Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
Try fixing the RIDs - use small numbers, all different. The exact values are not important. Also try commenting out the second syncrepl clause until you have the others working properly. You should be able to merge the first and second clauses as they share a search-base.
I did both, and now the slave configuration looks like this:
---[ slave configuration quotation start ]----------------------------
# delta-syncrepl consumer for the Sendmail subtree
syncrepl rid=0
        provider=ldap://master.example:389
        starttls=critical
        searchbase="ou=ABC,ou=Sendmail,dc=example"
        bindmethod=simple
        binddn="uid=replABC,ou=repl,dc=example"
        credentials="***"
        tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
        tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
        tls_key=/usr/local/etc/openldap/ssl/ABC.key
        tls_reqcert=try
        type=refreshAndPersist
        retry="60 +"
        logbase="cn=example-accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        syncdata=accesslog

# delta-syncrepl consumer for a filtered subset of ou=People
syncrepl rid=1
        provider=ldap://master.example:389
        starttls=critical
        searchbase="ou=People,dc=example"
        bindmethod=simple
        binddn="uid=replABC,ou=repl,dc=example"
        credentials="***"
        filter="(&(objectClass=authorizedServiceObject)(|(authorizedService=mail@foo.bar)(authorizedService=xmpp@foo.bar)))"
        attrs="cn,entry,entryCSN,entryUUID,o,uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,userPassword,creatorsName,createTimestamp,modifiersName,modifyTimestamp,mail,rfc822MailMember,sn,authorizedService,mu-mailBox"
        tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
        tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
        tls_key=/usr/local/etc/openldap/ssl/ABC.key
        tls_reqcert=try
        type=refreshAndPersist
        retry="60 +"
        logbase="cn=example-accesslog"
        logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
        syncdata=accesslog
---[ slave configuration quotation end ]----------------------------
I separated the RIDs and even the search bases, but I can still see complaints in the slapd.log file, though now it is only rid=0 that is complained about, not both of them ...
---[ slave slapd.log quotation start ]--------------------------------
Jun 29 22:45:30 ABC slapd[12593]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
Jun 29 22:45:30 ABC slapd[12593]: do_syncrep2: rid=000 (53) Server is unwilling to perform
Jun 29 22:45:30 ABC slapd[12593]: do_syncrepl: rid=000 rc -2 retrying
---[ slave slapd.log quotation end ]--------------------------------
You may also need to put ACLs on the accesslog database.
Is it something like this?
access to dn.children="cn=example-accesslog"
        by dn.children="ou=repl,dc=example" read
        by * break
But doesn't the fact that one replica is working confirm that replication is allowed? I can see the changes for the objects of rid=1.
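For reference, here is an added example of the provider-side slapd.conf pieces that go with a consumer like the one above: the accesslog database with syncprov on it, and an ACL that lets the replication identity read that database. It is not from this thread or from the OpenLDAP project's own documentation; it only reuses the names already in the consumer config (cn=example-accesslog, uid=replABC,ou=repl,dc=example, dc=example). The backend, directory paths and purge interval are placeholders to adjust.

```conf
# Provider-side slapd.conf fragment (added example, not from the thread).
# Names are taken from the consumer configuration; backend, paths and the
# logpurge interval are placeholders.

#########################################################################
# Main database: write an accesslog record for every successful write
#########################################################################
database        mdb                 # placeholder: use your actual backend
suffix          "dc=example"
rootdn          "cn=manager,dc=example"   # placeholder rootdn
directory       /var/db/openldap-data     # placeholder path

# syncprov needs these indexed
index           entryCSN    eq
index           entryUUID   eq

overlay         syncprov
syncprov-checkpoint 1000 60

# Log writes into the accesslog database the consumers read from.
overlay         accesslog
logdb           "cn=example-accesslog"
logops          writes
logsuccess      TRUE
# purge entries older than 7 days, checking once a day (placeholder values)
logpurge        07+00:00 01+00:00

#########################################################################
# Accesslog database: what the consumers' logbase= points at
#########################################################################
database        mdb                 # placeholder: use your actual backend
suffix          "cn=example-accesslog"
rootdn          "cn=example-accesslog"
directory       /var/db/openldap-accesslog  # placeholder path
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart

# ACL for the replication identity, placed inside this database's section
# so it is unambiguous which database it applies to. dn.subtree rather
# than dn.children so that the cn=example-accesslog entry itself is
# covered, not only the log records beneath it. Everyone else gets nothing.
access to dn.subtree="cn=example-accesslog"
        by dn.exact="uid=replABC,ou=repl,dc=example" read
        by * none

# syncprov on the accesslog, in the delta-syncrepl form
overlay         syncprov
syncprov-nopresent  TRUE
syncprov-reloadhint TRUE

# Do not let size/time limits cut the replication search short
limits dn.exact="uid=replABC,ou=repl,dc=example" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
```

A check that is independent of syncrepl: from the consumer host, bind with ldapsearch as uid=replABC,ou=repl,dc=example (over STARTTLS, as the consumer does) with base cn=example-accesslog, subtree scope and the same logfilter used in the syncrepl clause. If that search returns no entries or an insufficientAccessRights error while the main-tree search works, the ACL on the accesslog database is the missing piece; if it returns log entries, look elsewhere for the cause of the rid=0 failure. Note that the rootdn of each database bypasses ACLs, so testing as the rootdn proves nothing about the replication identity.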