In man slapd.conf you can read:
--
rootdn <dn>
    Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. [...] Note that the rootdn is always needed when using syncrepl.
--
In this Conexitor forum[1] about replication configuration, a particular DN is used with permissions granted via ACIs; it seems that cn=replicator is not the rootdn.
Could you clarify about the real necessity of rootdn (and its usage) for syncrepl?
Regards, maykel
--On Monday, October 08, 2007 7:06 PM -0400 Maykel Moya moya-lists@infomed.sld.cu wrote:
> In man slapd.conf you can read:
> -- rootdn <dn> Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. [...] Note that the rootdn is always needed when using syncrepl. --
> In this Conexitor forum[1] about replication configuration a particular DN is used with permissions granted via ACIs, it seems that cn=replicator is not the rootdn.
The rootdn is not required for syncrepl in OpenLDAP 2.3. It may have been for OpenLDAP 2.2. Sounds like a bit of cruft remaining in slapd.conf.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Monday, October 08, 2007 5:07 PM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
> --On Monday, October 08, 2007 7:06 PM -0400 Maykel Moya moya-lists@infomed.sld.cu wrote:
>> In man slapd.conf you can read:
>> -- rootdn <dn> Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. [...] Note that the rootdn is always needed when using syncrepl. --
>> In this Conexitor forum[1] about replication configuration a particular DN is used with permissions granted via ACIs, it seems that cn=replicator is not the rootdn.
> The rootdn is not required for syncrepl in OpenLDAP 2.3. It may have been for OpenLDAP 2.2. Sounds like a bit of cruft remaining in slapd.conf.
Actually to correct that --
The syncrepl client LDAP Directory needs a rootdn directive in its slapd.conf. It does not need to talk to the *master* using a rootdn. This is so the syncrepl client can internally update its own database using the rootdn specified.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-software@openldap.org
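
The split described in the last message, as an added slapd.conf sketch that is not part of the original thread: the consumer declares a rootdn for its own internal writes, while it binds to the provider as a non-rootdn replication identity that gets read access through ACLs. The suffix, host name, admin DN, bdb backend and credentials below are constructed placeholders; cn=replicator is the DN mentioned in the question.

```conf
# --- provider (master) slapd.conf: constructed example ---
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
index       entryCSN,entryUUID eq
overlay     syncprov

# cn=replicator is an ordinary DN, not the rootdn, so access control and
# administrative limits DO apply to it. Grant read access explicitly and
# lift size/time limits for this identity only, so a full refresh is not
# truncated.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break
# ... the site's normal access rules follow here ...
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited

# --- consumer (replica) slapd.conf: constructed example ---
database    bdb
suffix      "dc=example,dc=com"

# Required on the consumer: the syncrepl engine uses this identity to
# update the local database. It is never sent to the provider.
rootdn      "cn=admin,dc=example,dc=com"

# The bind to the provider uses the read-only replication DN, not a rootdn.
# The credentials value is stored in clear text, so keep this file readable
# only by the slapd user.
syncrepl rid=001
    provider=ldap://provider.example.com
    type=refreshOnly
    interval=00:00:05:00
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLACE_ME
```

If cn=replicator is compromised, the exposure is read access to the replicated subtree on the provider; it carries no write or rootdn privileges there.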