On 10/25/10 9:22 AM, Jonathan CLARKE wrote:
On 22/10/2010 21:57, Robert Klopotoski, Jr. wrote:
Hello,
I'm running into a problem with syncrepl that I hope someone can help with. I'm hoping it's a simple config problem. There was another thread similar to this one, and I have tried the solutions and still failed.
Running slapd 2.4.11 on both the consumer and the provider. The provider has thousands of records with numerous attributes including 'userPassword'. The consumer got its start from a direct copy of the database files from the provider. All existing accounts have the userPassword attribute on both the consumer and provider. Any time a new record is added to the provider, it synchronizes all attributes other than the userPassword field.
The provider has an account on it "dc=replica,dc=domain,dc=edu" for the syncrepl to use from the consumer. An ldap search to the provider using this account shows that it can see userPassword:
ldapsearch -x -LLL -b dc=endicott,dc=edu -W -D cn=replica,dc=endicott,dc=edu
returns the dn of dn: uid=112232584,ou=Students,ou=People,dc=endicott,dc=edu including the attribute of: userPassword:: e0NSWVBUfSQxJFZ5TXdTJHJJdS85L0EvWjl6UlZnZ3lKYjNtMjE=
The consumer for whatever reason is not adding this attribute to any records it syncs. All other attributes come over fine.
If I do a complete cleanout of the consumer and have it start its database directly from the provider, it does the same thing and pulls over everything but userPassword.
The config of the consumer is listed below. Where could the problem lie?
It's most likely that your ACLs on the provider do not allow the "cn=replica, dc=endicott, dc=edu" account to "read" the userPassword attribute.
Hope this helps, Jonathan
Hi Jonathan,
Thanks for the response.
The provider has the following in it:
access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=endicott,dc=edu" write by dn="cn=replica,dc=endicott,dc=edu" read by anonymous auth by self write by * none
A query from the consumer CLI to the provider using the "replica" dn successfully shows the userPassword attribute as part of the result. What else could I be missing?
Rob
The config files on the consumer look like this:
**** Start slapd.conf *****
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/endicott.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        256
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       15000
tool-threads    1
backend         bdb
database        bdb
suffix          "dc=endicott,dc=edu"
checkpoint      512 30
rootdn          "cn=admin,dc=endicott,dc=edu"
rootpw          password
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=endicott,dc=edu" write
        by dn="cn=replica,dc=endicott,dc=edu" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=endicott,dc=edu" write
        by dn="cn=replica,dc=endicott,dc=edu" write
        by * read
index           entryUUID eq
index           userPassword eq
syncrepl rid=123
        provider=ldap://10.1.55.196:389
        type=refreshAndPersist
        interval=00:00:02:00
        searchbase="dc=endicott,dc=edu"
        scope=sub
        attrs="*"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replica, dc=endicott, dc=edu"
        credentials="password"
        retry="60 +"
        logbase="cn=accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        syncdata=accesslog
updateref       ldap://10.1.55.196
**** end slapd.conf ****
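A quick way to pin down exactly which entries and attributes the consumer is missing is to compare an LDIF export of both servers (for example from slapcat on each side) rather than spot-checking with ldapsearch. The script below is an added example, not code from the thread: it parses two LDIF dumps (folded lines and `attr:: base64` values included) and reports, per provider DN, the attributes absent on the consumer; the two exports are constructed samples, and the function names are this example's own.

```python
import base64

# Constructed sample exports (not from the thread): the consumer lacks userPassword on uid=1001 and has no uid=1002.
PROVIDER_LDIF = """\
dn: uid=1001,ou=People,dc=example,dc=edu
uid: 1001
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=1002,ou=People,dc=example,dc=edu
uid: 1002
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""
CONSUMER_LDIF = """\
dn: uid=1001,ou=People,dc=example,dc=edu
uid: 1001
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lowercase: set(values)}}; folds continuation lines, decodes '::' base64."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last record
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):      # comment lines are skipped
            lines.append(raw)
        elif not raw and lines:                    # blank line ends a record
            attrs, dn = {}, None
            for line in lines:
                name, value = map(str.strip, line.split(":", 1))
                if value.startswith(":"):          # "attr:: <base64>" (slapcat writes userPassword this way)
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                if name.lower() == "dn":
                    dn = value
                else:
                    attrs.setdefault(name.lower(), set()).add(value)
            entries[dn] = attrs
            lines = []
    return entries

def replication_gaps(provider, consumer):
    """Per provider DN: sorted attributes missing on the consumer, or None if the whole entry is missing."""
    gaps = {}
    for dn, pattrs in provider.items():
        cattrs = consumer.get(dn)
        if cattrs is None:
            gaps[dn] = None
        elif missing := sorted(a for a in pattrs if a not in cattrs):
            gaps[dn] = missing
    return gaps

GAPS = replication_gaps(parse_ldif(PROVIDER_LDIF), parse_ldif(CONSUMER_LDIF))
```

An empty result means every provider attribute reached the consumer; a DN mapped to `["userpassword"]` reproduces the symptom described in the thread.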