Hello Quanah,

Your domain ACLs should be contained within the domain database section, not in the global configuration section.


Within: dn: olcDatabase={1}mdb,cn=config  ?
Changed this.
This second syncprov overlay needs to be removed.  It should only occur once.

Removed the second syncprov section. Was already under the impression that I had a duplicate declaration, but wasn't sure. Thanks for confirming this for me.


dn: olcDatabase={1}bdb,cn=config

back-bdb is deprecated and should not be used.  back-mdb should be used instead.

Changed it to: dn: olcDatabase={1}mdb,cn=config

 

Something else I see, when I use JXplorer to look at the content of a
server using the cn=config credentials I would expect to see all values
including the empty values. On a server without olcAccess lines I see
this, but when there are olcAccess lines I only see the configured
values. All unset values are not visible.

I have no idea what this statement means.  All values of what?  What's an empty/unset value mean?

Ok, let me give you a quick example:
Normally I would expect to see something like this for all my tables in my cn=config tree:



But when I had the olcAccess lines in the frontend tree I didn't see all the entries in the bottom.
I could only see the entries with a value.

Finally, with OpenLDAP 2.4, YMMV with cn=config replication as there are missing rules necessary for it to work correctly.  This has been fixed for OpenLDAP 2.5.  Unless you really need to replicate cn=config, I advise against it.

Ok, but the 2.5 tree is currently a development tree as far as I can see and nothing close to production ready. Or am I missing something there?

My cn=config Syncrepl is still not working, which probably means I have to drop that requirement for now.


Jan Hugo Prins
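
The three review points raised in this thread (back-bdb in use, a second syncprov overlay on one database, domain ACLs placed outside the domain database) can be checked mechanically against a cn=config export. The following is an added example, not code from the thread or from the OpenLDAP project; the sample LDIF is constructed, `lint_config` and the finding names are hypothetical, and it assumes the "global configuration section" means the `cn=config` or frontend entry and that an ACL mentioning a database's `olcSuffix` is a domain ACL.

```python
import re
from collections import Counter

# Constructed cn=config export (not from the thread) showing all three problems.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.subtree="dc=example,dc=com" attrs=userPassword
  by self write by anonymous auth by * none

dn: olcDatabase={1}bdb,cn=config
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config

dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; names and DNs are lowercased."""
    unfolded = re.sub(r"\n ", "", text)  # LDIF folds lines as newline + one space
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs["dn"][0].lower(), attrs))
    return entries

def lint_config(text):
    """Return (finding, dn) pairs for the three issues raised in the thread."""
    entries = parse_ldif(text)
    suffixes = {s.lower() for _, a in entries for s in a.get("olcsuffix", []) if s}
    findings, overlays = [], Counter()
    for dn, attrs in entries:
        if re.match(r"olcdatabase=(\{\d+\})?bdb,cn=config$", dn):
            findings.append(("deprecated-backend", dn))      # back-bdb: use back-mdb
        m = re.match(r"olcoverlay=(?:\{\d+\})?syncprov,(.+)$", dn)
        if m:
            overlays[m.group(1)] += 1                        # count per database
        if dn in ("cn=config", "olcdatabase={-1}frontend,cn=config"):
            # Assumption: an ACL naming a database's suffix is a "domain ACL".
            if any(s in r.lower() for r in attrs.get("olcaccess", []) for s in suffixes):
                findings.append(("domain-acl-in-global-section", dn))
    findings += [("duplicate-syncprov", db) for db, n in overlays.items() if n > 1]
    return findings
```

Feed it the text of a config dump such as the output of `slapcat -n 0`; an empty list means none of the three conditions was found.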