At last, I'm trying to set up a consumer to replicate data from a primary LDAP server running the Symas-provided v2.6 packages on Ubuntu 20.04.
The following links were very helpful to me:
https://openldap-software.0penldap.narkive.com/VEt6vIEI/syncrepl-ldif-kickst...
https://www.openldap.org/pub/hyc/LDAPcon2007s.pdf
I have built an ldif file that I'm trying to slapadd. But when the binddn contains anything other than "cn" attributes, slapadd produces an error.
My Question: Why can I not use a binddn that contains anything other than "cn" attributes, like "uid", "dc", or "ou"?
Specific details with debug below:
The following works perfectly fine:
root@ldapconsumer:/opt/symas/etc/openldap# /opt/symas/sbin/slapadd -l /home/myself/ldap/consumer_sync.ldif -F /opt/symas/etc/openldap/slapd.d/ -w -n0
Closing DB..

root@ldapconsumer:/opt/symas/etc/openldap# cat /home/myself/ldap/consumer_sync.ldif
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: secret
olcSyncRepl: rid=001 provider=ldap://172.16.2.5 binddn="cn=admin,cn=example,cn=com" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5"
Alternatively, this works as the binddn: cn=ldap.sync,cn=example,cn=com
But the following values in the binddn do NOT work:
- binddn=cn=ldap.sync,dc=example,dc=com
- binddn=uid=sync,ou=People,dc=example,dc=com
In either of the examples above that do NOT work, I'm getting an "invalid bind config value" error message. See below for the full stdout with one example:
root@ldapconsumer:/opt/symas/etc/openldap# /opt/symas/sbin/slapadd -l /home/myself/ldap/consumer_sync.ldif -F /opt/symas/etc/openldap/slapd.d/ -w -n0
invalid bind config value binddn=uid=ldap.sync,ou=People,dc=example,dc=com
olcSyncrepl: value #0: Error: parse_syncrepl_line: unable to parse "binddn=uid=ldap.sync,ou=People,dc=example,dc=com"
.
failed to add syncinfo
slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=5): Error: parse_syncrepl_line: unable to parse "binddn=uid=ldap.sync,ou=People,dc=example,dc=com"
Closing DB...
If I run this with debug enabled, below is what I see (not sure if this will be helpful or not, but am providing it just in case). Password has been redacted of course.
root@ldapconsumer:/opt/symas/etc/openldap# /opt/symas/sbin/slapadd -l /home/myself/ldap/consumer_sync.ldif -F /opt/symas/etc/openldap/slapd.d/ -w -n0 -d -1
slapadd init: initiated tool.
slap_sasl_init: initialized!
backend_startup_one: starting "cn=config"
ldif_read_file: no entry file "/opt/symas/etc/openldap/slapd.d//cn=config.ldif"
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=32 matched="" text=""
dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
{snip}
slapadd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
Backend ACL: access to *
	by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
config_back_db_open: No explicit ACL for back-config configured. Using hardcoded default
=> str2entry: "dn: cn=config
objectClass: olcGlobal
cn: config
"
dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
<= str2entry(cn=config) -> 0x5574eedc21b8
oc_check_required entry (cn=config), objectClass "olcGlobal"
oc_check_allowed type "objectClass"
oc_check_allowed type "cn"
oc_check_allowed type "structuralObjectClass"
ldif_write_entry: wrote entry "cn=config"
=> str2entry: "dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=admin,cn=config
olcRootPW: secret
olcSyncRepl: rid=001 provider=ldap://172.16.2.5 binddn="uid=ldap.sync,ou=People,dc=example,dc=com" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5"
"
dnPrettyNormal: <olcDatabase={0}config,cn=config>
<<< dnPrettyNormal: <olcDatabase={0}config,cn=config>, <olcDatabase={0}config,cn=config>
dnNormalize: <cn=admin,cn=config>
<<< dnNormalize: <cn=admin,cn=config>
<= str2entry(olcDatabase={0}config,cn=config) -> 0x5574eedc2258
oc_check_required entry (olcDatabase={0}config,cn=config), objectClass "olcDatabaseConfig"
oc_check_allowed type "objectClass"
oc_check_allowed type "olcDatabase"
oc_check_allowed type "olcRootDN"
oc_check_allowed type "olcRootPW"
oc_check_allowed type "olcSyncrepl"
oc_check_allowed type "structuralObjectClass"
config_build_entry: "olcDatabase={-1}frontend"
slap_get_csn: conn=-1 op=0 generated new csn=20220106202401.439197Z#000000#000#000000 manage=0
ldif_read_file: read entry file: "/opt/symas/etc/openldap/slapd.d//cn=config.ldif"
=> str2entry: "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 fd732ca0
dn: cn=config
objectClass: olcGlobal
cn: config
structuralObjectClass: olcGlobal
entryUUID: 54643148-037a-103c-8b74-e78e18fa89a5
creatorsName: cn=config
createTimestamp: 20220106202401Z
entryCSN: 20220106202401.438467Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20220106202401Z
"
dnPrettyNormal: <cn=config>
<<< dnPrettyNormal: <cn=config>, <cn=config>
dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
<= str2entry(cn=config) -> 0x5574eedc22f8
ldif_write_entry: wrote entry "olcDatabase={-1}frontend,cn=config"
dnPrettyNormal: <cn=admin,cn=config>
<<< dnPrettyNormal: <cn=admin,cn=config>, <cn=admin,cn=config>
dnPrettyNormal: <cn=admin,cn=config>
<<< dnPrettyNormal: <cn=admin,cn=config>, <cn=admin,cn=config>
dnNormalize: <uid=ldap.sync,ou=People,dc=example,dc=com>
invalid bind config value binddn=uid=ldap.sync,ou=People,dc=example,dc=com
olcSyncrepl: value #0: Error: parse_syncrepl_line: unable to parse "binddn=uid=ldap.sync,ou=People,dc=example,dc=com"
.
failed to add syncinfo
syncinfo_free: rid=001
slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=5): Error: parse_syncrepl_line: unable to parse "binddn=uid=ldap.sync,ou=People,dc=example,dc=com"
slapadd shutdown: initiated
slapadd destroy: freeing system resources.
openldap-technical@openldap.org
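An added preflight check for the consumer LDIF, not part of the post and not OpenLDAP code: slapd can only normalize a DN whose attribute types are already defined, and before a schema entry is loaded it knows only a small built-in set (cn among them), while the posted LDIF carries no cn=schema,cn=config entry that would define dc or ou. The script walks an LDIF in slapadd order and reports binddn attribute types not yet defined at the point the olcSyncRepl value is read; the built-in set, the abbreviated core.ldif excerpt and the sample entries are assumptions constructed for the example.

```python
import re

# Attribute types slapd defines internally before any schema file is loaded (assumption: a subset
# from slapd's schema_prep.c; "cn" is the one the post shows working). "dc" and "ou" are absent
# on purpose: they are defined in core.schema / core.ldif, which nothing in the posted LDIF loads.
BUILTIN_TYPES = {"objectclass", "name", "cn", "uid", "userpassword", "description"}

def type_names(definition):
    """NAME tokens of an olcAttributeTypes value, e.g. NAME ( 'dc' 'domainComponent' )."""
    m = re.search(r"NAME\s+(\([^)]*\)|'[^']*')", definition)
    return [n.lower() for n in re.findall(r"'([^']+)'", m.group(1))] if m else []

def binddn_of(syncrepl):
    """The binddn of an olcSyncRepl value, whether quoted or bare."""
    m = re.search(r'binddn=(?:"([^"]*)"|(\S+))', syncrepl)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""

def rdn_types(dn):
    """Attribute types used by the RDNs of a DN string (uid=x,ou=People,dc=example -> uid, ou, dc)."""
    return [rdn.split("=", 1)[0].strip().lower() for rdn in dn.split(",") if "=" in rdn]

def check(ldif):
    """Walk a cn=config LDIF in slapadd order; return [(entry dn, binddn, [types not yet defined])]."""
    known, problems, dn = set(BUILTIN_TYPES), [], ""
    for line in ldif.splitlines():
        attr, _, value = (part.strip() for part in line.partition(":"))
        attr = attr.lower()
        if attr == "dn":
            dn = value
        elif attr == "olcattributetypes":          # schema entries that precede the database
            known.update(type_names(value))
        elif attr == "olcsyncrepl":
            binddn = binddn_of(value)
            missing = sorted({t for t in rdn_types(binddn) if t not in known})
            if missing:
                problems.append((dn, binddn, missing))
    return problems

# Constructed samples: the post's consumer LDIF (HEAD + DB) and the same file with a schema entry
# (an abbreviated core.ldif excerpt; the real file is much longer) placed before the database.
HEAD = "dn: cn=config\nobjectClass: olcGlobal\ncn: config\n\n"
SCHEMA = ("dn: cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: schema\n\n"
          "dn: cn={0}core,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: {0}core\n"
          "olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP name )\n"
          "olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) ... )\n\n")
DB = ('dn: olcDatabase={0}config,cn=config\nobjectClass: olcDatabaseConfig\nolcDatabase: {0}config\n'
      'olcRootDN: cn=admin,cn=config\nolcRootPW: secret\n'
      'olcSyncRepl: rid=001 provider=ldap://172.16.2.5 binddn="uid=ldap.sync,ou=People,dc=example,dc=com"'
      ' bindmethod=simple credentials=secret searchbase="cn=config" type=refreshOnly\n')
BROKEN, FIXED = HEAD + DB, HEAD + SCHEMA + DB
```

check(BROKEN) names dc and ou as undefined for the posted binddn, while check(FIXED), where the schema excerpt precedes the database entry, returns nothing.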