Hi All,
I'm halfway through implementing an LDAP Master/Slave setup and have ground to a halt on replication.
I have LDAP working fine on the master and Samba works fine with it but I can't get the slurpd to push changes to the slave.
When I try I get the following:
Apr 5 15:15:37 smb7 slapd[5578]: fd=16 DENIED from unknown (172.20.0.105)
I have the following in slapd.conf on the master:
replica host=172.20.0.107:389
        binddn="cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
        bindmethod=simple credentials=??????????? (omitted for obvious reasons)
and this on the slave:
# Replicas running syncrepl as non-rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
limits group="cn=Replicator,dc=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" size=unlimited time=unlimited
# ACL ensuring replicator has write access
access to *
        by group="cn=Replicator,ou=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
        by * read
# Replica configuration (if this server is a slave)
updatedn "cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
updateref "ldap://172.20.0.105"
I've created a group called Replicator and a user in it called Replicator but I keep getting the fd16 message.
Any suggestions, and also which files do you need to check out?
Cheers,
jools
On 4/5/07, Jools jools@oss4all.plus.com wrote:
> Hi All,
> I'm halfway through implementing an LDAP Master/Slave setup and have ground to a halt on replication.
> I have LDAP working fine on the master and Samba works fine with it but I can't get the slurpd to push changes to the slave.
> When I try I get the following:
> Apr 5 15:15:37 smb7 slapd[5578]: fd=16 DENIED from unknown (172.20.0.105)
> I have the following in slapd.conf on the master:
> replica host=172.20.0.107:389
>         binddn="cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
>         bindmethod=simple credentials=??????????? (omitted for obvious reasons)
> and this on the slave:
> # Replicas running syncrepl as non-rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
> limits group="cn=Replicator,dc=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" size=unlimited time=unlimited
> # ACL ensuring replicator has write access
> access to *
>         by group="cn=Replicator,ou=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
>         by * read
> # Replica configuration (if this server is a slave)
> updatedn "cn=Replicator,dc=People,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
> updateref "ldap://172.20.0.105"
Your updatedn doesn't match your ACL.
Can you try some stuff with cn=Replicator,ou=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk directly with ldapmodify first? And then change the updatedn or acl accordingly.
Maybe you should try using access to * by dn.exact="" write instead of group="".
Also:
> # Replicas running syncrepl as non-rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
> limits group="cn=Replicator,dc=Group,dc=bordengrammar,dc=kent,dc=sch,dc=uk" size=unlimited time=unlimited
You're not using syncrepl (at least, you seem to want to use slurpd), so that's a little confusing. And I'm also not sure if this 'limits' is going to work for the same reasons I'm not sure about the acl.
fyi- slurpd is getting deprecated in 2.5 or something.
_Matt
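
As an added illustration of the mismatch discussed in the reply above (not part of any poster's message): a small Python check that compares the master's binddn, the slave's updatedn, and the DNs named in the slave's limits and access rules. The config fragments are constructed with a placeholder dc=example,dc=org suffix, and the DN comparison is a simple case-insensitive match that does not handle escaped commas.

```python
import re

# Constructed slapd.conf fragments modelled on the thread (placeholder suffix).
MASTER = '''
replica host=172.20.0.107:389
        binddn="cn=Replicator,dc=People,dc=example,dc=org"
        bindmethod=simple credentials=PLACEHOLDER
'''
SLAVE = '''
limits group="cn=Replicator,dc=Group,dc=example,dc=org" size=unlimited time=unlimited
access to *
        by group="cn=Replicator,ou=Group,dc=example,dc=org" write
        by * read
updatedn "cn=Replicator,dc=People,dc=example,dc=org"
updateref "ldap://172.20.0.105"
'''

def norm(dn):
    """Lower-case a DN and trim spaces around its components (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def grab(pattern, text):
    """Return every DN captured by pattern, normalised for comparison."""
    return [norm(m) for m in re.findall(pattern, text, re.I | re.M)]

def check(master, slave):
    findings = []
    binddn = grab(r'binddn="([^"]+)"', master)
    updatedn = grab(r'^updatedn\s+"([^"]+)"', slave)
    if not updatedn or binddn != updatedn:
        findings.append("master binddn and slave updatedn differ")
    write_dns = grab(r'by\s+dn[^=\s]*="([^"]+)"\s+write', slave)
    write_groups = grab(r'by\s+group[^=\s]*="([^"]+)"\s+write', slave)
    for dn in updatedn:
        if dn not in write_dns:
            # Group membership lives in the directory, not in slapd.conf.
            how = f"only via group {write_groups}" if write_groups else "by no rule"
            findings.append(f"updatedn {dn} is granted write {how}")
    for group in grab(r'^limits\s+group[^=\s]*="([^"]+)"', slave):
        if group not in write_groups:
            findings.append(f"limits group {group} is not the ACL group")
    return findings

if __name__ == "__main__":
    for line in check(MASTER, SLAVE):
        print("WARN:", line)
```

A group-based grant is not wrong by itself; the warning only marks that write access then depends on the updatedn entry being a member of that group in the directory.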
--On Thursday, April 05, 2007 1:29 PM -0400 matthew sporleder msporleder@gmail.com wrote:
> fyi- slurpd is getting deprecated in 2.5 or something.
I think it is deprecated now. Bugs for it certainly stopped being fixed. The only open question I believe is whether it will get removed from 2.4 or if that will wait until 2.5.
--Quanah
--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Does that mean that as of now, effectively, there is no replication capability in OpenLDAP?
--On Thursday, April 05, 2007 11:50 AM -0600 "Marcum, Bob" Bob.Marcum@telecheck.com wrote:
> Does that mean that as of now, effectively, there is no replication capability in OpenLDAP?
No. syncrepl is the supported replication mechanism as of 2.3.
--Quanah
Marcum, Bob wrote:
> Does that mean that as of now, effectively, there is no replication capability in OpenLDAP?
No, that means that the braindead old replication mechanism is no longer supported. Syncrepl has been available since OpenLDAP 2.2 and is superior to slurpd in every way.
Jools wrote:
> Hi All,
> I'm halfway through implementing an LDAP Master/Slave setup and have ground to a halt on replication.
> I have LDAP working fine on the master and Samba works fine with it but I can't get the slurpd to push changes to the slave.
> When I try I get the following:
> Apr 5 15:15:37 smb7 slapd[5578]: fd=16 DENIED from unknown (172.20.0.105)
That looks like a TCP wrapper access control check. You should make sure your machines are allowed to connect in /etc/hosts.allow or /etc/hosts.deny...