I'm trying to set up replication with OpenLDAP 2.3 (using the one from Debian etch). When I add things to the master everything is fine, it replicates them to the slave just fine; on the other hand, when I add things to the slave it simply writes them to its own tree.
Here is the slapd.conf of the slave (stripped of any comments):
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit       500
tool-threads    1
backend         bdb
checkpoint      512 30
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ldap/cacert.pem
TLSCertificateFile      /etc/ldap/servercrt.pem
TLSCertificateKeyFile   /etc/ldap/serverkey.pem
loglevel        stats
database        bdb
suffix          "dc=kiberpipa,dc=org"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=kiberpipa,dc=org" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=kiberpipa,dc=org" write
        by * read
updatedn        "cn=admin,dc=kiberpipa,dc=org"
updateref       "ldaps://chat.kiberpipa.org:636"
With this command (on the slave):
    ldapadd -d 65535 -WxD 'cn=admin,dc=kiberpipa,dc=org' -f /tmp/b00
I'm getting http://static.kiberpipa.org/~redduck666/local_adding.txt. With
    ldapadd -d 65535 -WxD 'cn=admin,dc=kiberpipa,dc=org' -f /tmp/b00 -H ldaps://chat.kiberpipa.org:636
I get http://static.kiberpipa.org/~redduck666/add_to_master.txt (passing it the same password they write to
I have seen the certificate error there; if I change the ldap.conf on the slave to point to ldap:// instead of ldaps:// that error goes away, however it still doesn't touch the master.
I also read that I really shouldn't set updatedn to be the same as rootdn. Well, I tried changing it and granting full privileges to the newly created account; no difference.
Any pointers appreciated :-)
"TLS: unable to get peer certificate." - check whether your name resolution is working correctly and whether the CN in the server certificates is identical to the FQHN of the hosts.
Referral chasing: check whether you used the correct FQHN in the referral object in the DIT of the master. And it looks like you have no superior referral statement in your slave's slapd.conf.
The overlay chain offers an easy way to set up automatic referral chasing and identity assertion to get a "writeable" slave or consumer.
Anyway, you should upgrade to the latest 2.3.* version and compile it from scratch, because the OpenLDAP packages from most distributions are out of date and compiled with unnecessary dependencies.
And think about changing your replication to syncrepl, since slurpd is really outdated, and syncrepl is way more stable and flexible.
Almir Karic wrote:
openldap-technical@openldap.org
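An added example, mine rather than the poster's file or anything shipped by the OpenLDAP project, of the consumer configuration both messages circle around: a slurpd slave whose updatedn is a dedicated replication identity rather than the administrator DN, with the chain overlay from slapo-chain(5) forwarding ordinary client writes to the provider named in updateref instead of merely handing the referral back. The suffix and the provider host are the ones from the thread; the DNs cn=replicator and cn=chainproxy, the module layout and the credential are assumptions or placeholders. It omits the original's +SSLv2 cipher entry.

```conf
# Example consumer slapd.conf (added illustration, not the poster's file).
# Assumed names: cn=replicator (slurpd bind identity), cn=chainproxy (chain
# overlay's own identity on the provider), placeholder credential.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
modulepath      /usr/lib/ldap
moduleload      back_bdb
# slapo-chain is built on top of back_ldap, so the module must be loaded
# when back_ldap is not compiled in statically (assumption for this build).
moduleload      back_ldap

# Same certificate layout as in the thread; SSLv2 deliberately not re-enabled.
TLSCipherSuite          HIGH:MEDIUM
TLSCACertificateFile    /etc/ldap/cacert.pem
TLSCertificateFile      /etc/ldap/servercrt.pem
TLSCertificateKeyFile   /etc/ldap/serverkey.pem
loglevel        stats

database        bdb
suffix          "dc=kiberpipa,dc=org"
directory       "/var/lib/ldap"
rootdn          "cn=admin,dc=kiberpipa,dc=org"
index           objectClass eq
lastmod         on

# The identity slurpd on the provider binds as.  Kept distinct from rootdn:
# a bind as updatedn is treated as the replication feed and stored locally,
# so an administrator binding as the same DN would also write only into the
# local tree instead of being referred to the provider.
updatedn        "cn=replicator,dc=kiberpipa,dc=org"
updateref       "ldaps://chat.kiberpipa.org:636"

access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=replicator,dc=kiberpipa,dc=org" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn.exact="cn=replicator,dc=kiberpipa,dc=org" write
        by * read

# Chain the updateref referral: slapd opens its own connection to the
# provider, asserts the client's identity there, and returns the provider's
# result to the client instead of an LDAP referral.
overlay         chain
chain-uri       "ldaps://chat.kiberpipa.org:636"
chain-idassert-bind bindmethod="simple"
        binddn="cn=chainproxy,dc=kiberpipa,dc=org"
        credentials="REPLACE_WITH_PROXY_PASSWORD"
        mode="self"
chain-return-error TRUE
```

Two things this depends on that are outside the file: slurpd on the provider must bind to this consumer as cn=replicator (the replica statement's bindDN must equal updatedn here), and mode="self" only works if the provider authorises cn=chainproxy to act on behalf of the client, which means an authz-policy to setting on the provider and an authzTo attribute on the proxy entry. The chained connection is subject to the same TLS name check the reply mentions, so the provider certificate's CN must match the host in chain-uri.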