I solved this issue. It was in fact a mistake in my ACL directives.
For those who try to build a master-master replication between LDAP
servers, for both the cn=config DIT and dc=exemple,dc=com, my config DIT
looks like this:
On ldap1.vm:
=================================================
# Global settings. The olcAuthzRegexp rules map GSSAPI identities to DNs
# and are tried in order: the first match wins. Folded lines start with a
# space (two spaces where the joined value needs a separating blank).
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=admin,cn=exemple.com,cn=gssapi,cn=auth
  cn=admin,dc=exemple,dc=com
olcAuthzRegexp: {1}uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
  cn=$1,ou=ldap,dc=exemple,dc=com
olcAuthzRegexp: {2}uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth
  cn=$1,ou=hosts,dc=exemple,dc=com
olcAuthzRegexp: {3}uid=(.*),cn=exemple.com,cn=gssapi,cn=auth
  uid=$1,ou=people,dc=exemple,dc=com
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcSaslRealm: EXEMPLE.COM
olcServerID: 1 ldap://ldap1.vm.exemple.com/
olcServerID: 2 ldap://ldap2.vm.exemple.com/
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov

dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by
  dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500

# cn=config database: the replication identities under ou=ldap get read
# access so the peer can pull the config; local root keeps manage.
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *
  by dn.one="ou=ldap,dc=exemple,dc=com" read
  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
  by * break
olcRootDN: cn=admin,cn=config
olcSyncrepl: {0}rid=001
  provider="ldap://ldap1.vm.exemple.com/"
  type=refreshAndPersist
  retry="10 30 30 +"
  searchbase="cn=config"
  bindmethod=sasl
  saslmech=gssapi
olcSyncrepl: {1}rid=002
  provider="ldap://ldap2.vm.exemple.com/"
  type=refreshAndPersist
  retry="10 30 30 +"
  searchbase="cn=config"
  bindmethod=sasl
  saslmech=gssapi
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# Data database: same replication identities get read, the Kerberos
# service accounts get what they need, everything else stays closed.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=exemple,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.one="ou=ldap,dc=exemple,dc=com" read
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=exemple,dc=com"
  by dn.one="ou=ldap,dc=exemple,dc=com" read
  by dn="cn=adm-srv,ou=krb5,dc=exemple,dc=com" write
  by dn="cn=kdc-srv,ou=krb5,dc=exemple,dc=com" read
olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=exemple,dc=com
olcRootPW: {SSHA}cS3TS9Mo5wFbddEWzcNzx5fKLV7Y3AHX
olcSyncrepl: {0}rid=101
  provider="ldap://ldap1.vm.exemple.com/"
  type=refreshAndPersist
  retry="10 30 30 +"
  searchbase="dc=exemple,dc=com"
  bindmethod=sasl
  saslmech=gssapi
olcSyncrepl: {1}rid=102
  provider="ldap://ldap2.vm.exemple.com/"
  type=refreshAndPersist
  retry="10 30 30 +"
  searchbase="dc=exemple,dc=com"
  bindmethod=sasl
  saslmech=gssapi
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcDbIndex: krbPwdPolicyReference eq
olcDbIndex: entryCSN eq

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
=================================================
On ldap2.vm you just need to add this line to the "dn:
olcDatabase={0}config,cn=config" entry:
=================================================
olcSyncrepl: {0}rid=001
  provider="ldap://ldap1.vm.exemple.com/"
  type=refreshAndPersist
  retry="10 30 30 +"
  searchbase="cn=config"
  bindmethod=sasl
  saslmech=gssapi
=================================================
The syncrepl will perform the replication of your cn=config DIT and,
because you have some other olcSyncrepl on ldap1.vm, also replicate
the dc=exemple,dc=com DIT.
Don't forget the kstart directive in /etc/inittab to get the
necessary ticket:
KS:2345:respawn:/usr/bin/k5start -U -f /etc/ldap/ldap.keytab -K 10 -l 24h -k /tmp/krb5cc_107 -o openldap
where /etc/ldap/ldap.keytab is my keytab file (see
/etc/default/slapd) and 107 is the uid for openldap (use getent
passwd).
Regards,
Quentin.
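As an added example (not part of Quentin's post), the following Python script simulates how slapd applies the olcAuthzRegexp rules above to a GSSAPI principal and then checks whether the resulting DN satisfies the dn.one="ou=ldap,dc=exemple,dc=com" clause that both the cn=config and hdb ACLs rely on. It assumes each rule is matched against the whole SASL authorization DN, that the first matching rule wins, and that the cn=<realm> component is the lowercased olcSaslRealm; the function names are mine.

```python
import re

# olcAuthzRegexp rules copied from the posted cn=config, in {n} order.
# slapd tries them in order and the first match wins.
AUTHZ_REGEXP = [
    (r"uid=admin,cn=exemple.com,cn=gssapi,cn=auth",
     "cn=admin,dc=exemple,dc=com"),
    (r"uid=ldap\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth",
     "cn=$1,ou=ldap,dc=exemple,dc=com"),
    (r"uid=host\/(.*).exemple.com,cn=exemple.com,cn=gssapi,cn=auth",
     "cn=$1,ou=hosts,dc=exemple,dc=com"),
    (r"uid=(.*),cn=exemple.com,cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=exemple,dc=com"),
]

REPLICA_ACL_BASE = "ou=ldap,dc=exemple,dc=com"  # the dn.one="..." clause


def sasl_authz_dn(principal, realm="EXEMPLE.COM"):
    """Authorization DN slapd builds for a GSSAPI bind (assumption: the
    realm part comes from olcSaslRealm and is lowercased)."""
    user = principal.split("@", 1)[0]
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (user, realm.lower())


def map_authz(sasl_dn, rules=AUTHZ_REGEXP):
    """Apply the rules in order; '$1' in the template becomes group 1.
    Whole-string matching is an assumption. Returns None if nothing matches."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return m.expand(re.sub(r"\$(\d)", r"\\\1", template))
    return None


def dn_one(dn, base):
    """slapd's dn.one: dn must sit exactly one level below base."""
    parts = dn.split(",", 1)
    return len(parts) == 2 and parts[1].lower() == base.lower()


def replica_has_read(principal, rules=AUTHZ_REGEXP):
    """Does this principal map to a DN the replication ACLs grant read to?
    With the posted rule order, ldap/<host> service principals do."""
    dn = map_authz(sasl_authz_dn(principal), rules)
    return dn is not None and dn_one(dn, REPLICA_ACL_BASE)


if __name__ == "__main__":
    for p in ("ldap/ldap2.vm.exemple.com@EXEMPLE.COM",
              "host/ws1.exemple.com@EXEMPLE.COM", "quentin@EXEMPLE.COM"):
        print(p, "->", map_authz(sasl_authz_dn(p)), replica_has_read(p))
    # Same principal with the rules reversed: the catch-all {3} fires first,
    # the replica lands under ou=people and loses its read access.
    print(replica_has_read("ldap/ldap2.vm.exemple.com@EXEMPLE.COM",
                           AUTHZ_REGEXP[::-1]))
```

The reversed-order case shows why the {n} ordering of the rules matters as much as the ACL itself: a catch-all rule placed first silently re-maps the replication identity.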