Hello.
OpenLDAP 2.4.18, master-slave replication. The slave server successfully replicates all data except the hashed {sha} passwords. It is not a problem with "access to attrs=userPassword" - I tested this.
How can I solve it and sync the passwords?
[ slapd.conf ]
master server:

#
index objectClass eq
#
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#

slave server:

syncrepl rid=<>
        provider=ldap://server:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=company,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
#       schemachecking=off
        bindmethod=simple
        binddn="cn=adminuser,dc=company,dc=com"
        credentials=company-pass
###
------------------------------------------------ policy for passwords:
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdFailureCountInterval: 600
pwdGraceAuthNLimit: 1
pwdMaxFailure: 5
pwdInHistory: 6
On Mon, 21 Sep 2009, Evgeniy wrote:
OpenLDAP 2.4.18, master-slave replication. The slave server successfully replicates all data except the hashed {sha} passwords. It is not a problem with "access to attrs=userPassword" - I tested this.
[...]
        attrs="*"
syncrepl needs operational attributes, but those are omitted due to this configuration. Try "*,+" instead. (Although I thought there were recent changes in that area...to be fair, I can't remember what, though.)
I note that you included your ppolicy details (which I don't believe are germane to a sync issue). But I'll note that there's frequent confusion regarding "what ppolicy does" in a multiserver environment...if you're in doubt about that, check the archives and/or re-post.
On 09/20/2009 03:31 PM, Evgeniy wrote:
[...]

syncrepl rid=<>
        provider=ldap://server:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=company,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
#       schemachecking=off
        bindmethod=simple
        binddn="cn=adminuser,dc=company,dc=com"
        credentials=company-pass
###
Hi,
There are several problems with this syncrepl statement. The first probably is the cause of your problem.
1) The syncrepl statement in slapd.conf is actually just one line. You can continue it on new lines by starting them with a space. But if you insert a comment (# character) anywhere, then the rest of the configuration will be ignored. So I think your binddn etc. are being ignored. Remove the comment.
2) You have specified "attrs=*". This means "only replicate user attributes", thus excluding operational attributes. The default for attrs is "*,+" as specified in the man page. I really recommend not changing this value.
Hope this helps, Jonathan
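To make both of Jonathan's points (and the earlier "*,+" advice) concrete, here is an added example, written for this thread and not taken from OpenLDAP or from any poster. It applies the slapd.conf(5) line-joining rule to the syncrepl statement as posted and reports which parameters slapd would actually see, then checks whether the attrs list still covers operational attributes. The rid value 001 and the exact indentation are assumptions; the original post elided the rid.

```python
"""Emulate slapd.conf line joining to show why a '#' line in the middle of a
multi-line syncrepl statement silently discards the directives after it,
and why attrs="*" drops operational attributes.

Added example for this thread, not code from OpenLDAP. Both config strings
are constructed from the syncrepl statement posted above; rid=001 and the
indentation are assumptions.
"""
import re

# The statement as posted, including the commented-out schemachecking line
# that turns out to be the defect: the indented bindmethod/binddn/credentials
# lines that follow it become continuations of the comment.
BROKEN_SYNCREPL = """\
syncrepl rid=001
        provider=ldap://server:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=company,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
#       schemachecking=off
        bindmethod=simple
        binddn="cn=adminuser,dc=company,dc=com"
        credentials=company-pass
###
"""

# Corrected statement: the comment is gone, and attrs includes '+' so that
# operational attributes (entryCSN, entryUUID, ...) are replicated as well.
FIXED_SYNCREPL = """\
syncrepl rid=001
        provider=ldap://server:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=company,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*,+"
        bindmethod=simple
        binddn="cn=adminuser,dc=company,dc=com"
        credentials=company-pass
"""


def logical_lines(conf: str) -> list[str]:
    """Join physical lines the way slapd.conf(5) describes: a line that
    begins with white space continues the previous line, even when that
    previous line is a comment. Comment and blank logical lines are then
    dropped, and any continuation lines glued to a comment vanish with it."""
    joined: list[str] = []
    for raw in conf.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [line for line in joined if line and not line.startswith("#")]


def syncrepl_params(conf: str) -> dict[str, str]:
    """Return the key=value pairs of the syncrepl directive as slapd would
    actually see them after comment handling (quotes stripped from values)."""
    for line in logical_lines(conf):
        if line.startswith("syncrepl "):
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
            return {key: value.strip('"') for key, value in pairs}
    return {}


# Without binddn/credentials the consumer binds anonymously, and an anonymous
# search normally cannot read userPassword, which matches the reported symptom.
REQUIRED = ("provider", "searchbase", "bindmethod", "binddn", "credentials")


def missing_params(conf: str) -> list[str]:
    """Required syncrepl parameters that were swallowed or never set."""
    seen = syncrepl_params(conf)
    return [key for key in REQUIRED if key not in seen]


def replicates_operational_attrs(conf: str) -> bool:
    """True when the attrs list (default "*,+" per slapd.conf(5)) still
    includes '+', i.e. operational attributes are replicated."""
    attrs = syncrepl_params(conf).get("attrs", "*,+")
    return "+" in attrs.split(",")


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SYNCREPL), ("fixed", FIXED_SYNCREPL)):
        print(f"{name}: missing={missing_params(conf)} "
              f"operational_attrs={replicates_operational_attrs(conf)}")
```

Running it shows the broken statement losing bindmethod, binddn and credentials entirely, while the corrected one keeps all of them and replicates operational attributes; the same join-then-drop logic is what makes the commented line so easy to miss when reading the file by eye.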
Thank you !
Remove the comment.
That was the key to my problem. Thank you very much.
21.09.09, 18:34, "Jonathan Clarke" jonathan@phillipoux.net:
syncrepl rid=<>
        provider=ldap://server:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=company,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
#       schemachecking=off
        bindmethod=simple
        binddn="cn=adminuser,dc=company,dc=com"
        credentials=company-pass
###

Hi,
There are several problems with this syncrepl statement. The first probably is the cause of your problem.
1) The syncrepl statement in slapd.conf is actually just one line. You can continue it on new lines by starting them with a space. But if you insert a comment (# character) anywhere, then the rest of the configuration will be ignored. So I think your binddn etc. are being ignored. Remove the comment.
2) You have specified "attrs=*". This means "only replicate user attributes", thus excluding operational attributes. The default for attrs is "*,+" as specified in the man page. I really recommend not changing this value.
Hope this helps, Jonathan
openldap-software@openldap.org