Hi all,
This question has to do with syncrepl and the use of the rootdn option in slapd.conf.
My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.
On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and does it make a difference what the name of the account is? For example, should it be the same as the binddn for syncrepl? For that matter, should rootpw also be set, and should it then be the same as the credentials value used for syncrepl?
Thanks,
Jaap
PS -- I'm using OpenLDAP 2.4.11-1 on Debian lenny.
Jaap Winius jwinius@umrk.nl writes:
> Hi all,
> This question has to do with syncrepl and the use of the rootdn option in slapd.conf.
> My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.
Any database requires a rootdn but not a rootpw. If no rootdn is defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK. Your question should be "what is the function of rootdn?"
> On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and does it make a difference what the name of the account is? For example, should it be the same as the binddn for syncrepl? For that matter, should rootpw also be set, and should it then be the same as the credentials value used for syncrepl?
As the consumer is a database, a rootdn is required. The binddn within syncrepl has to have read access to the provider database, and this should not be the rootdn of the provider; the rootdn of the consumer manages the consumer database only.
-Dieter
Quoting Dieter Kluenter dieter@dkluenter.de:
> Any database requires a rootdn but not a rootpw. If no rootdn is defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK. Your question should be "what is the function of rootdn?"
Okay, what's the answer to that question?
> As the consumer is a database, a rootdn is required. The binddn within syncrepl has to have read access to the provider database, and this should not be the rootdn of the provider; the rootdn of the consumer manages the consumer database only.
Let me get this straight:
1. Every database needs a rootdn.
2. Provider rootdn can use the default value.
3. Consumer rootdn cannot use the default value.
4. Consumer does not require rootpw.
5. Syncrepl binddn should not be provider rootdn.
6. Syncrepl binddn must have read access to provider database.
Why the third point? Would there otherwise be a naming conflict? If so, what's the best rootdn naming strategy for consumers?
Thanks!
Jaap
Dieter Kluenter wrote:
> Jaap Winius jwinius@umrk.nl writes:
> > Hi all,
> > This question has to do with syncrepl and the use of the rootdn option in slapd.conf.
> > My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.
> Any database requires a rootdn but not a rootpw. If no rootdn is defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK.
No, and no. The only database that has a rootdn by default is back-config.
> Your question should be "what is the function of rootdn?"
> > On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and
Because the consumer needs to be able to store anything it receives, regardless of ACLs.
> > does it make a difference what the name of the account is?
No.
> > For example, should it be the same as the binddn for syncrepl?
No.
> > For that matter, should rootpw also be set,
No, that's not required.
> > and should it then be the same as the credentials value used for syncrepl?
No.
> The binddn within syncrepl has to have read access to the provider database and this should not be rootdn of the provider, rootdn of the consumer manages the consumer database only.
openldap-technical@openldap.org
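As an added illustration that is not part of the thread above and is not configuration posted by any of the participants, here is a minimal provider/consumer pair in slapd.conf syntax that follows the answers given: the provider defines no rootdn at all and gets its administrative access purely from ACLs on an ordinary entry; the replication identity is another ordinary entry with read-only access; and the consumer sets a rootdn, with no rootpw, whose name is unrelated to the syncrepl binddn. The suffix dc=example,dc=com, the host provider.example.com, the entry names cn=admin, cn=replicator and cn=syncrepl-root, the password value and the module path are made-up values for the example, and the global section of each file (schema includes, pidfile, and so on) is left out.

```conf
#####################################################################
# Provider's slapd.conf (writes happen here). No rootdn: admin rights
# come from the ordinary entry cn=admin via ACL.
#####################################################################
# modulepath/moduleload are only needed where syncprov is built as a
# module (the Debian packages do this); the path is an assumption.
modulepath      /usr/lib/ldap
moduleload      syncprov

database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq
index           entryCSN    eq
index           entryUUID   eq

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# The replication identity is a plain entry in the DIT. It must be able
# to read everything that is to be replicated, including userPassword,
# but it needs no write access and is not a rootdn of anything here.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * read

# Lift size/time limits for the replication identity so a large initial
# refresh is not cut short by the server defaults.
limits dn.exact="cn=replicator,dc=example,dc=com"
        time.soft=unlimited time.hard=unlimited
        size.soft=unlimited size.hard=unlimited

#####################################################################
# Consumer's slapd.conf (read-only replica). A rootdn is mandatory:
# slapd stores whatever the provider sends as this identity, bypassing
# the consumer's own ACLs. The name is arbitrary, the entry need not
# exist, and with no rootpw nobody can bind as it.
#####################################################################
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq
index           entryCSN    eq
index           entryUUID   eq

rootdn          "cn=syncrepl-root,dc=example,dc=com"
# deliberately no rootpw

# binddn is the read-only replication entry on the provider; it is
# neither the consumer's rootdn nor a provider rootdn. The credentials
# value is a constructed placeholder.
syncrepl rid=001
        provider=ldap://provider.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*,+"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=replicator-secret

# Refer clients that try to write to the consumer back to the provider.
updateref       ldap://provider.example.com
```

Two things worth checking after deploying something like this: an ldapwhoami against the provider as cn=replicator should succeed and a search as that identity should return userPassword values (otherwise the consumer will replicate entries without their password hashes), and a simple bind against the consumer as cn=syncrepl-root should fail, since no rootpw is set and no such entry exists.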