On 01/08/2013 05:34 PM, Chris Card wrote:
Hi all,
I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}**************
olcRootDN: cn=monitor
When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like:
olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
Works for me. The error you post occurs when using slapd.conf and setting rootpw before rootdn; when using slapd-config it should never happen because olcRootPW is listed *after* olcRootDN in olcDatabaseConfig, thus processing should always occur in the right order.
I have an automated process to build the first LDAP server. There is an initial base slapd.d configuration which is then modified by applying a sequence of LDIF files using ldapmodify. The rootdn and rootpw for cn=monitor are added using ldapmodify with this LDIF:

dn: olcDatabase={2}monitor,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=Monitor
-
add: olcRootPW
olcRootPW: *******
where the values of olcRootDN and olcRootPW are my "factory settings".
The actual rootpw and rootdn to be used for cn=monitor is then read from a configuration file and applied by a script, which hashes the password using slappasswd and then runs ldapmodify with this LDIF:

dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <hashed password>
-
replace: olcRootDN
olcRootDN: cn=Monitor

Once this has been done, ldapsearch always returns the attributes in the order seen above, olcRootPW before olcRootDN. Could this influence the order in which syncrepl handles the attributes, when the second LDAP server is built?
Chris
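An added example, not code from this thread or from OpenLDAP: a small script that parses the LDIF returned by ldapsearch against cn=config, reports every database entry whose stored olcRootPW precedes its olcRootDN (the ordering Chris observes on the provider), and emits an ldapmodify LDIF that re-applies olcRootDN before olcRootPW. The two config entries and their {SSHA} hashes below are constructed placeholders, and the reordering fix rests on the assumption that a replace re-appends the attribute at the end of the entry, so replacing olcRootDN first and olcRootPW second leaves them stored in that order.

```python
"""Check cn=config entries for olcRootPW stored ahead of olcRootDN and
build a corrective ldapmodify LDIF. Added example for the thread above,
not OpenLDAP code; the sample entries and hashes are constructed."""
import base64

# Constructed sample, shaped like `ldapsearch -LLL -b cn=config "(olcDatabase=*)"`.
# The {SSHA} values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxx
olcRootDN: cn=monitor

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}yyyyyyyyyyyyyyyyyyyyyyyyyyyy
"""


def _dn(attrs):
    return next((v for n, v in attrs if n.lower() == "dn"), None)


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] preserving attribute order.
    Unfolds continuation lines (leading space) and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, attrs = [], []
    for line in lines + [""]:             # trailing "" closes the last entry
        if not line:
            if attrs:
                entries.append((_dn(attrs), attrs))
                attrs = []
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.append((name, value))
    return entries


def misordered_rootpw(entries):
    """DNs of database entries where olcRootPW is stored before olcRootDN."""
    bad = []
    for dn, attrs in entries:
        names = [n.lower() for n, _ in attrs]
        if "olcrootpw" in names and "olcrootdn" in names:
            if names.index("olcrootpw") < names.index("olcrootdn"):
                bad.append(dn)
    return bad


def fix_ldif(dn, rootdn, hashed_pw):
    """ldapmodify LDIF replacing olcRootDN first, then olcRootPW, in one modify.
    Assumption: each replace re-appends the attribute, so this order is kept."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"replace: olcRootDN\nolcRootDN: {rootdn}\n"
        "-\n"
        f"replace: olcRootPW\nolcRootPW: {hashed_pw}\n"
    )


if __name__ == "__main__":
    # For real use, pipe ldapsearch output into parse_ldif instead of SAMPLE_LDIF.
    for dn in misordered_rootpw(parse_ldif(SAMPLE_LDIF)):
        print(f"# olcRootPW precedes olcRootDN in {dn}; corrective LDIF:")
        print(fix_ldif(dn, "cn=Monitor", "<hashed password from slappasswd>"))
```

Feed it the output of `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)"` from each server (reading olcRootPW requires the config database's own access rights), and compare the provider with the consumer after syncrepl has populated it; if the consumer ends up with the expected order either way, the stored attribute order is not what the consumer's parser trips over.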