Yes, I used distro packages for CentOS 6; and yes, I understand your point. I may have the luxury of building OpenLDAP from scratch for LDAP02, though I don't have the redundancy (the point of this whole exercise) that I need to reinstall LDAP01 by building it from scratch. That was an unfortunate mistake in hindsight that I stuck with the distro package there. I suppose to start over I would have to make a new server and slapcat the LDAP01 config? How would I carry over the existing DB entries without using replication? I'm still a novice when it comes to OLC.
As for the ACL, that was a result of my sloppy email editing. I changed the name of the DNs. They actually match in my config. Once I proof-of-concept the replication I will create replication-only user DNs.
But nothing looks overtly amiss with my CSNs or UUIDs?
Thanks, Josh
On Tue, Sep 16, 2014 at 10:16 AM, Michael Ströder michael@stroeder.com wrote:
Josh Nielsen wrote:
OLC server (LDAP01 - version 2.4.23) the new master and threw up a new VM called LDAP02 (2.4.23) to become the new sync replication slave/consumer.
Don't use such an ancient version which is four years old now. Many syncrepl issues have been fixed since then (and are to be fixed in upcoming 2.4.40).
And better don't argue that you have to use your favourite distribution's packages. We had this discussion here numerous times.
And of course it could be an ACL issue in your particular configuration. In particular you have
olcRootDN: cn=admin,dc=mydomain,dc=org
but
olcSyncrepl: {0} [..] binddn="cn=root,dc=mydomain,dc=org"
Anyway you should not use rootdn for anything. Set up proper group-based ACLs for service accounts instead.
...
Ciao, Michael.
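The thread above points at two concrete fixes: stop binding the consumer as the rootdn, and make sure the DN in olcSyncrepl is one that actually exists and is granted read access by the provider's ACLs. The following is an added worked example of what that looks like in OLC; it is not configuration from either participant's server. It assumes the suffix dc=mydomain,dc=org used in the thread, a provider hostname ldap01.mydomain.org, an ou=services / ou=groups layout, and an hdb backend at olcDatabase={1}hdb (check the actual index and backend with slapcat -n 0 before applying). Passwords shown are placeholders.

```ldif
# --- Provider (LDAP01): a dedicated replication identity and a group that carries the ACL ---
# Assumption: ou=services and ou=groups already exist under dc=mydomain,dc=org.
# Generate the hash with `slappasswd -s <password>` and paste it as the userPassword value.
dn: cn=replicator,ou=services,dc=mydomain,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: replicator
description: syncrepl bind identity for consumers (no interactive use)
userPassword: {SSHA}REPLACE_WITH_OUTPUT_OF_SLAPPASSWD

dn: cn=replicators,ou=groups,dc=mydomain,dc=org
objectClass: groupOfNames
cn: replicators
member: cn=replicator,ou=services,dc=mydomain,dc=org

# Grant the group read access to the whole suffix and lift the size/time limits,
# otherwise a large initial refresh is truncated or fails silently on the consumer.
# The {0} prefix inserts this rule ahead of the existing olcAccess rules so it is
# evaluated first; "by * break" hands everyone else on to the rules that follow.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to *
  by group.exact="cn=replicators,ou=groups,dc=mydomain,dc=org" read
  by * break
-
add: olcLimits
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=mydomain,dc=org"
  size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# --- Consumer (LDAP02): bind as the service account, not as cn=admin or cn=root ---
# binddn must be the exact DN created above; credentials is the clear-text password
# whose hash was stored on the provider. starttls=critical assumes TLS is configured
# on LDAP01; without it the password crosses the wire in clear text.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: {0}rid=001
  provider=ldap://ldap01.mydomain.org
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=mydomain,dc=org"
  bindmethod=simple
  binddn="cn=replicator,ou=services,dc=mydomain,dc=org"
  credentials=REPLACE_WITH_CLEARTEXT_PASSWORD
  starttls=critical
-
replace: olcUpdateRef
olcUpdateRef: ldap://ldap01.mydomain.org
```

Apply the provider part with ldapmodify/ldapadd against LDAP01 and the consumer part against LDAP02's cn=config, then verify the ACL independently of syncrepl before blaming CSNs or UUIDs: an ldapsearch from LDAP02 binding as cn=replicator with a base of dc=mydomain,dc=org should return every entry, including operational attributes such as entryCSN and contextCSN when you ask for them with "+". The read rule deliberately covers userPassword as well, since a consumer that cannot read it cannot replicate it. For the one-time copy of existing entries asked about above, the usual path is slapcat -n 1 on LDAP01 and slapadd of that LDIF on LDAP02 with slapd stopped, after which syncrepl only has to catch up from the imported contextCSN rather than perform a full initial refresh.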