Hi,
I've spent 2 days on this now and can't figure it out.
Master directory (2.4.21 on FBSD 7, compiled with SASL)
Slave (2.4.31 on Debian Squeeze)
The goal is to eventually use TLS as both servers are remote from one
another, but for the sake of simplicity during testing I'm not using
TLS at this stage.
RefreshAndPersist replication is set up and working.
Master config (not complete, but the related parts):
authz-policy to

database bdb
suffix cn=accesslog
directory /db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited

database bdb
suffix "dc=webgate,dc=net,dc=au"
rootdn "cn=Manager,dc=webgate,dc=net,dc=au"
rootpw deleted
password-hash {SSHA}
directory /var/db/openldap-data
mode 0600
cachesize 2000
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited
    size.hard=unlimited

access to attrs=userPassword
    by self write
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by * auth
access to dn.base="ou=zones,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=zones,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=dns,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=emails,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=emails,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=users,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=users,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=groups,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=groups,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.base="ou=virtualhosts,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=virtualhosts,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=httpd,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to *
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by users read
    by anonymous none
    by * none
Slave config:

overlay chain
chain-uri ldap://xxx:389/
chain-rebind-as-user Yes
chain-idassert-bind bindmethod="simple"
    binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
    credentials="xxx" mode="self"
chain-return-error Yes

access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by * none
access to dn.base="" by * read
access to *
    by * read

# syncrepl directives
syncrepl rid=0
    provider=ldap://xxx:389
    bindmethod=simple
    binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
    credentials=deleted
    searchbase="dc=webgate,dc=net,dc=au"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
# Refer updates to the master
updateref ldap://xxx
cn=replicator contains:
dn: cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au
objectClass: top
objectClass: inetOrgPerson
cn: replicator
sn: replicator
userPassword:: xxx
authzTo: {0}dn:*
No matter what I change, when I run ldapmodify on the slave:

ldapmodify -x -D "cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" -W -f test_update.ldif
modifying entry "uid=xxx,ou=emails,dc=webgate,dc=net,dc=au"
ldap_modify: Strong(er) authentication required (8)

I run the server with -d 1 to see what's going on, and it seems that even if I
change
chain-idassert-bind binddn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au"
to anything that doesn't even exist in the directory, it never gets used...
The only one of the chain-* directives that makes a difference is
chain-return-error Yes; setting it to "no" makes it return just the
referral address.
What am I doing wrong???
Thanks
Petr
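A note for readers working through the master ACLs above: slapd evaluates `access` directives in order, picking the first `to` clause whose target matches the entry and then the first `by` clause whose identity matches the bound DN; if a `to` clause matches but none of its `by` clauses do, access is `none` (slapd.access(5)). The script below is an added example, not part of Petr's post, that applies that first-match rule to a constructed copy of the master's userPassword, ou=emails and catch-all stanzas. It simplifies slapd's real ACL engine: an unstyled `dn="..."` in a `by` clause is treated as an exact match, DN escaping is ignored, and only the `<who>` forms used in the post (`*`, `self`, `users`, `anonymous`, `dn=`) are supported. Running it shows that on an entry under ou=emails, cn=replicator is granted `read` while cn=users is granted `write`, and that an identity matching the ou=emails clause but none of its `by` lines gets `none` rather than falling through to the catch-all.

```python
"""Evaluate slapd.conf-style ACLs for a (bind DN, target DN, attribute) triple.

Added example, not from the original post or from OpenLDAP. Models the
first-match rule of slapd.access(5) with simplified <what>/<who> matching.
"""
import shlex

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copy of three stanzas from the master config in the post.
MASTER_ACLS = """
access to attrs=userPassword
    by self write
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by * auth
access to dn.base="ou=emails,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to dn.children="ou=emails,dc=webgate,dc=net,dc=au"
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=postfix,ou=daemons,dc=webgate,dc=net,dc=au" read
    by dn="cn=users,ou=daemons,dc=webgate,dc=net,dc=au" write
access to *
    by dn="cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au" read
    by users read
    by anonymous none
    by * none
"""


def norm_dn(dn):
    """Case-fold and strip whitespace around RDN separators (no escape handling)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acls(text):
    """Join continuation lines into stanzas; return [(what, [(who, level), ...])]."""
    stanzas, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access "):
            if current:
                stanzas.append(" ".join(current))
            current = [line]
        else:
            current.append(line)          # slapd.conf continuation line
    if current:
        stanzas.append(" ".join(current))

    acls = []
    for stanza in stanzas:
        toks = shlex.split(stanza)        # also strips the quotes around DNs
        if toks[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + stanza)
        what = {"dn_style": None, "dn": None, "attrs": None}
        i = 2
        while i < len(toks) and toks[i] != "by":
            tok = toks[i]
            if tok.startswith("attrs="):
                what["attrs"] = {a.strip().lower() for a in tok[6:].split(",")}
            elif tok.startswith("dn"):
                style, _, pattern = tok.partition("=")
                what["dn_style"] = style[3:] if "." in style else "base"
                what["dn"] = norm_dn(pattern)
            i += 1                         # "*" matches everything: nothing to record
        bys = []
        while i < len(toks):
            who, level = toks[i + 1], toks[i + 2].lower()
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            bys.append((who, level))
            i += 3
        acls.append((what, bys))
    return acls


def what_matches(what, target_dn, attr):
    t, base = norm_dn(target_dn), what["dn"]
    if base is not None:
        style = what["dn_style"]
        if style == "base" and t != base:
            return False
        if style == "children" and not (t != base and t.endswith("," + base)):
            return False
        if style == "subtree" and not (t == base or t.endswith("," + base)):
            return False
    # "entry" is the pseudo-attribute for entry-level access; an attrs= clause never matches it.
    return what["attrs"] is None or attr.lower() in what["attrs"]


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn"):                # unstyled dn= treated as exact (simplification)
        return norm_dn(who.partition("=")[2]) == norm_dn(bind_dn)
    raise ValueError("unsupported <who>: " + who)


def access_level(acls, bind_dn, target_dn, attr="entry"):
    """Level granted by the first matching stanza and its first matching by clause."""
    for what, bys in acls:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"                   # <what> matched, no <who> did: stop here
    return "none"


def can(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` in the LEVELS ordering."""
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(MASTER_ACLS)
    entry = "uid=xxx,ou=emails,dc=webgate,dc=net,dc=au"
    for ident in ("cn=replicator,ou=daemons,dc=webgate,dc=net,dc=au",
                  "cn=users,ou=daemons,dc=webgate,dc=net,dc=au", ""):
        print(ident or "(anonymous)", "->", access_level(acls, ident, entry, "mail"))
```

The `entry` pseudo-attribute is what you pass to check entry-level access (for example whether cn=users may write the ou=emails container itself); the evaluator deliberately does not fall through to the catch-all `access to *` once an earlier `to` clause has matched, which is the behaviour that most often surprises people reading ACL lists like the one above.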