OpenLDAP 2.4.31
I create my read-only LDAP hosts with a stub config that contains a syncrepl statement:
olcSyncrepl: {0}rid=001 provider=ldaps://ldap.savagebeast.com binddn="cn=admin,cn=config,cn=slave" bindmethod=simple credentials=$PW searchbase="cn=config,cn=slave" type=refreshAndPersist retry="60 +" timeout=3 suffixmassage="cn=config" schemachecking=off
On first run with a -c 'rid=001' flag, that syncs the rest of the configs and associated databases from the primary servers, leaving the config database as:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3c65cc7d
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcUpdateRef: ldaps://ldap.savagebeast.com
structuralObjectClass: olcDatabaseConfig
entryUUID: fee78e38-2723-1030-8342-0d5a80dcc32a
creatorsName: cn=admin,cn=config
createTimestamp: 20110609203711Z
olcRootPW:: x==
olcSyncrepl: {0}rid=001 provider=ldaps://guess-who.savagebeast.com binddn="cn=
 admin,cn=config,cn=slave" bindmethod=simple credentials=x searchbase
 ="cn=config,cn=slave" schemachecking=off type=refreshAndPersist retry="60 +" timeout=3 suffixmassage="cn=config"
entryCSN: 20151119013205.450738Z#000000#000#000000
modifiersName: cn=admin,dc=savagebeast,dc=com
modifyTimestamp: 20151119013205Z
This works great for the first run, but subsequent changes to the cn=config,cn=slave entries on the primary servers generate a replication error on the downstream hosts.
564fc719 syncrepl_entry: rid=001 be_search (0)
564fc719 syncrepl_entry: rid=001 olcDatabase={2}hdb,cn=config
564fc719 <= acl_access_allowed: granted to database root
564fc719 send_ldap_result: conn=-1 op=0 p=3
564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"
564fc719 null_callback : error code 0x43
564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)
564fc719 syncrepl_entry: rid=001 be_modify failed (67)
Which is LDAP_NOT_ALLOWED_ON_RDN.
The only change to be synced was the addition of an olcDbIndex to one of the databases.
The suffix massage seems to still be in place:
564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5
564fc719 ==> rewrite_context_apply [depth=1] string='olcDatabase={2}hdb,cn=config,cn=slave'
564fc719 ==> rewrite_rule_apply rule='(.*)cn=config,cn=slave$' string='olcDatabase={2}hdb,cn=config,cn=slave' [1 pass(es)]
564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}
564fc719 >>> dnPrettyNormal: <olcDatabase={2}hdb,cn=config>
Any pointers on how to troubleshoot why this error is called?
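An added example, not part of the original post: a Python triage script that correlates the slapd debug lines quoted above, pairing the DN received from the provider, the DN after suffixmassage, and the backend operation that failed with its LDAP result code. The sample log is assembled from the lines in the post; the function name, record fields and regular expressions are this example's own, and the result-code names are the RFC 4511 ones.

```python
import re

# RFC 4511 result codes commonly seen in syncrepl failures (partial list).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 53: "unwillingToPerform",
                67: "notAllowedOnRDN", 68: "entryAlreadyExists"}

RECV = re.compile(r"syncrepl_message_to_entry: rid=(\d+) DN: (.+), UUID: (\S+)")
REWRITE = re.compile(r"rewrite_context_apply \[depth=\d+\] res=\{(-?\d+),'(.*)'\}")
RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="(.*?)" text="(.*?)"')
OP = re.compile(r"syncrepl_entry: rid=(\d+) (be_\w+) (?!failed )(.+) \((-?\d+)\)$")

# Constructed sample: debug lines from the post, put in one plausible order.
SAMPLE_LOG = """\
564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5
564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}
564fc719 syncrepl_entry: rid=001 be_search (0)
564fc719 send_ldap_result: conn=-1 op=0 p=3
564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"
564fc719 null_callback : error code 0x43
564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)
564fc719 syncrepl_entry: rid=001 be_modify failed (67)
"""

def syncrepl_failures(log_text):
    """Return one record per failed backend operation applied by a consumer."""
    failures, received, rewritten, last_result = [], {}, None, None
    for line in log_text.splitlines():
        if m := RECV.search(line):
            received[m.group(1)] = m.group(2)       # DN as sent by the provider
        elif m := REWRITE.search(line):
            rewritten = m.group(2)                  # DN after suffixmassage
        elif m := RESULT.search(line):
            last_result = (int(m.group(1)), m.group(3))
        elif m := OP.search(line):
            rid, op, dn, err = m.group(1), m.group(2), m.group(3), int(m.group(4))
            if err == 0:
                continue                            # operation succeeded
            text = last_result[1] if last_result and last_result[0] == err else ""
            failures.append({
                "rid": rid, "op": op, "provider_dn": received.get(rid),
                "local_dn": dn, "massage_applied": rewritten == dn,
                "err": err, "name": RESULT_NAMES.get(err, "unknown"), "text": text,
            })
    return failures

if __name__ == "__main__":
    for record in syncrepl_failures(SAMPLE_LOG):
        print(record)
```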