Hello everybody

I'm trying to start a two-server multi-master installation.

OpenLDAP is 2.4.23 built from sources, bdb 4.8.30

Configure options are: --enable-crypt --enable-overlays --enable-ppolicy --enable-memberof (maybe some are unneeded).

OS is Centos 5.5, patched, virtual machines.

LDAP servers are addressed by clients through round-robin DNS registration.

Behaviour: when an LDAP user connected to a client tries to change their password through the passwd command, on the LDAP server the client reached through DNS name resolution userPassword and shadowLastChange are updated; on the other LDAP server the userPassword attribute disappears (checked with slapcat).

I suppose this happens because on the userPassword attribute there are ACLs (reported below) that permit only read access to syncuser.

In fact, if I change the syncrepl instances and swap syncuser with admin (rootDN), the password change succeeds and is replicated too.

Now the question to the list: if I don't want the rootDN used for replication, must I give write permissions to syncuser to guarantee replication, leaving the "bug" of having a write-capable account's password written in clear text in the config file? Is there a smarter method to reach the goal?

I apologize if the solution is written in the documentation, but I've tried to find it without success.

Slapd config is still supplied through slapd.conf.

These are the ACLs on the bdb instance for the userPassword and shadowLastChange attributes:

access to attrs=userPassword
       by dn="cn=admin,dc=somedomain,dc=it" write
       by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
       by anonymous auth
       by self write
       by * none

access to attrs=shadowLastChange
       by dn="cn=admin,dc=somedomain,dc=it" write
       by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
       by self write
       by * read

syncrepl is configured as follows:

syncrepl rid=000
  provider=ldap://server1.somedomain.it:389
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=somedomain,dc=it"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=syncuser,dc=somedomain,dc=it"
  credentials=syncuser_password

syncrepl rid=001
  provider=ldap://server2.somedomain.it:389
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=somedomain,dc=it"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=syncuser,dc=somedomain,dc=it"
  credentials=syncuser_password

MirrorMode TRUE

Obviously the servers are identified as serverID 001 and serverID 002, and both are started to listen only on their FQDN.

Thanks to all for your attention and support.

Roberto Nunin

Comifar Service SpA

Italy
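On an OpenLDAP 2.4 provider, the sync search that feeds a syncrepl consumer is subject to the provider's ACLs: the first `access to` directive covering the attribute is selected, and within it the first `by` clause whose identity matches decides the access level. Any attribute the replication identity cannot read is simply absent from what the consumer receives, and with attrs="*,+" the consumer then treats it as removed from the entry. The consumer applies what it receives with its own rootdn privileges, so the replication identity needs read, not write, on the provider. Before widening permissions, a useful check is to evaluate what access the syncrepl binddn actually gets under that first-match evaluation. The script below is an added example, not code from the post or from the OpenLDAP project: it parses the slapd.conf subset used in the post (attrs= targets; dn=, dn.base/exact/one/subtree/children, anonymous, users, self and * clauses; plain access levels) and replays slapd's first-match evaluation. The sample configuration is constructed from the ACL and syncrepl stanzas in the post.

```python
"""Audit whether a syncrepl binddn can read the attributes it replicates,
replaying slapd's first-match ACL evaluation (slapd.access(5)).

Added example, not from the post or from OpenLDAP. Only the slapd.conf
subset used in the post is parsed; unsupported <who> styles (regex, group,
set, ...) are treated as non-matching.
"""
import re
from dataclasses import dataclass

# Access levels from lowest to highest, as defined by slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    attrs: set      # attribute names covered by this 'access to attrs=' rule
    clauses: list   # (who, level) pairs in the order written


def norm_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def parse_slapd_conf(text):
    """Return (ACL rules, syncrepl binddns) from slapd.conf text."""
    rules, binddns, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("access "):
            m = re.match(r"access\s+to\s+attrs=(\S+)$", line, re.I)
            # An 'access to' form we do not model ends the current attrs= rule.
            cur = Rule({a.lower() for a in m.group(1).split(",")}, []) if m else None
            if cur:
                rules.append(cur)
            continue
        m = re.match(r"by\s+(.+?)\s+(%s)$" % "|".join(LEVELS), line, re.I)
        if m and cur is not None:
            cur.clauses.append((m.group(1), m.group(2).lower()))
            continue
        m = re.match(r"binddn=(.+)$", line, re.I)
        if m:
            binddns.append(m.group(1).strip().strip('"'))
    return rules, binddns


def who_matches(who, binddn):
    """Does a <who> clause match an authenticated identity reading another entry?
    'self' never matches here: the replication identity is not the entry it reads."""
    who = who.strip()
    if who == "*" or who.lower() == "users":
        return True
    if who.lower() in ("anonymous", "self"):
        return False
    m = re.match(r"dn(?:\.(exact|base|one|subtree|children))?=(.+)$", who, re.I)
    if not m:
        return False
    style, target = (m.group(1) or "exact").lower(), norm_dn(m.group(2))
    me = norm_dn(binddn)
    if style in ("exact", "base"):     # a bare dn= is dn.exact
        return me == target
    if style == "subtree":
        return me == target or me.endswith("," + target)
    if style == "children":
        return me != target and me.endswith("," + target)
    if style == "one":                 # exactly one RDN below the target
        return me.endswith("," + target) and "," not in me[: -len(target) - 1]
    return False


def effective_access(rules, attr, binddn):
    """Level <binddn> gets on <attr>: first rule covering the attribute, then its
    first matching by clause. No matching rule or clause is treated as 'none',
    which is what slapd does once ACLs are present."""
    for rule in rules:
        if attr.lower() in rule.attrs:
            for who, level in rule.clauses:
                if who_matches(who, binddn):
                    return level
            return "none"
    return "none"


def audit(conf_text, attrs):
    """List (binddn, attr, level) for replication identities that cannot read
    an attribute; such attributes will be missing from the replicated entry."""
    rules, binddns = parse_slapd_conf(conf_text)
    findings = []
    for dn in sorted(set(binddns)):
        for attr in attrs:
            level = effective_access(rules, attr, dn)
            if LEVELS.index(level) < LEVELS.index("read"):
                findings.append((dn, attr, level))
    return findings


# Constructed sample: the ACL and syncrepl stanzas from the post.
SAMPLE_CONF = """\
access to attrs=userPassword
       by dn="cn=admin,dc=somedomain,dc=it" write
       by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
       by anonymous auth
       by self write
       by * none
access to attrs=shadowLastChange
       by dn="cn=admin,dc=somedomain,dc=it" write
       by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
       by self write
       by * read
syncrepl rid=000
  provider=ldap://server1.somedomain.it:389
  type=refreshAndPersist
  searchbase="dc=somedomain,dc=it"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=syncuser,dc=somedomain,dc=it"
  credentials=syncuser_password
"""

if __name__ == "__main__":
    for dn, attr, level in audit(SAMPLE_CONF, ["userPassword", "shadowLastChange"]):
        print(f"{dn}: {attr} -> {level} (attribute will be absent on the consumer)")
```

Run on that sample, audit() reports a single finding: the binddn in the syncrepl stanzas (`cn=syncuser,dc=somedomain,dc=it`) matches no dn clause of the userPassword rule, whose dn.base clause names the identity under ou=People, so evaluation falls through to `by * none`; for shadowLastChange the same identity reaches `by * read`. Whether the ACL or the binddn carries the intended DN is for the administrator to decide; the check only shows what the provider will hand out. The same question can be confirmed on a live provider with ldapsearch bound as the replication identity and requesting userPassword explicitly.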
