Re: Replication account problem

--On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot <vincent.ducot(a)rubycat.eu&gt; wrote: > > Hi all, >  I'm testing multi-master replication between (at least 2) openldap > nodes > (2.4.45, on Ubuntu 18.04) and facing a problem with replication account. > Any idea of what could cause this problem ? > # {1}mdb, config >  dn: olcDatabase={1}mdb,cn=config >  objectClass: olcDatabaseConfig >  objectClass: olcMdbConfig >  olcDatabase: {1}mdb >  olcDbDirectory: /var/lib/ldap >  olcSuffix: dc=nodomain >  olcAccess: {0}to attrs=userPassword by self write by anonymous auth > by * > none >  olcAccess: {1}to attrs=shadowLastChange by self write by * read >  olcAccess: {2}to * by * read > # {2}mdb, config >  dn: olcDatabase={2}mdb,cn=config >  objectClass: olcDatabaseConfig >  objectClass: olcMdbConfig >  olcDatabase: {2}mdb >  olcDbDirectory: /var/lab/ldap >  olcSuffix: dc=foo,dc=bar >  olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * > none >  olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self > write by > user >   s read by * none >  olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read >  olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write I see multiple problems with your configuration. a) You have two different databases storing their DBs in the same location (/var/lib/ldap).  I can't even imagine the havoc and destruction that would cause. b) Your ACLs are broken.  The "rpuser" account has no ability to replicate userPassword, since it can't read it.  Also, ACLs #2 and #3 here will never be evaluated, since it's already covered in ACL#1 (by users read).  Since it can't replicate userPassword, that value is getting lost from server#2, explaining why you can't bind to it after replication starts. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>