I made a lot of changes to my configuration via Ansible. Here is my provider configuration:
--------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapmaster-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapmaster-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}accesslog.la
olcModuleLoad: {3}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read

dn: olcDatabase={3}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcAccess: {0} to dn.sub=cn=accesslog by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net read
olcDbIndex: reqStart,reqEnd,reqMod,reqResult,entryCSN,entryUUID,objectClass eq

dn: olcOverlay={0}accesslog,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 01+00:00 00+04:00
olcAccessLogSuccess: TRUE

dn: olcOverlay={1}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300
--------------------
Here is the configuration of my consumer:
---------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapslave-01-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapslave-01-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcSyncrepl: {0}rid=1 provider=ldaps://ldapmaster.example.net type=refreshAndPersist retry="5 5 300 +" filter="(ObjectClass=*)" scope=sub bindmethod=simple searchbase="dc=example,dc=net" binddn="cn=repl-user,ou=users,dc=example,dc=net" credentials=geheim syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))
olcUpdateRef: ldaps://ldapmaster.example.net
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read
---------------------
When I restart my consumer I see the following logs on the consumer:
----------
Sep 15 20:42:09 ldapslave-01 systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Sep 15 20:42:09 ldapslave-01 slapd[2742]: slap_queue_csn: queueing 0x7f4f6011ceb0 20200915172117.549009Z#000000#000#000000
Sep 15 20:42:09 ldapslave-01 slapd[2742]: syncrepl_message_to_op: rid=001 tid 6e8d4700
Sep 15 20:42:09 ldapslave-01 slapd[2742]: syncrepl_message_to_op: rid=001 mods check (objectClass: value #0 invalid per syntax)
Sep 15 20:42:09 ldapslave-01 slapd[2742]: slap_graduate_commit_csn: removing 0x7f4f6011ceb0 20200915172117.549009Z#000000#000#000000
Sep 15 20:42:09 ldapslave-01 slapd[2742]: do_syncrepl: rid=001 rc 21 retrying (4 retries left)
----------
On the provider:
----------
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 ACCEPT from IP=192.168.56.16:38500 (IP=0.0.0.0:636)
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" method=128
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE ssf=0
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
Sep 15 20:42:14 ldapmaster slapd[2868]: syncprov_search_response: cookie=rid=001,csn=20200915173214.801545Z#000000#000#000000
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=2 UNBIND
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 closed
----------
I have been looking at my configuration for days; at the moment "I can't see the tree in the forest" :-) (as we say in Germany).
I compared the subschema of consumer and provider; they are the same. I tried to access the accesslog with ldapsearch as my repl-user, and I can access the database.
Can anyone have a look at my configuration, please?
Stefan
Am 09.09.20 um 10:39 schrieb Stefan Kania:
Hi Quanah, thanks for the help. Up to now I did delta-syncrepl only via slapd.conf; now I will get it working with slapd.d AND Ansible. After your posting I looked at my configuration and I saw it. Sometimes you need someone to put you on the right track. Thanks, not only for this answer; you are doing a great job on this mailing list!
Stefan
Am 08.09.20 um 21:35 schrieb Quanah Gibson-Mount:
Your configuration has many problems. ;)
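The following is an added example from the editor, not code from the thread, from Quanah or from the OpenLDAP project. It is a small Python checker that takes the cn=config dump of a provider and of a consumer (what `slapcat -n 0` prints on each host), unfolds the LDIF, parses the consumer's olcSyncrepl value and cross-checks the pieces a delta-syncrepl setup depends on: the provider serves both the searchbase and the logbase, both databases carry the syncprov overlay, the accesslog overlay points at the log database and is attached to the replicated database (where the delta-syncrepl example in the OpenLDAP Administrator's Guide attaches it), the replication binddn has a read ACL on the log database, and simple-bind credentials only travel over ldaps:// or StartTLS. The two LDIF strings are constructed, trimmed copies of the configuration posted in this thread with the credential replaced by a placeholder; the function and variable names are the editor's. Run on that trimmed copy it reports one finding: the posted provider config attaches olcOverlay={0}accesslog to olcDatabase={3}mdb, the accesslog database itself, and not to olcDatabase={1}mdb.

```python
"""Delta-syncrepl consistency checks over cn=config dumps (slapcat -n 0); added example."""
import re
import shlex
from collections import defaultdict

ORDER = re.compile(r"^\{-?\d+\}")  # the {n} ordering prefix on cn=config values
# Constructed samples: trimmed copies of the thread's configs, credential redacted.
PROVIDER_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=example,dc=net

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
olcOverlay: syncprov

dn: olcDatabase={3}mdb,cn=config
olcSuffix: cn=accesslog
olcAccess: {0}to dn.sub=cn=accesslog by dn.exact=cn=repl-user,ou=users,dc=exa
 mple,dc=net read by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net read

dn: olcOverlay={0}accesslog,olcDatabase={3}mdb,cn=config
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog

dn: olcOverlay={1}syncprov,olcDatabase={3}mdb,cn=config
olcOverlay: {1}syncprov
"""
CONSUMER_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSyncrepl: {0}rid=1 provider=ldaps://ldapmaster.example.net type=refreshAndP
 ersist retry="5 5 300 +" filter="(ObjectClass=*)" scope=sub bindmethod=simple
  searchbase="dc=example,dc=net" binddn="cn=repl-user,ou=users,dc=example,dc=n
 et" credentials=REDACTED syncdata=accesslog logbase="cn=accesslog" logfilter="(
 &(objectClass=auditWriteObject)(reqResult=0))"
"""

def parse_ldif(text):
    """Unfold LDIF continuation lines and return [(dn, {attr: [values]})]."""
    entries, dn, attrs = [], None, defaultdict(list)
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        elif not value.startswith(":"):  # base64 (::) values are not needed here
            attrs[name.lower()].append(value.strip())
    return entries

def parse_syncrepl(value):
    """Split an olcSyncrepl value into a dict; shlex keeps quoted values whole."""
    pairs = (tok.partition("=") for tok in shlex.split(ORDER.sub("", value)))
    return {k.lower(): v for k, _, v in pairs}

def has_overlay(attrs, name):  # does this cn=config entry define overlay `name`?
    return any(ORDER.sub("", v).lower() == name for v in attrs.get("olcoverlay", []))

def lint(provider_ldif, consumer_ldif):
    """Cross-check one provider and one consumer config; returns ERROR/WARN findings."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    srs = [parse_syncrepl(v) for _, a in cons for v in a.get("olcsyncrepl", [])]
    sr = next((s for s in srs if s.get("syncdata") == "accesslog"), None)
    if sr is None:
        return ["ERROR consumer: no olcSyncrepl with syncdata=accesslog"]
    out, binddn, logbase = [], sr.get("binddn", ""), sr.get("logbase", "")
    if (not sr.get("provider", "").startswith("ldaps://")
            and sr.get("starttls") not in ("yes", "critical")):
        out.append("WARN consumer: simple-bind credentials would cross the wire in clear")
    def db_for(suffix):  # DN of the provider database that serves this suffix
        return next((dn for dn, a in prov
                     if suffix.lower() in map(str.lower, a.get("olcsuffix", []))), None)
    main_db, log_db = db_for(sr.get("searchbase", "")), db_for(logbase)
    for label, db in (("searchbase", main_db), ("logbase", log_db)):
        if db is None:
            out.append(f"ERROR provider: no database whose olcSuffix matches {label}={sr.get(label)}")
        elif not any(dn.endswith("," + db) and has_overlay(a, "syncprov") for dn, a in prov):
            out.append(f"ERROR provider: no syncprov overlay on {db}")
    if main_db is None or log_db is None:
        return out
    # accesslog belongs on the replicated database and must point at the log database
    acc = [dn for dn, a in prov if has_overlay(a, "accesslog")
           and a.get("olcaccesslogdb", [""])[0].lower() == logbase.lower()]
    if not acc:
        out.append(f"ERROR provider: no accesslog overlay with olcAccessLogDB={logbase}")
    for dn in acc:
        parent = dn.split(",", 1)[1]
        if parent.lower() != main_db.lower():
            out.append(f"ERROR provider: accesslog overlay {dn} is attached to {parent}, "
                       f"not to the replicated database {main_db}")
    acls = dict(prov)[log_db].get("olcaccess", [])
    if not any(binddn.lower() in v.lower() and " read" in v.lower() for v in acls):
        out.append(f"ERROR provider: {binddn} has no read ACL on {log_db}")
    return out

if __name__ == "__main__":
    print("\n".join(lint(PROVIDER_LDIF, CONSUMER_LDIF)) or "no findings")
```

To use it on real servers, replace the two strings with the `slapcat -n 0` output of each host. The consumer's olcSyncrepl carries the replication password in clear inside cn=config, so the ACL on olcDatabase={0}config (in this thread restricted to root and uid 1111 over the peercred socket) is what protects it; dumps of that database should be handled accordingly.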