Hi,
thanks for your answer.
a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)
b) I tested several possibilities but I didn't manage to make it work.
Either the problem stayed the same, either the replication didn't work
anymore, either I couldn't access to rpuser.
I understand that :
- rpuser should have read/write access to its password (to
attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)
- rpuser should have read/write access to all data (to * by
dn="uid=rpuser,dc=foo,dc=bar" write)
- other users should have read access to their password (I don't want
they could change it by themselves) and anonymous should authenticate
(to attrs=userPassword by self read by anonymous auth by * none)
Am I right ?
Regards,
Vincent
Le 08/01/2020 à 19:13, Quanah Gibson-Mount a écrit :
--On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot
<vincent.ducot(a)rubycat.eu> wrote:
>
> Hi all,
> I'm testing multi-master replication between (at least 2) openldap
> nodes
> (2.4.45, on Ubuntu 18.04) and facing a problem with replication account.
> Any idea of what could cause this problem ?
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=nodomain
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth
> by *
> none
> olcAccess: {1}to attrs=shadowLastChange by self write by * read
> olcAccess: {2}to * by * read
> # {2}mdb, config
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {2}mdb
> olcDbDirectory: /var/lab/ldap
> olcSuffix: dc=foo,dc=bar
> olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by *
> none
> olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self
> write by
> user
> s read by * none
> olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
> olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write
I see multiple problems with your configuration.
a) You have two different databases storing their DBs in the same
location (/var/lib/ldap). I can't even imagine the havoc and
destruction that would cause.
b) Your ACLs are broken. The "rpuser" account has no ability to
replicate userPassword, since it can't read it. Also, ACLs #2 and #3
here will never be evaluated, since it's already covered in ACL#1 (by
users read). Since it can't replicate userPassword, that value is
getting lost from server#2, explaining why you can't bind to it after
replication starts.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<
http://www.symas.com>