This has been driving me up the wall and I wondered if someone could point out the bit I'm missing - the desk is getting badly damaged by my head bashing it :-)
On our master server I can query the rootdb no problem, but I can't do this on the slaves - this applies whether I use external or ldaps authentication. I've turned on access and search filter debugging and I can't see any rejections. I'm trying to query contextCSN to ensure that the slave is in sync. "slapcat" works, but seems an ugly hack. I can query all the children - just not the root.
The config is the same (ish) on both - here's the slave:

dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: .......
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
structuralObjectClass: olcHdbConfig
entryUUID: 07f3fede-c201-1031-8b17-f3837148ab05
creatorsName: cn=config
createTimestamp: 20121113171221Z
olcSyncrepl: {0}rid=000 provider=ldap://ldap.example.com type=refreshandPersist interval=00:00:00:60 retry="60 10 300 +" timelimit=10 searchbase="dc=example,dc=com" binddn="cn=admin,dc=example,dc=com" bindmethod=simple credentials=..... starttls=critical tls_reqcert=demand attrs="*,+"
olcUpdateRef: ldap://ldap.example.com
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: uid,uidNumber,gidNumber,memberOf,sudoUser,memberUid pres,eq
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
olcAccess: {1}to attrs=SambaLMPassword,SambaNTPassword by self write by dn="cn=freenas-auth,ou=services,dc=example,dc=com" read by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * read
olcAccess: {4}to dn.base="dc=example,dc=com" by * read
On the slave:

ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com -s base -Q
# extended LDIF
# search result
search: 2
result: 0 Success
# numResponses: 1
On the master:

ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com -s base
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
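Added example, not from the original post: a POSIX shell check for the "is the slave in sync" question, which parses the contextCSN values of the suffix entry on the provider and on a consumer and compares them per replica server ID. The two LDIF strings are constructed samples standing in for the output of `ldapsearch -x -H ldap://<server> -b dc=example,dc=com -s base contextCSN` run against each server; the server names and CSN values are assumptions.

```shell
#!/bin/sh
# Constructed sample output, standing in for what
#   ldapsearch -x -H ldap://<server> -b dc=example,dc=com -s base contextCSN
# returns from the provider and from the consumer (ldapsearch folds long
# lines with a leading space, which the parser below re-joins).
PROVIDER_LDIF='dn: dc=example,dc=com
contextCSN: 20121113171221.123456Z#000000#000#000000
contextCSN: 20121113180000.000000Z#000000#001#000000'
CONSUMER_LDIF='dn: dc=example,dc=com
contextCSN: 20121113171221.123456Z#000000#000#000000
contextCSN: 20121113175500.000000Z#000000#00
 1#000000'

# Read LDIF on stdin, unfold continuation lines, print "<serverID> <contextCSN>" per value.
csn_pairs() {
  awk '
    function flush() {
      if (buf ~ /^contextCSN: /) {
        v = substr(buf, 13); split(v, f, "#"); print f[3], v
      }
      buf = ""
    }
    /^ / { buf = buf substr($0, 2); next }
    { flush(); buf = $0 }
    END { flush() }'
}

# Compare provider ($1) and consumer ($2) LDIF. CSNs are fixed-width and
# sort lexically, so a plain string comparison orders them correctly.
# Prints one line per server ID and returns 1 if the consumer lags anywhere.
check_sync() {
  {
    printf '%s\n' "$1" | csn_pairs | sed 's/^/P /'
    printf '%s\n' "$2" | csn_pairs | sed 's/^/C /'
  } | awk '
    $1 == "P" { p[$2] = $3 }
    $1 == "C" { c[$2] = $3 }
    END {
      bad = 0
      for (sid in p) {
        if (!(sid in c))          { print sid, "missing on consumer"; bad = 1 }
        else if (c[sid] < p[sid]) { print sid, "behind"; bad = 1 }
        else                      { print sid, "in sync" }
      }
      exit bad
    }'
}

check_sync "$PROVIDER_LDIF" "$CONSUMER_LDIF" || echo "consumer is NOT in sync"
```

If the consumer returns no entry at all, as the slave output above does, every provider server ID is reported as missing on the consumer instead of being silently treated as in sync.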