, the Admin's Guide and the mailing lists, but I didn't find any answer to my problem.
The master server is on the 192.168.1.255 subnet and is working fine. Now I am trying to replicate it to another server in the 192.168.123.255 subnet.
Replication from provider to consumer works well (if I write an entry on the provider, it is replicated to the consumer), but if I try to write to the consumer (ldapadd -x -D cn=Manager,dc=DOMAIN -W -f file.ldif) I get only this answer:
adding new entry "cn=newentry,dc=DOMAIN"
ldap_add: Referral (10)
        referrals:
                ldap://192.168.1.100/cn=newentry,dc=DOMAIN
but nothing appears in the provider's log or LDAP databases.
How can I configure Syncrepl in order to write to the consumer and replicate entries to the provider too? (OpenLDAP: slapd 2.3.30 on Debian Etch).
Following the examples in the FAQ, I configured the provider and consumer as shown below:
=================CONSUMER=================
[cut]
suffix          "dc=DOMAIN"
rootdn          "cn=Manager,dc=DOMAIN"
rootpw          {SSHA}something-hashed
[cut]
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=syncuser,dc=DOMAIN" write
        by anonymous auth
        by self write
        by * none

access to dn.base=""
        by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=syncuser,dc=DOMAIN" write
        by * read

syncrepl rid=1
        provider=ldap://192.168.1.100:389
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=DOMAIN"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncuser,dc=DOMAIN"
        credentials=secret

updateref       ldap://192.168.1.100
=================PROVIDER=================
[cut]
suffix          "dc=DOMAIN"
rootdn          "cn=Manager,dc=DOMAIN"
rootpw          {SSHA}something-hashed

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
[cut]
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=ENIGMA" write
        by dn="cn=syncuser,dc=ENIGMA" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=ENIGMA" write
        by dn="cn=syncuser,dc=ENIGMA" write
        by * read
gianni mazzini <maxione4@yahoo.it> writes:

> I am a newbie; I am trying to configure Syncrepl between 2 OpenLDAP servers. I have read the FAQ, the Admin's Guide and the mailing lists, but I didn't find any answer to my problem.
> The master server is on the 192.168.1.255 subnet and is working fine. Now I am trying to replicate it to another server in the 192.168.123.255 subnet.
> Replication from provider to consumer works well (if I write an entry on the provider, it is replicated to the consumer), but if I try to write to the consumer (ldapadd -x -D cn=Manager,dc=DOMAIN -W -f file.ldif) I get only this answer:
> adding new entry "cn=newentry,dc=DOMAIN"
> ldap_add: Referral (10)
>         referrals:
>                 ldap://192.168.1.100/cn=newentry,dc=DOMAIN
This is correct. The consumer answers a write operation request with a referral. It is up to the client to follow this referral. ldapadd is not able to follow referrals.
> but nothing appears in the provider's log or LDAP databases.
Why should you find anything in the provider's log?
> How can I configure Syncrepl in order to write to the consumer and replicate entries to the provider too?
There is nothing to configure, just use a proper client application or read man slapo-chain(5).
-Dieter
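The server-side route Dieter points at, slapo-chain, as an added slapd.conf example that is not part of this thread: the chain overlay on the consumer forwards a write to the provider instead of handing the client a referral, and the provider decides which client identities the consumer may assert. Provider address, the syncuser DN and password, and the authzTo pattern are assumptions; the rest of the poster's configuration is left as it was.

```conf
######## CONSUMER (global section, before the first "database" line) ########
# Chain overlay: a write that would otherwise be answered with the referral
# above is forwarded to the provider over this connection.  Assumed values:
# provider address, syncuser DN and password (keep slapd.conf readable by
# the slapd user only, it now holds a write-capable credential).
overlay             chain
chain-uri           "ldap://192.168.1.100:389"
# Bind to the provider as syncuser, then assert the identity of the client
# that wrote to the consumer, so the provider evaluates that client's ACLs
# rather than syncuser's.
chain-idassert-bind bindmethod=simple
                    binddn="cn=syncuser,dc=DOMAIN"
                    credentials="secret"
                    mode=self
# Hand the provider's error back to the client instead of masking it, so a
# rejected write is visible to the user and in the consumer's log.
chain-return-error  TRUE

database            bdb
suffix              "dc=DOMAIN"
rootdn              "cn=Manager,dc=DOMAIN"
# ... syncrepl stanza from the original post stays unchanged ...
updateref           ldap://192.168.1.100

######## PROVIDER (global section) ########
# Honour the authzTo attribute of the binding entry: syncuser may assert
# only the identities its own authzTo values match, nothing else.
authz-policy        to

# In the entry cn=syncuser,dc=DOMAIN on the provider (LDIF, assumed pattern
# limited to entries directly under the suffix):
#   authzTo: dn.regex:^cn=[^,]+,dc=DOMAIN$
```

Without the authzTo value on the provider the identity assertion is refused and chained writes fail, which is the safe default; widen the pattern only as far as the identities that genuinely need to write through the consumer.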
Dieter Kluenter wrote, on 24-11-2007 16:56:
> [...]
> There is nothing to configure, just use a proper client application
Not so. There is chaining in 2.3.30 (which OP is using) and it will do a certain amount of what OP wants. However, it's brain-dead as far as ppolicy is concerned; I just spent a Saturday morning and part of an afternoon on production servers finding out why.
> or read man slapo-chain(5)
Advising OP to just "use a proper client application or read man slapo-chain(5)" may work for many things, but not for ppolicy. I have my own solution for that, but it is OT. And absolutely not optimal, for a couple of reasons.
Best,
--Tonni