Quanah Gibson-Mount wrote:
--On Tuesday, January 01, 2008 7:16 PM +0100 Thomas Kirchtag tkircht@ipodion.at wrote:
syncrepl rid=667 provider=ldaps://ldap.ipodion.at type=refreshOnly interval=01:00:00:00 searchbase="dc=int,dc=ipodion,dc=at" scope=sub schemachecking=on bindmethod=simple binddn="cn=admin,dc=ipodion,dc=at" credentials=<secret> access to attrs=userPassword by dn="cn=admin,dc=int,dc=ipodion,dc=at" write by anonymous auth by self write by * none
Seems clear to me. It can't write it. Note that the identity that can write is:
by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
but syncrepl is acting as:
binddn="cn=admin,dc=ipodion,dc=at"
According to the configuration files posted, the user "cn=admin,dc=ipodion,dc=at" is used as binddn by the consumer, but it is the rootdn on the producer, so it can read all values (the real, harmless error is that there's no point in authorizing access for the rootdn: it has unlimited access privileges). Local writes by syncrepl are performed with the local rootdn's identity, so there's no point in authorizing them either.
Right now, I don't seem to be able to find a reason for the incomplete replication. I note that no software version was mentioned, so unless the latest is used, there might be already resolved issues. After checking with the configuration files you provided, I note that OpenLDAP 2.3.40 correctly replicates userPassword as well as all other attrs.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------