OpenLDAP 2.4.31
I create my read-only LDAP hosts with a stub config that contains a syncrepl statement:
olcSyncrepl: {0}rid=001 provider=ldaps://ldap.savagebeast.com binddn="cn=
admin,cn=config,cn=slave" bindmethod=simple credentials=$PW searchbase="cn=
config,cn=slave" type=refreshAndPersist retry="60 +" timeout=3 suffixmassage=
"cn=config" schemachecking=off
On first run with a -c 'rid=001' flag, that syncs the rest of the configs and associated databases from the primary servers, leaving the config database as:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3c65cc7d
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcUpdateRef: ldaps://ldap.savagebeast.com
structuralObjectClass: olcDatabaseConfig
entryUUID: fee78e38-2723-1030-8342-0d5a80dcc32a
creatorsName: cn=admin,cn=config
createTimestamp: 20110609203711Z
olcRootPW:: x==
olcSyncrepl: {0}rid=001 provider=ldaps://guess-who.savagebeast.com binddn="cn=
admin,cn=config,cn=slave" bindmethod=simple credentials=x searchbase
="cn=config,cn=slave" schemachecking=off type=refreshAndPersist retry="60 +"
timeout=3 suffixmassage="cn=config"
entryCSN: 20151119013205.450738Z#000000#000#000000
modifiersName: cn=admin,dc=savagebeast,dc=com
modifyTimestamp: 20151119013205Z
This works great for the first run, but subsequent changes to the cn=config,cn=slave entries on the primary servers generate a replication error on the downstream hosts:
564fc719 syncrepl_entry: rid=001 be_search (0)
564fc719 syncrepl_entry: rid=001 olcDatabase={2}hdb,cn=config
564fc719 <= acl_access_allowed: granted to database root
564fc719 send_ldap_result: conn=-1 op=0 p=3
564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"
564fc719 null_callback : error code 0x43
564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)
564fc719 syncrepl_entry: rid=001 be_modify failed (67)
That is LDAP_NOT_ALLOWED_ON_RDN.
The only change to be synced was the addition of an olcDbIndex to one of the databases.
The suffix massage seems to still be in place:
564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5
564fc719 ==> rewrite_context_apply [depth=1] string='olcDatabase={2}hdb,cn=config,cn=slave'
564fc719 ==> rewrite_rule_apply rule='(.*)cn=config,cn=slave$' string='olcDatabase={2}hdb,cn=config,cn=slave' [1 pass(es)]
564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}
564fc719 >>> dnPrettyNormal: <olcDatabase={2}hdb,cn=config>
Any pointers on how to troubleshoot why this error is called?
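
A log-triage helper for the failure shown above, added as an example and not part of the original post: it pairs each failed syncrepl backend operation with the provider DN, the suffix-massaged DN and the diagnostic text logged before it, and checks that the massaged DN is the one the backend was asked to modify. The function name, the result-code table and the ordering of the sample lines (assembled from the post's two log excerpts) are assumptions.

```python
import re

# Subset of LDAP result codes (names per RFC 4511); helper table added for this example.
LDAP_RESULTS = {32: "noSuchObject", 50: "insufficientAccessRights", 53: "unwillingToPerform",
                64: "namingViolation", 67: "notAllowedOnRDN", 68: "entryAlreadyExists"}

# Sample input: slapd debug lines taken from the post's two excerpts;
# their relative order here is an assumption.
SAMPLE_LOG = """\
564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5
564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'}
564fc719 syncrepl_entry: rid=001 be_search (0)
564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name"
564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67)
564fc719 syncrepl_entry: rid=001 be_modify failed (67)
"""

RECEIVED = re.compile(r"syncrepl_message_to_entry: rid=(\d+) DN: (.+), UUID: (\S+)")
REWRITE = re.compile(r"rewrite_context_apply \[depth=\d+\] res=\{(-?\d+),'(.*)'\}")
TEXT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')
# The DN must contain '=' so the summary line "be_modify failed (67)" is not counted twice.
BACKEND = re.compile(r"syncrepl_entry: rid=(\d+) (be_\w+) (\S+=\S+) \((\d+)\)")

def failed_syncrepl_ops(log):
    """Return one dict per failed backend operation, carrying the context
    (provider DN, massaged DN, diagnostic text) logged before it."""
    ctx, failures = {}, []
    for line in log.splitlines():
        if m := RECEIVED.search(line):
            ctx = {"provider_dn": m[2], "uuid": m[3]}   # new entry: reset context
        elif m := REWRITE.search(line):
            ctx["massaged_dn"] = m[2]
        elif (m := TEXT.search(line)) and m[1] != "0":
            ctx["text"] = m[2]
        elif (m := BACKEND.search(line)) and m[4] != "0":
            code = int(m[4])
            failures.append({**ctx, "rid": m[1], "op": m[2], "local_dn": m[3],
                             "code": code, "result": LDAP_RESULTS.get(code, "unknown"),
                             # True when the rewritten DN is the one the backend modified
                             "massage_ok": ctx.get("massaged_dn") == m[3]})
    return failures

if __name__ == "__main__":
    for failure in failed_syncrepl_ops(SAMPLE_LOG):
        print(failure)
```
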