Brad T Waldorf wrote:
Hi.
I used the Delta-syncrepl configuration example from the admin guide (http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl) to create configuration files for a basic 1 Master, 1 Slave configuration. With a populated & functional master, I started the slave and hit this error...
slap_client_connect: URI=ldap://9.57.13.249:389 DN="cn=user.replicator,ou=people ,dc=exampleb,dc=com" ldap_sasl_bind_s failed (49)+
(The replicator DN couldn't bind.) In fact, I couldn't execute a basic ldapsearch while binding as the replicator DN... kept getting "ldap_bind: Invalid credentials (49)".
Long story short, the fix was to comment out the following ACL statements in the master config file ... I could then bind as the replicator DN and delta-syncrepl worked...
# Give the replica DN unlimited read access.
access to *
        by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
        by * break
Your ACLs are obviously wrong. The above piece of ACL is intended to exist along with other rules, otherwise it's useless by itself. In fact, in order to check an identity, anonymous must be able to bind, and thus needs auth permission. Posting your hack as if it were the solution to a problem is only going to create further confusion in those who didn't understand the ACL model yet.
A minimal ACL design that allows essential operations including replication would need:
- let everyone try to auth
- let replication identity read everything that needs to be replicated
- let others read/write what they are allowed to read
so:
access to attrs=userPassword by <replication identity> read by * auth
access to <something else> by <replication identity> read by <others> <as appropriate>
# catchall for what's left
access to * by <replication identity> read
As you may see, you need to repeat the "by <replication identity> read" snippet all times. So a shortcut is:
access to * by <replication identity> read by * break
access to attrs=userPassword by * auth
access to <something else> by <others> <as appropriate>
which means: replication identity can read everything, others don't gain any privilege; but don't stop evaluating rules, step to the next one for further permission.
If you don't understand this, please don't try to teach others how ACLs need to be configured to have replication work as intended. You removed from your example the comment "This ACL may need to be merged with other ACL statements." http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl (that statement probably needs to be strengthened, replacing "may" with "must").
Probably this was not your intention, but the consequence is that googling up "openldap delta-syncrepl access" will likely hit your message and propagate false information.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
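The evaluation order that the reply relies on (first matching `to` clause selects the directive, first matching `by` clause decides the level, `break` continues with the next directive, and an unmatched requester gets the implicit `by * none`) is easy to get wrong by reading. The toy model below is an added example, not OpenLDAP code and not from either poster; it reproduces only those rules and leaves out the rest of slapd's ACL machinery (most `<who>`/`<what>` selectors, the `+`/`-` privilege modifiers, regex matching). The replicator DN is the one from the thread; the `uid=alice` and `uid=bob` entries are constructed, and `by self write` / `by users read` are an assumed choice for "`<others> <as appropriate>`". The four ACL sets show why the guide's fragment cannot stand alone (a simple bind needs `auth` on userPassword for the still-anonymous requester), that the shortcut and the repeated form grant exactly the same levels, and what goes wrong if `by * break` is replaced by a stopping clause.

```python
"""Toy model of slapd ACL evaluation (added example; not OpenLDAP code)."""
from dataclasses import dataclass, field
from typing import Optional

# Privilege levels in increasing order; a granted level satisfies any requested
# level at or below it (read implies search, compare, auth and disclose).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ANONYMOUS = ""  # empty DN models an unauthenticated requester


@dataclass
class By:
    who: str                 # "*", "anonymous", "users", "self" or 'dn.base="..."'
    level: Optional[str]     # None = no level stated, as in `by * break`
    control: str = "stop"    # "stop" (slapd default) or "break"


@dataclass
class Rule:
    what: str                # "*" or "attrs=a,b,..."
    by: list = field(default_factory=list)


def _who_matches(by: By, requester: str, target: str) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester == ANONYMOUS
    if by.who == "users":
        return requester != ANONYMOUS
    if by.who == "self":
        return requester != ANONYMOUS and requester.lower() == target.lower()
    if by.who.startswith("dn.base="):
        return requester.lower() == by.who[len("dn.base="):].strip('"').lower()
    raise ValueError(f"unsupported <who> selector: {by.who}")


def _what_matches(rule: Rule, attr: Optional[str]) -> bool:
    if rule.what == "*":
        return True
    if rule.what.startswith("attrs="):
        names = [a.strip().lower() for a in rule.what[len("attrs="):].split(",")]
        return attr is not None and attr.lower() in names
    raise ValueError(f"unsupported <what> selector: {rule.what}")


def granted_level(rules, requester: str, target: str, attr: Optional[str]) -> str:
    """Level `requester` gets on attribute `attr` of entry `target`."""
    for rule in rules:
        if not _what_matches(rule, attr):
            continue                      # first matching <what> selects the directive
        for by in rule.by:
            if not _who_matches(by, requester, target):
                continue
            if by.control == "break":
                break                     # `break`: go on to the next directive
            return by.level or "none"     # first matching <who> decides; stop
        else:
            return "none"                 # directive matched, no <who> did: implicit deny
    return "none"                         # ran off the end: implicit `by * none`


def allowed(rules, requester, target, attr, requested: str) -> bool:
    return LEVELS.index(granted_level(rules, requester, target, attr)) >= LEVELS.index(requested)


def simple_bind_possible(rules, bind_dn: str) -> bool:
    """A simple bind checks `auth` on userPassword as *anonymous*: the identity
    is not established yet when the password is compared."""
    return allowed(rules, ANONYMOUS, bind_dn, "userPassword", "auth")


REPLICATOR_DN = "cn=user.replicator,ou=People,dc=exampleb,dc=com"  # from the thread
REPLICATOR = f'dn.base="{REPLICATOR_DN}"'
ALICE = "uid=alice,ou=People,dc=exampleb,dc=com"  # constructed sample entries
BOB = "uid=bob,ou=People,dc=exampleb,dc=com"

# 1. The guide's fragment on its own: replicator reads everything, nobody can bind.
FRAGMENT_ONLY = [Rule("*", [By(REPLICATOR, "read"), By("*", None, "break")])]

# 2. The shortcut design from the reply; `self write` / `users read` are assumed.
SHORTCUT = [
    Rule("*", [By(REPLICATOR, "read"), By("*", None, "break")]),
    Rule("attrs=userPassword", [By("self", "write"), By("*", "auth")]),
    Rule("*", [By("users", "read")]),
]

# 3. The same policy the long way, repeating `by <replicator> read` in each directive.
REPEATED = [
    Rule("attrs=userPassword", [By(REPLICATOR, "read"), By("self", "write"), By("*", "auth")]),
    Rule("*", [By(REPLICATOR, "read"), By("users", "read")]),
]

# 4. `by * none` (stop) instead of `by * break`: later directives are never reached.
NO_BREAK = [Rule("*", [By(REPLICATOR, "read"), By("*", "none")])] + SHORTCUT[1:]


def same_policy(rules_a, rules_b) -> bool:
    """True if both ACL sets grant identical levels over a grid of sample requests."""
    return all(
        granted_level(rules_a, r, t, a) == granted_level(rules_b, r, t, a)
        for r in (ANONYMOUS, REPLICATOR_DN, ALICE)
        for t in (ALICE, BOB)
        for a in ("userPassword", "cn")
    )


if __name__ == "__main__":
    for name, rules in [("fragment only", FRAGMENT_ONLY), ("shortcut", SHORTCUT),
                        ("repeated", REPEATED), ("no break", NO_BREAK)]:
        print(f"{name:14s} replicator can bind: {simple_bind_possible(rules, REPLICATOR_DN)!s:5s} "
              f"replicator reads userPassword: {allowed(rules, REPLICATOR_DN, ALICE, 'userPassword', 'read')}")
```

Running it prints that the replicator can read userPassword under every set, but can only bind under the shortcut and repeated sets; that is exactly the symptom in the original report (read access granted, bind refused with error 49), and commenting the directive out hides it rather than fixing it.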