Quoting Francesco Malvezzi francesco.malvezzi@unimore.it:
good morning,
I would like to be able to replicate the schema info only from cn=config.
I tried to add the olcSyncrepl to cn=schema:

dn: cn=schema,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: ....

but it doesn't work: <olcSyncrepl> only allowed within database declaration
The correct way to enable replication after cn=config already exists is with ldapmodify:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl

It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with a filter like:

olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple
 searchbase="cn=schema,cn=config" filter="(!(cn=core))"

but then the whole olcDatabase={0}config,cn=config becomes a shadow context and I'm unable to ldapmodify anything (olcLoglevel, for example).
What am I missing?
You need to set up all rids in your modify operation, each listing a provider with its own URI. Optionally, you could even have different credentials pointing in different directions; nothing prevents this. For n-way replication, you need to perform the same modification on all n sides. Otherwise your replicas will be read-only, as you have seen. This is the same for any database, not just n0. Go back and enable CRL checking after you are sure that it works, if using TLS.

Example; change the macros to suit your setup and apply this same LDIF to each of your replicas:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncrepl: rid=001 provider=%%LDAP_URI_1%% bindmethod=simple
 timeout=0 network-timeout=0
 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
 keepalive=0:0:0 starttls=critical
 tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
 tls_key="%%LDAP_SERVER%%/ssl/key.pem"
 tls_cacert="%%CA_CHAIN_SERVERS%%" tls_reqcert=demand tls_crlcheck=none
 filter="(objectclass=*)" searchbase="cn=config" scope=sub attrs="*,+"
 schemachecking=off type=refreshAndPersist retry="60 +"
olcSyncrepl: rid=002 provider=%%LDAP_URI_2%% bindmethod=simple
 timeout=0 network-timeout=0
 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
 keepalive=0:0:0 starttls=critical
 tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
 tls_key="%%LDAP_SERVER%%/ssl/key.pem"
 tls_cacert="%%CA_CHAIN_SERVERS%%" tls_reqcert=demand tls_crlcheck=none
 filter="(objectclass=*)" searchbase="cn=config" scope=sub attrs="*,+"
 schemachecking=off type=refreshAndPersist retry="60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
-mike
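As an added example (not part of either mail above), here is a small POSIX shell script that renders the two-rid LDIF from Mike's reply with the %%MACRO%% placeholders filled in from environment variables, applies it to the local slapd over ldapi:/// with SASL EXTERNAL, and shows how to confirm afterwards that both rids and olcMirrorMode landed in olcDatabase={0}config. The hostnames, DNs, password, certificate paths and the ldapi:/// access method are assumptions for illustration; the CRL-check setting is parameterised so it can be switched from none to all once replication is known to work, as the reply advises. Note that the config rootdn password ends up in cleartext inside the olcSyncrepl values, so restrict who can read cn=config and the shell history/environment this runs from.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the config-database
# syncrepl LDIF for an n-way (here two-node) mirror and applies it locally.
# Run the same script, with the same values, on every replica.
# All values below are placeholders / assumptions; override via environment.

LDAP_URI_1="${LDAP_URI_1:-ldap://ldap1.example.com}"
LDAP_URI_2="${LDAP_URI_2:-ldap://ldap2.example.com}"
CONFIG_ROOT_DN="${CONFIG_ROOT_DN:-cn=admin,cn=config}"
CONFIG_ROOT_PW="${CONFIG_ROOT_PW:-change-me}"           # assumed secret
LDAP_SERVER="${LDAP_SERVER:-/etc/openldap}"             # holds ssl/cert.pem, ssl/key.pem
CA_CHAIN_SERVERS="${CA_CHAIN_SERVERS:-/etc/openldap/ssl/ca-chain.pem}"
CRLCHECK="${CRLCHECK:-none}"   # use "none" only while testing; set to "all" afterwards

# syncrepl_value RID URI -> one olcSyncrepl value on a single line.
# Mirrors the parameter set from the reply; only rid and provider differ per entry.
syncrepl_value() {
  printf 'rid=%s provider=%s bindmethod=simple timeout=0 network-timeout=0 binddn="%s" credentials="%s" keepalive=0:0:0 starttls=critical tls_cert="%s/ssl/cert.pem" tls_key="%s/ssl/key.pem" tls_cacert="%s" tls_reqcert=demand tls_crlcheck=%s filter="(objectclass=*)" searchbase="cn=config" scope=sub attrs="*,+" schemachecking=off type=refreshAndPersist retry="60 +"\n' \
    "$1" "$2" "$CONFIG_ROOT_DN" "$CONFIG_ROOT_PW" "$LDAP_SERVER" "$LDAP_SERVER" \
    "$CA_CHAIN_SERVERS" "$CRLCHECK"
}

# render_ldif -> the complete modify LDIF: one rid per provider, then mirror
# mode in the same operation so the database does not end up as a read-only
# shadow (the symptom described in the question).
render_ldif() {
  printf 'dn: olcDatabase={0}config,cn=config\n'
  printf 'changetype: modify\n'
  printf 'add: olcSyncrepl\n'
  printf 'olcSyncrepl: %s\n' "$(syncrepl_value 001 "$LDAP_URI_1")"
  printf 'olcSyncrepl: %s\n' "$(syncrepl_value 002 "$LDAP_URI_2")"
  printf '%s\n' -
  printf 'add: olcMirrorMode\n'
  printf 'olcMirrorMode: TRUE\n'
}

# count_rids -> number of olcSyncrepl values in the rendered LDIF (sanity check
# before applying: n-way replication needs one rid per provider).
count_rids() {
  render_ldif | grep -c '^olcSyncrepl: rid='
}

# apply_to_local_replica: feed the LDIF to the local slapd as the OS root
# identity over the ldapi socket (assumes olcAccess grants that identity
# write access to cn=config, the usual distribution default).
apply_to_local_replica() {
  render_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# show_config_replication: read back what slapd stored, to confirm both rids
# and olcMirrorMode are present before testing writes (e.g. changing olcLoglevel).
show_config_replication() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// \
    -b 'olcDatabase={0}config,cn=config' -s base olcSyncrepl olcMirrorMode
}

# Top level: print the LDIF by default; set APPLY_CONFIG_SYNCREPL=1 to apply it.
if [ "${APPLY_CONFIG_SYNCREPL:-0}" = "1" ]; then
  apply_to_local_replica && show_config_replication
else
  render_ldif
fi
```

Set CRLCHECK=all and re-run the generated modify as a replace (or edit the values in place) once both nodes show each other's changes; leaving tls_crlcheck=none in production removes revocation checking on the replication link.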