--On Monday, February 03, 2014 2:26 PM -0500 "Borresen, John - 0442 - MITLL" John.Borresen@ll.mit.edu wrote:
Ok,
Sanity Check, please. Still seeing "empty syncUUID" messages. Also, the "userPassword" attributes on mm-server2, cannot be seen (via Apache Directory Studio -- but show up with ldapsearch), but when I attempt to add (via ldapmodify) it returns value already present.
if it shows up with ldapsearch when binding as uid=ldapreplicator,ou=admins,dc=example,dc=ldap then you are set. I have no idea who/what you are binding with via apache dir studio.
# {1}bdb, config dn: olcDatabase={1}bdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none olcAccess: {1}to * by * read
Unless you plan on doing some really bizarre things, it is unlikely your ldapadmin needs manage access. See http://www.openldap.org/its/index.cgi/?findid=7795
# {2}bdb, config dn: olcDatabase={2}bdb,cn=config olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none
The replicator only ever needs read access, not write.
Also separate nit. You should be doing dn.exact in the first set of ACLs as well (you have it correctly in the second set).
--Quanah
--
Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration