From: Kaushal Shriyan <kaushalshriyan@gmail.com>
Sent: Thursday, July 4, 2024 8:59 PM
To: openldap-technical@openldap.org
Subject: [EXT] Configure multi-master replication OpenLDAP using https://repo.symas.com/soldap2.5/rhel8/
Hi,
I am running OpenLDAP server 2.5.18 on Red Hat Enterprise Linux release 8.10 (Ootpa) OS to enable multi-master replication on both nodes (node 1 and node 2). Currently on Node1 I am encountering the "ldap_modify: Insufficient access (50)" issue.
Node1
# rpm -qa | grep openldap
symas-openldap-clients-2.5.18-1.el8.x86_64
symas-openldap-servers-selinux-1.0.6-2.el8.noarch
openldap-2.4.46-18.el8.x86_64
symas-openldap-servers-2.5.18-1.el8.x86_64
symas-openldap-libs-2.5.18-1.el8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
#
# pwd
/opt/symas/etc/openldap
# ls -l
total 20
-rw-r--r-- 1 symas symas 247 May 23 20:21 ldap.conf.default
drwxr-xr-x 2 symas symas 4096 Jun 26 16:02 schema
-rw------- 1 symas symas 2901 Jun 27 17:55 slapd.conf
-rw------- 1 symas symas 2710 May 23 20:21 slapd.conf.default
-rw------- 1 symas symas 2761 May 23 20:21 slapd.ldif.default
#
# cat syncprov_mod.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov_mod.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
[Windl, Ulrich]
(Sorry, Outlook is not good at inline-quoting HTML mail)
It means that your ldapi:/// URL does not have the rights to modify cn=config.
Usually you authenticate with the cn=config user to do that.
Also for replication, you probably want to set up a replication user that can read everything…
#
Am I missing anything? Please guide me.
Best Regards,
Kaushal
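As an added example that is not part of this thread or of the Symas packages: a small POSIX shell script that checks whether the peercred identity reported by the SASL/EXTERNAL bind above is granted "manage" on the config database, and emits the LDIF that would grant it. The olcAccess values it inspects are constructed samples (in practice they come from the ldapsearch shown in the comment), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the identity that
# ldapi:/// assigns to local root is allowed to manage cn=config, and prints the
# LDIF that would grant it. Real values come from:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={0}config,cn=config' olcAccess
ROOT_PEERCRED='gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth'

# Constructed sample: config database ACL that grants local root nothing,
# which is what produces "ldap_modify: Insufficient access (50)".
ACL_MISSING='olcAccess: {0}to * by * none'
# Constructed sample: the common rule that lets local root manage cn=config
# over ldapi only, while every other identity falls through to later clauses.
ACL_OK="olcAccess: {0}to * by dn.exact=$ROOT_PEERCRED manage by * break"

# config_grants_root ACL_TEXT: exit 0 if some olcAccess clause grants "manage"
# to the peercred identity, 1 otherwise. Only the exact-DN form is recognised.
config_grants_root() {
    printf '%s\n' "$1" | grep -Fq -- "dn.exact=$ROOT_PEERCRED manage"
}

# grant_root_ldif: LDIF that prepends the clause to the config database ACL.
# Applying it needs an identity that can already write cn=config, such as the
# config rootdn; the peercred identity itself cannot add its own grant.
grant_root_ldif() {
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=$ROOT_PEERCRED manage by * break
EOF
}

# Stand-alone run: report on the constructed samples, then print the LDIF.
for acl in "$ACL_MISSING" "$ACL_OK"; do
    if config_grants_root "$acl"; then
        echo "grants local root manage: $acl"
    else
        echo "does NOT grant local root manage: $acl"
    fi
done
grant_root_ldif
```

If slapd is running from slapd.conf rather than slapd.d (the directory listing above shows slapd.conf and no slapd.d), the same rule belongs in the config database section of that file as an access directive instead of being added over LDAP.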