Re: Syncrepl only partially working

On Fri, Oct 28, 2016 at 09:50:30PM -0600, Joshua Schaeffer wrote: You may have done this - I didn't see it - but if you change the suffix this way when there are existing entries in that database, and you don't clear them out, you risk exposing yourself to issues such as <https://bugs.debian.org/546368>;. If you change your suffix this way, after you do it, consider initializing a new, empty database: stop slapd, rm /var/lib/ldap/*, and start it again. I'm bringing this up because it looks like you're using the Debian/Ubuntu package, which does indeed add a couple of entries to the default database during setup. As I understand it, using Kerberos with OpenLDAP already gets you an encrypted transport - I believe using TLS on top of that is redundant. That looks fine, the GSSAPI bind seems to have succeeded. So at this point, based on your ACLs above, I'd expect it to be able to read all of your data (to * by * read), except for the userPassword and shadowLastChange attributes. Odd - I was expecting to see a RESULT line there. Not sure what that means. I guess something goes wrong on the client and it aborts early? It would be interesting to see logs from the syncrepl consumer, at loglevel 'sync', when you bring it up with an empty database. If you do an ldapsearch against the provider as anonymous, or doing a GSSAPI bind using that sevice ticket, do you see all the data returned that you expected? If you want a decent example config to compare your work against, I would suggest rjsystems' articles: http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php It's a little dated, but not too badly. (For example, most or all of the bugs he mentions have since been fixed; and the hdb backend is deprecated now in favour of mdb.)