On 07-12-15 at 01:09, Quanah Gibson-Mount wrote:
--On Sunday, December 06, 2015 10:43 PM +0100 Paul van der Vlis paul@vandervlis.nl wrote:
On 06-12-15 at 22:27, Quanah Gibson-Mount wrote:
--On Sunday, December 06, 2015 10:13 PM +0100 Paul van der Vlis paul@vandervlis.nl wrote:
ldapsearch -x -b "cn=admin,dc=domain,dc=nl" -H ldapi:///
The above is an anonymous search. Do your acls actually allow results to be returned with anonymous searches?
Yes. Something like this gives "0 Success" on the replicated server: ldapsearch -x -b "cn=paul,ou=users,dc=domain,dc=nl" -H ldapi:///
Not sure what your point is. Do you mean it actually returns that user entry *as well* as returning success?
Correct.
There are very few instances where it will /not/ return success.
On the replication it says: "no such object". And that's the problem I want to fix.
Do not confuse a success result with meaning that your ACLs are correct.
As far as I know the ACLs are correct. This system has worked for many years with many Linux clients; now they also want Windows. At the master's location they have already had a few Windows PCs for some years, and the authentication works fine.
And the ldapsearch with cn=admin works fine on the master.
Again, as I noted before, this could be a rootdn that doesn't actually exist in the data backend database.
Again, you should slapcat both the master and replica and confirm their contents match.
I expect they don't match ;-)
You may also wish to see if your admin user actually exists in the data db on the master, or if it is a rootdn that only exists in the configuration.
It will be only in cn=config.
This is the way I create an LDAP admin:
-----
cat <<EOF >slapd-database.ldif
dn: olcDatabase={1}hdb,cn=config
changeType: modify
replace: olcDbConfig
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
-
replace: olcRootPW
olcRootPW: ${LDAP_ADMIN_HASH}
EOF
ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif
-----
See more here: https://wiki.debian.org/nfs4-kerberos-ldap . I am the author of the article.
With regards, Paul van der Vlis.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
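Quanah's two checks above (does the rootdn exist as a real entry in the data backend, and do slapcat dumps of master and replica match) as an added shell example; this is not code from the thread or from OpenLDAP. It assumes slapcat LDIF dumps of both servers; the dumps used here are constructed samples, and the names ldif_dns, ldif_has_dn and missing_on_replica are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Works on slapcat LDIF dumps of
# the master and the replica; the two dumps below are constructed samples.

# DNs in an LDIF dump, lowercased and with spaces after commas removed,
# so "CN=Admin, DC=domain" and "cn=admin,dc=domain" compare equal.
ldif_dns() {
  grep -i '^dn: ' "$1" | cut -c5- | tr 'A-Z' 'a-z' | sed 's/, */,/g' | sort -u
}

# Succeed (exit 0) only if DN $2 exists as a real entry in dump $1.
ldif_has_dn() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
  ldif_dns "$1" | grep -qxF -- "$want"
}

# Print DNs present in the master dump ($1) but absent from the replica ($2).
missing_on_replica() {
  m=$(mktemp); r=$(mktemp)
  ldif_dns "$1" >"$m"; ldif_dns "$2" >"$r"
  comm -23 "$m" "$r"
  rm -f "$m" "$r"
}

# Constructed sample dumps: cn=admin is the rootdn from cn=config and is
# deliberately absent from both; the replica lacks the last entry (cn=jan).
MASTER=$(mktemp); REPLICA=$(mktemp)
trap 'rm -f "$MASTER" "$REPLICA"' EXIT
cat >"$MASTER" <<'EOF'
dn: dc=domain,dc=nl
objectClass: dcObject

dn: ou=users,dc=domain,dc=nl
objectClass: organizationalUnit

dn: cn=paul,ou=users,dc=domain,dc=nl
objectClass: inetOrgPerson

dn: cn=jan,ou=users,dc=domain,dc=nl
objectClass: inetOrgPerson
EOF
sed '/^dn: cn=jan,/,$d' "$MASTER" >"$REPLICA"

ROOTDN="cn=admin,dc=domain,dc=nl"
if ldif_has_dn "$MASTER" "$ROOTDN"; then
  echo "$ROOTDN is a data entry on the master and will replicate"
else
  echo "$ROOTDN is not in the data backend (rootdn only in cn=config); it cannot replicate"
fi
echo "Entries on the master but not on the replica:"; missing_on_replica "$MASTER" "$REPLICA"
```

For real servers, produce the dumps with `slapcat -n 1 -l master.ldif` (and likewise on the replica) and pass those files to the functions instead of the samples.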