Thanks for replying, from what I see in your answer, I have already distracted a and b,   I can say c is also ruled out but I would like to double check it, maybe acls are not processing in the expected order.
What is the best way to troubleshoot acls?? Any recommended log level?



Ulises Gonzalez Horta

Lead Linux Engineer

C: 786 450 2970/ 240 727 6267

E: ugonzalezhorta@breezeline.com

 



On Fri, Dec 27, 2024 at 2:09 PM Quanah Gibson-Mount <quanah@fast-mail.org> wrote:


--On Friday, December 27, 2024 10:34 AM -0500 Ulises Gonzalez Horta
<ugonzalezhorta@breezeline.com> wrote:

>
>
> Good morning
>
> I am trying to setup a replication in ldap 2.5, using syncrepl, I have a
> provider server and a consumer, both of the servers are running 2.5.11
> from Ubuntu 22.04, I followed the admin guide chapter 18.3.1 to do the
> configuration.  I have some information on the provider that is
> successfully being replicated to the consumer without any errors
>
>
> Consumer configuration
> ldapsearch  -Y EXTERNAL -H ldapi:/// -b cn=config olcSyncRepl
> olcUpdateref
> dn: olcDatabase={1}mdb,cn=config
> olcSyncrepl: {0}rid=100 provider=ldap://provider:389 type=refr
>  eshOnly interval=00:00:05:00 retry="300 +"
> searchbase="dc=metrocast,dc=net" f
>  ilter="(|(entryDN:=dc=metrocast,dc=net)(entryDN:dnOneLevelMatch:=dc=met


Why do you have such a complicated filter?



> On the consumer this same query returns error 49
>
> ldapsearch  -Z  -LLL -H ldap://providert:389 -D
> "uid=user1,ou=employees,dc=metrocast,dc=net" -W -b
> "ou=employees,dc=metrocast,dc=net" "(mail=*pepe@breezeline.com)

Either:

a) The user entry doesn't exist
b) The user entry is missing the userPassword attribute
c) The ACLs don't allow anonymous "auth" access on the userPassword
attribute

--Quanah