thx for your reply.
do i put in the slave conf file the same thing as the following command?
ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D > 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
------------------------------ On Wed, Nov 19, 2014 9:25 AM GMT Jephte Clain wrote:
hello,
I would say, try to understand the meaning of what you do. The openldap admin guide is a good place to start.
- for instance, on the slave, you bind to the master with dn
uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp and password secretofreplicator does this objet exist *on the master*? with the right password? does this account have the right acl to read everything on the master (i.e., on the master, the acl is defined for cn=replicator,... which is not the same as uid=replicator,...)
- also, why would you use the replicator dn as the rootdn for the slave?
one last thing: I advise you change the password of both the master and slave. posting the file with the hash password of the root dn on the internet is not a good idea :-)
good luck
2014-11-19 11:38 GMT+04:00 wailok tam wailoktam@yahoo.com:
Hi, I am new to ldap. I am following the book "Mastering Openldap" to set up replication but I am getting the error given in the title when I start the slave with "splad -d sync" . Replication does not work.
slapd.conf of the Master:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema
#modulepath /usr/lib/openldap #moduleload syncprov.la
# Allow LDAPv2 client connections. This is NOT the default. allow bind_v2
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
#sasl-realm ier.hit-u.ac.jp #sasl-host localhost #authz-regexp uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=ier,dc=hit-u,dc=ac,dc=jp" rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ== rootpw secret #password-hash {MD5} directory /var/lib/ldap
TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
overlay syncprov syncprov-checkpoint 50 10 syncprov-sessionlog 100
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq idlcachesize 1000
access to attrs=userPassword by self write by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by anonymous auth by * none
access to attrs=SambaLMPassword,SambaNTPassword by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by self read by anonymous auth by * none
access to * by self write by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by * read
sladp.conf of the slave:
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default. allow bind_v2
# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args
####################################################################### # ldbm and/or bdb database definitions #######################################################################
database bdb suffix "dc=ier,dc=hit-u,dc=ac,dc=jp" #rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" #rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ== rootpw secretofreplicator #password-hash {MD5} directory /var/lib/ldap #TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt #TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt #TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
# Replicas of this database #updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp #updateref uri=ldap://192.168.84.22
# Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq idlcachesize 1000
#access to attrs=userPassword # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write # by self write # by anonymous auth # by * none
#access to * # by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write # by self write # by * read
#loglevel stats sync
syncrepl rid=001 provider=ldap://mail.ier.hit-u.ac.jp type=refreshAndPersist interval=00:00:05:00 searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp" binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" bindmethod=simple # bindmethod=sasl saslmech=DIGEST-MD5 # authcid=replicator credentials=secretofreplicator
updateref ldap://mail.ier.hit-u.ac.jp/
what puzzles me is that:
I try on the slave to access the master with ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
and it works.
What is wrong? I really need your help.
-- cordialement, Jephté Clain Direction des Systèmes d'Information et des Usages Numériques - 2IG Tél. 0262 93 86 31 Fax. 0262 93 81 06