The correct way to enable replication after cn=config already exists is with ldapmodify:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with a filter like:
olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple searchbase="cn=schema,cn=config" filter="(!(cn=core))"
but then the whole olcDatabase={0}config,cn=config becomes a shadow context and I'm unable to ldapmodify anything (olcLoglevel for example).
What am I missing?
You need to set up all rids in your modify operation, each listing a provider with its own URI. Optionally, you could even have different credentials pointing in different directions - nothing prevents this. For n-way replication, you need to perform the same modification on n sides. Otherwise your replicas will be read-only, as you have seen. This is the same for any database, not just n0. Go back and enable CRL checking after you are sure that it works, if using TLS.
Example: change the macros to suit your setup and apply this same LDIF to each of your replicas:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncrepl: rid=001 provider=%%LDAP_URI_1%% bindmethod=simple timeout=0
  network-timeout=0 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0 starttls=critical tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem" tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)"
  searchbase="cn=config" scope=sub attrs="*,+" schemachecking=off
  type=refreshAndPersist retry="60 +"
olcSyncrepl: rid=002 provider=%%LDAP_URI_2%% bindmethod=simple timeout=0
  network-timeout=0 binddn="%%CONFIG_ROOT_DN%%" credentials="%%CONFIG_ROOT_PW%%"
  keepalive=0:0:0 starttls=critical tls_cert="%%LDAP_SERVER%%/ssl/cert.pem"
  tls_key="%%LDAP_SERVER%%/ssl/key.pem" tls_cacert="%%CA_CHAIN_SERVERS%%"
  tls_reqcert=demand tls_crlcheck=none filter="(objectclass=*)"
  searchbase="cn=config" scope=sub attrs="*,+" schemachecking=off
  type=refreshAndPersist retry="60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
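As an added example (not code from the thread or from OpenLDAP), the script below generates the same modify LDIF for any number of providers, one rid each, folds the long values per RFC 2849, and lints each olcSyncrepl value for the TLS options the answer says to revisit (CRL checking, certificate verification, mandatory TLS). The hostnames, bind DN, password and certificate paths are constructed placeholders.

```python
import shlex

# Constructed sample values (hypothetical hosts, DN, password and paths), not from the thread.
PROVIDERS = ["ldaps://ldap1.example.test", "ldaps://ldap2.example.test", "ldaps://ldap3.example.test"]
CONFIG_ROOT_DN = "cn=admin,cn=config"
CONFIG_ROOT_PW = "replace-me"  # the real value belongs in a secret store, not in a script
LDAP_SERVER = "/etc/openldap"
CA_CHAIN = "/etc/openldap/ssl/ca-chain.pem"

def syncrepl_value(rid, provider, crlcheck="none"):
    """One olcSyncrepl value with the same options the answer's LDIF uses."""
    parts = [
        f"rid={rid:03d}", f"provider={provider}", "bindmethod=simple", "timeout=0",
        "network-timeout=0", f'binddn="{CONFIG_ROOT_DN}"', f'credentials="{CONFIG_ROOT_PW}"',
        "keepalive=0:0:0", "starttls=critical", f'tls_cert="{LDAP_SERVER}/ssl/cert.pem"',
        f'tls_key="{LDAP_SERVER}/ssl/key.pem"', f'tls_cacert="{CA_CHAIN}"', "tls_reqcert=demand",
        f"tls_crlcheck={crlcheck}", 'filter="(objectclass=*)"', 'searchbase="cn=config"',
        "scope=sub", 'attrs="*,+"', "schemachecking=off", "type=refreshAndPersist", 'retry="60 +"',
    ]
    return " ".join(parts)

def fold(line, width=76):
    """RFC 2849 line folding: continuation lines start with one space; each line <= width chars."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)

def config_replication_ldif(providers, crlcheck="none"):
    """The modify LDIF to apply on every replica: one rid per provider, then mirror mode."""
    lines = ["dn: olcDatabase={0}config,cn=config", "changetype: modify", "add: olcSyncrepl"]
    for rid, uri in enumerate(providers, start=1):
        lines.append(fold("olcSyncrepl: " + syncrepl_value(rid, uri, crlcheck)))
    lines += ["-", "add: olcMirrorMode", "olcMirrorMode: TRUE", ""]
    return "\n".join(lines)

def tls_findings(value):
    """Flag the TLS options in one olcSyncrepl value that should be tightened for production."""
    opts = dict(tok.split("=", 1) for tok in shlex.split(value) if "=" in tok)
    findings = []
    if opts.get("tls_crlcheck", "none") == "none":
        findings.append("tls_crlcheck=none: re-enable CRL checking once replication works")
    if opts.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert=demand is needed so the provider certificate is verified")
    if opts.get("starttls") != "critical" and not opts.get("provider", "").startswith("ldaps://"):
        findings.append("no mandatory TLS: use starttls=critical or an ldaps:// provider")
    return findings
```

Feed the output of config_replication_ldif(PROVIDERS) to ldapmodify on each replica; run tls_findings over every value before doing so and again after switching tls_crlcheck away from none.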
Thank you for answering so quick.
If I understand correctly, this is an n-way multi-master layout for the whole cn=config.
Does it mean if I ldapmodify the olcLogLevel on a replica, it will be modified on all other peers as well?
So it's not what I was looking for.
I was looking for a way to replicate (master -> slave) a sub-portion of the cn=config, namely the cn=schema,cn=config.
BTW, olcMirrorMode turns out to be very powerful. In a master-slave setup, it allows me to ldapmodify the slave without incurring the "err=53 text=shadow context; no update referral".
Am I allowed to insert an olcMirrorMode in a slave while using a master-slave setup? Or am I just exploiting a grey-zone configuration? I am scared to mark a slave server as 'mirror'. It looks wrong.
If instead it is correct, my problem is solved.
thank you,
Francesco