--On Friday, February 14, 2020 8:51 AM +0100 Jehan PROCACCIA jehan.procaccia@imtbs-tsp.eu wrote:
indeed , https://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl seems to be far more efficient in most cases, I'll give it a try , thanks
Hi,
I have the following notes:
This ACL on the replica (and similar one on the master) is non-sensical:
{0}to attrs=userPassword,sambaNTPassword,sambaPwdLastSet by self auth by anonymous auth by dn.base="cn=repint,ou=dsa,dc=int,dc=fr" r ead by * none
"by self auth" doesn't do anything, since you have to already be authenticated to be "self". This should be fixed on both the master and the replica.
You also switch format on the replica in ACLs {1} and {2}, although they are covering the same namespace. You could make them read cleaner by being consistent (Either use * or dn.subtree="dc=int,dc=fr" consistently).
On the replica, your syncrepl stanza is a bit odd. You specify you want to use a simple bind, and then you provide a TLS key and TLS cert, which would be used for client side cert auth. If you're doing a simple bind, you should only need to set the tls_cacert and tls_reqcert parameters here. I would also strongly advise setting a keepalive (I usually use 240:10:30)
You also seem to have three different replication accounts in use, as the master has ACLs for these identities:
cn=repint,ou=dsa,dc=int,dc=fr cn=replicator,ou=system,dc=int,dc=fr cn=repz,ou=system,dc=int,dc=fr
On the master, ACL {1} is a bit odd, in that you list a bunch of entities as having read access, and then end with "by * read". You could drastically simplify this ACL by making it just list your write access for the ldapadmin group followed with by * read
On the master, ACL {3} is problematic as it grants write access to internal attributes that only the slapd process should be modifying, such as: modifyTimestamp,createTimestamp,structuralObjectClass,creatorsName,entryCSN,modifiersName,subschemaSubentry,hasSubordinates,ObjectClass
ACL {6} has a similar bit I noted previously about by * read.
ACL {7} should just be "by * read"
on the master, the olcLimits could be simplified to just be:
olcLimits: {0}dn.base="cn=repint,ou=dsa,dc=int,dc=fr" size=unlimited time=unlimited
I would note that there are missing limit exceptions for the other 2 replicator accounts if that is indeed what they are.
Generally I don't see anything obviously incorrect as far as the replication portion goes, so it's not clear to me why you're seeing the behavior you got. I've never set schemachecking to be on when configuring sync replication of either type, so I wonder if there's a bug in there. The OpenLDAP test suite also does not set schema checking to be on, so I'll see if tweaking it there causes any incorrect failures.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com