--On Wednesday, March 07, 2018 11:46 AM -0800 Quanah Gibson-Mount quanah@symas.com wrote:
Hi Gerard,
I'll see if I can reproduce via tweaking test059.
I changed test059 to modify an ACL in the cn=config,cn=slave DB, and it works (replicates to the slave) without issue.
Diff is:
diff --git a/tests/scripts/test059-slave-config b/tests/scripts/test059-slave-config index ece5738..a349670 100755 --- a/tests/scripts/test059-slave-config +++ b/tests/scripts/test059-slave-config @@ -319,6 +319,8 @@ olcSuffix: $BASEDN ${nullExclude}olcDbDirectory: $DBDIR1B olcRootDN: $MANAGERDN olcRootPW: $PASSWD +olcAccess: {0}to attrs=userPassword by * manage +olcAccess: {1}to * by * manage olcSyncRepl: rid=002 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE retry="3 5 300 5" timeout=3 @@ -338,7 +340,9 @@ olcSuffix: $BASEDN ${nullExclude}olcDbDirectory: $DBDIR2A olcRootDN: $MANAGERDN olcRootPW: $PASSWD -olcSyncRepl: rid=002 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple +olcAccess: {0}to attrs=userPassword by * manage +olcAccess: {1}to * by * manage +olcSyncRepl: {0}rid=002 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple credentials=$PASSWD searchbase="$BASEDN" $SYNCTYPE retry="3 5 300 5" timeout=3 olcUpdateRef: $URI1 @@ -367,6 +371,22 @@ EOF fi fi
+$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >>$TESTOUT 2>&1 +dn: olcDatabase={1}$BACKEND,cn=config,cn=slave +changetype: modify +delete: olcAccess +olcAccess: {0} +- +add: olcAccess +olcAccess: {0}to attrs=userPassword by * write +EOF +RC=$? +if test $RC != 0 ; then + echo "ldapadd modify for database config ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + echo "Using ldapadd to populate provider..." $LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDERED \ >> $TESTOUT 2>&1
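Review bot: In the hunk at @@ -319,6 +319,8 @@, the two added olcAccess lines both grant manage to *, so rule {0} on userPassword is redundant with rule {1} until the later ldapmodify replaces it. A short comment saying that {0} exists only as the target of that modify would make the intent clear. Because "by * manage" also covers anonymous binds, the comment should mark these ACLs as test-only fixtures.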
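Review bot: In the hunk at @@ -338,7 +340,9 @@, olcSyncRepl gains an explicit {0} ordering prefix, while the olcSyncRepl line of the database in the previous hunk is left without one. If the prefix is needed for the reproduction, say why in a comment. Otherwise drop it, so the two database definitions stay consistent and the diff exercises only the ACL change.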
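Review bot: The new $LDAPMODIFY block in the hunk at @@ -367,6 +371,22 @@ checks only the exit code of the modify sent to $URI1. Nothing in the visible lines reads olcAccess back from the consumer, so a passing run does not by itself show that the change replicated. Suggest searching the consumer's config for the new "{0}to attrs=userPassword by * write" value after the modify and failing if it is absent. The failure message "ldapadd modify for database config ($RC)!" should also name ldapmodify and say that it failed.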
You would need to provide significantly more detailed information on the state of your database (i.e., what the ACL was you were changing and how you were attempting to change it, etc.) to really pursue this further. All I can say at the moment is "works for me".
Warm regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com