2013/5/17 Howard Chu <hyc@symas.com>
Igor Zinovik wrote:
   Hello.

I'm trying to replicate access rules and limits for one of my databases, but
with no success:
suse:~ # cat olcAccess-syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {1}rid=002
   provider=ldap://ldap1.local
   bindmethod=simple
   binddn="cn=admin,cn=config"
   credentials="TopSecret"
   searchbase="olcDatabase={1}mdb,cn=config"
   attrs="olcAccess,olcLimits"
   timeout=3
   network-timeout=0
   starttls=yes
   tls_cert="/etc/openldap/ldap.pem"
   tls_key="/etc/openldap/ldap.key"
   tls_cacert="/etc/ssl/local-ca.pem"
   tls_reqcert=demand
   tls_crlcheck=none


suse:~ # ldapmodify -H ldap://ldap2.local -ZZxWD cn=admin,cn=config -f
olcAccess-syncrepl.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
         additional info: Base DN "olcAccess,olcLimits" is not within the
database naming context

> slapd-2.4.33 if it matters.

The error message is a bit garbled (obviously the Base DN is wrong) but the error is basically correct. You're trying to replicate the wrong thing from the wrong place. Setting a syncrepl consumer on the olcDatabase={1}mdb database lets you replicate the *content* of that database. To replicate the *configuration* of that database your consumer must be set where that configuration is stored.

The configuration is stored in olcDatabase={0}config.

Thanks Howard, but I still cannot get things working.

Could you exaplain me following (i read documentation but it is not clear enough for me to understand):
Does parameter `searchbase' in olcSyncrepl configuration statement set search starting point or it sets
just a database name (which is set in olcSuffix) where search is performed?

Here is my configuration provider setup:
ldap1:~ # ldapsearch -H ldap://ldap1.local -LLLZZxWD cn=admin,cn=config -b olcOverlay={0}syncprov,olcDatabase={0}config,cn=config '&'
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Here is my configuration consumer:
ldap2:~ # ldapsearch -H ldap://ldap2.local -LLLZZxWD cn=admin,cn=config -b olcDatabase={0}config,cn=config '&' olcSyncrepl
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none


A bit offtopic: could you guys implement some kind of human friendly formatting for long line statements and ACLs? So
previous statement would look like this when i fetch it from catalog:
olcSyncrepl: {0}rid=001
 provider=ldap://ldap1.local
 bindmethod=simple
 binddn="cn=admin,cn=config"
 credentials="TopSecret"
 searchbase="cn=config"
 scope=sub
 filter="(olcDatabase={1}mdb)"
 attrs="olcAccess,olcLimits"
 retry="60 +"
 timeout=3
 network-timeout=0
 starttls=yes
 tls_cert="/etc/openldap/ldap.pem"
 tls_key="/etc/openldap/ldap.key"
 tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand
 tls_crlcheck=none