--- On Fri, 8/21/09, Quanah Gibson-Mount quanah@zimbra.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
Subject: Re: top-level data entries not replicating, 2.4.15, now 2.4.17
To: "Brian Neu" proclivity76@yahoo.com, openldap-technical@openldap.org
Date: Friday, August 21, 2009, 12:05 PM

--On Friday, August 21, 2009 8:52 AM -0700 Brian Neu proclivity76@yahoo.com wrote:
I really only created the test2 record to find out why the sambaDomainName=SRG,dc=srg,dc=com record wasn't replicating.
This entry won't replicate either, even with a cn attribute . . .

dn:cn=test3,dc=srg,dc=com
objectclass: top
objectclass: person
userpassword:blah
sn:test3
cn:test3

Please don't top post.
Your config is a little... odd. You have per-db access rules, and yet you break them like you expect more:

database hdb
suffix "cn=accesslog"
...
access to *
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break

Not that this hurts anything, but it is a weird read.
Also, I don't see *any* access rules on the main DB. You have:

database hdb
suffix "dc=srg,dc=com"
....
database monitor
access to *
    by dn.exact="cn=Manager,dc=srg,dc=com" write
    by dn.exact="uid=root,ou=People,dc=srg,dc=com" write
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break

Which means you just gave a lot of access to the *monitor* database but not your *primary* database. I suggest you go re-read the slapd.access(5) man page. If you want global ACLs, they need to come before any "database xyz" line. If you want per-db ACLs, which I think is what you're trying to do, then you need to do them *per-db*. Not the odd acl in accesslog, none in your main db, and some for your monitor database.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
OK, my sloppy ACL is cleaned up and makes much more sense now -- but the problem remains.
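
An added illustration of the ACL scoping rule from the quoted reply (not part of the thread, and not code from either poster): a short Python check that attributes each "access to" directive in a slapd.conf to the "database" section it follows, so a database left without rules of its own stands out. The sample config is constructed from the layout quoted above, and the function names are this example's own.

```python
# Added example, not from the thread. Constructed sample modelled on the
# layout quoted there; the parts the thread elides ("...") are left out.
SAMPLE_CONF = '''\
database hdb
suffix "cn=accesslog"
access to *
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break
database hdb
suffix "dc=srg,dc=com"
database monitor
access to *
    by dn.exact="cn=Manager,dc=srg,dc=com" write
    by dn.exact="uid=root,ou=People,dc=srg,dc=com" write
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break
'''


def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop comments."""
    lines = []
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return [line for line in lines if not line.startswith("#")]


def acl_scopes(text):
    """Return [(section, acl_count), ...] in file order; entry 0 is global."""
    sections = [["global", 0]]
    for line in logical_lines(text):
        keyword, arg = (line.split(None, 1) + [""])[:2]
        keyword, arg = keyword.lower(), arg.strip().strip('"')
        if keyword == "database":
            sections.append(["database " + arg, 0])   # new scope starts here
        elif keyword == "suffix" and len(sections) > 1:
            sections[-1][0] += " " + arg               # label the scope
        elif keyword == "access":
            sections[-1][1] += 1                       # rule lands in current scope
    return [tuple(s) for s in sections]


def databases_without_acls(text):
    """Databases that have no per-database access rule of their own."""
    return [name for name, count in acl_scopes(text)[1:] if count == 0]
```

On the constructed sample, databases_without_acls(SAMPLE_CONF) names only the dc=srg,dc=com database, since the rules written after "database monitor" are counted against the monitor section.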