Hello,
We have two OpenLDAP servers in master-slave replication. I just found a replication issue on the slave, and I think it is ACL related.
A few weeks ago I added an ACL on the master (ldap-01) to allow users to change their own password:
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
structuralObjectClass: olcHdbConfig
entryUUID: 3b7e5722-d26f-1035-7735-91213c5bb357
creatorsName: cn=config
createTimestamp: 20160629180122Z
olcSuffix: dc=van,dc=company,dc=com
olcRootDN: cn=Manager,dc=van,dc=company,dc=com
olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjnvSUl2enZzWTF1akt4Nnd6OTk=
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=van,dc=company,dc=com" write by * none
olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc=com" write by * read
entryCSN: 20200504150528.806636Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20200504150528Z
Now I found that on the slave (ldap-03) all userPassword attributes have disappeared. So I think the ACL may have blocked the replication. I think I need to add the replication user (rpuser) to the ACL on the master and allow rpuser read (or RW?) access.
Could someone check my ACL and see if my guess is correct? If so, how do I add (or append to?) the ACL to allow replication of userPassword?
Thank you in advance.
Gao
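The following is an added illustration, not part of Gao's post and not OpenLDAP code. It models the first-match rule of slapd.access(5) for the {0} clause above: within one "to" clause the first "by <who> <access>" whose <who> matches the bound DN decides the outcome, so the trailing "by * none" denies everyone not named before it, including the syncrepl consumer's bind DN. A syncrepl provider sends each attribute only if the consumer's bind identity can read it, which is why userPassword is missing on ldap-03. The script shows the original clause denying read to the replication account, the corrected clause granting it read (write is not needed for replication), and the LDIF that replaces the ordered olcAccess list on the provider. The replication DN cn=rpuser,dc=van,dc=company,dc=com and the sample entry uid=alice are assumptions; the post names the account only as "rpuser".

```python
"""
Toy evaluator for OpenLDAP olcAccess "by" clauses, modelled on the
first-match rule in slapd.access(5). Added illustration, not slapd code.
Assumed: the replication bind DN is cn=rpuser,dc=van,dc=company,dc=com.
"""
import re

# Access levels in slapd.access(5) order; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SUFFIX = "dc=van,dc=company,dc=com"
MANAGER_DN = f"cn=Manager,{SUFFIX}"
RPUSER_DN = f"cn=rpuser,{SUFFIX}"   # assumption: the post only says "rpuser"

# The {0} clause from the post, as an ordered list of (who, access) pairs.
ORIGINAL_BY = [
    ("self", "write"),
    ("anonymous", "auth"),
    (f'dn.base="{MANAGER_DN}"', "write"),
    ("*", "none"),
]

# The fix: grant the replication DN read *before* the deny-all "by * none".
FIXED_BY = ORIGINAL_BY[:3] + [(f'dn.exact="{RPUSER_DN}"', "read")] + ORIGINAL_BY[3:]


def who_matches(who, bind_dn, target_dn):
    """Return True if a <who> selector matches bind_dn for the entry target_dn."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.(base|exact)="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(2).lower()
    raise ValueError(f"unsupported who selector: {who}")


def granted(by_clauses, bind_dn, target_dn):
    """First matching 'by' wins; no match at all is an implicit 'none'."""
    for who, access in by_clauses:
        if who_matches(who, bind_dn, target_dn):
            return access
    return "none"


def can(level_needed, level_granted):
    return LEVELS.index(level_granted) >= LEVELS.index(level_needed)


def userpassword_replicated(by_clauses, bind_dn, target_dn):
    """Syncrepl sends an attribute only if the consumer's bind DN can read it."""
    return can("read", granted(by_clauses, bind_dn, target_dn))


def olc_access_value(by_clauses, index=0, what="attrs=userPassword"):
    """Render the clause as one olcAccess value with its ordering prefix."""
    bys = " ".join(f"by {who} {access}" for who, access in by_clauses)
    return f"{{{index}}}to {what} {bys}"


def fix_ldif():
    """LDIF for the provider (ldap-01): olcAccess is an ordered list, so the
    whole list is replaced, keeping the {1} clause exactly as posted."""
    acl1 = f'{{1}}to * by self write by dn="{MANAGER_DN}" write by * read'
    return "\n".join([
        "dn: olcDatabase={2}hdb,cn=config",
        "changetype: modify",
        "replace: olcAccess",
        "olcAccess: " + olc_access_value(FIXED_BY),
        "olcAccess: " + acl1,
        "",
    ])


if __name__ == "__main__":
    user = f"uid=alice,ou=people,{SUFFIX}"   # constructed sample entry
    print("original ACL, rpuser can read userPassword:",
          userpassword_replicated(ORIGINAL_BY, RPUSER_DN, user))
    print("fixed ACL, rpuser can read userPassword:   ",
          userpassword_replicated(FIXED_BY, RPUSER_DN, user))
    print(fix_ldif())
```

The post's modifiersName shows the ACL was set over ldapi:/// with SASL EXTERNAL, so the generated LDIF would be applied the same way on ldap-01 (ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif). The ACL change alone does not re-send entries the consumer already holds without userPassword; those are re-sent when they next change or when the consumer does a full refresh.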