Quanah Gibson-Mount wrote:
--On January 2, 2008 2:22:20 PM +0100 Pierangelo Masarati ando@sys-net.it wrote:
According to the configuration files posted, the user "cn=admin,dc=ipodion,dc=at" is used as binddn by the consumer, but it is the rootdn on the producer, so it can read all values (the real, harmless error is that there's no point in authorizing access for the rootdn: it has unlimited access privileges). Local writes by syncrepl are performed with the local rootdn's identity, so there's no point in authorizing them either.
Hm, I thought at least at one point in time, syncrepl used the identity it bound as to make the updates in the local DB, but I guess not. Maybe that was just a holdover in my ACL files from when I used slurpd.
I recall something similar: at some point, syncrepl switched to using the consumer database's rootdn. However, the only mention of something related to syncrepl and rootdn I could find in CHANGES was in 2.3.25, so it should already be in the version in use. What I believe is most likely is that at some point replication was initiated with an identity that couldn't read userPassword; eventually the ACL about userPassword was broadened, but the database was not re-sync'ed. In any case, the configuration files posted in the original message worked with 2.3.40.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
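The two ACL points made above (the rootdn needs no ACL grants because it bypasses ACLs; the consumer's local writes are made as the consumer database's rootdn, so they need no grants either) matter as soon as the consumer binds to the producer with an identity that is not the producer's rootdn. The slapd.conf fragments below are an added example written for this note, not the configuration files from the original message. The suffix dc=example,dc=com, the replication identity cn=replicator,dc=example,dc=com, the host provider.example.com and the placeholder passwords are assumptions; the producer uses a dedicated, non-rootdn replication identity that is explicitly granted read access to userPassword.

```conf
#####################################################################
# Producer (provider) side - added example, not from the original post.
# Assumed suffix, rootdn, replication identity and passwords are placeholders.
#####################################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Placeholder; in practice use the output of slappasswd.
rootpw          secret

# cn=admin,... is the rootdn: it is never subject to ACLs, so listing it in
# a "by" clause has no effect. The replication identity below is NOT the
# rootdn, so it must be granted read on userPassword explicitly, otherwise
# the consumer receives every entry without its userPassword attribute.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none

access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

#####################################################################
# Consumer side - added example, not from the original post.
#####################################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
# Placeholder; in practice use the output of slappasswd.
rootpw          secret

# The binddn/credentials below are used only towards the provider.
# Entries received are written locally as this database's rootdn, so no
# consumer-side ACL needs to grant write access to the replication identity.
syncrepl rid=001
        provider=ldap://provider.example.com
        type=refreshAndPersist
        searchbase="dc=example,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="*,+"
        retry="60 +"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=secret
```

To check the producer side before blaming syncrepl, bind to the provider as the replication identity with ldapsearch (for example `ldapsearch -x -H ldap://provider.example.com -D "cn=replicator,dc=example,dc=com" -W -b "dc=example,dc=com" userPassword`) and confirm userPassword is returned; if it is not, the ACL is the problem, not replication. Note the caveat from the thread: if replication was first started while the identity could not read userPassword and the ACL was only broadened afterwards, entries already present on the consumer keep missing the attribute until the consumer is resynchronized.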