Hello everybody
I'm trying to start a two-server multimaster installation.
OpenLDAP is 2.4.23 built from sources, bdb 4.8.30
Configure options are: --enable-crypt --enable-overlays --enable-ppolicy --enable-memberof (maybe some are unnecessary).
OS is CentOS 5.5, patched, virtual machines.
LDAP servers are addressed by clients through round-robin DNS registration.
Behaviour: when an LDAP user connected to a client tries to change their password through the passwd command, on the LDAP server the client reached through DNS name resolution userPassword and shadowLastChange are updated; on the other LDAP server the userPassword field disappears (checked with slapcat).
I suppose that this happens because on the userPassword attribute there are ACLs (reported below) that permit only read access to syncuser.
In fact, if I change the syncrepl instances and swap syncuser with admin (rootDN), the password change happens successfully and replicates too.
Now the question to the list: if I don't want the rootDN used for replication, must I give write permissions to syncuser to guarantee the replica, leaving the "bug" of having a write account's password written in clear text in the config file? Is there a smarter method to reach the goal?
I apologize if the solution is written in the documentation, but I've tried to find it without success.
Slapd config is still supplied through slapd.conf.
These are the ACLs on the bdb instance for the userPassword and shadowLastChange attributes:
access to attrs=userPassword
    by dn="cn=admin,dc=somedomain,dc=it" write
    by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
    by anonymous auth
    by self write
    by * none
access to attrs=shadowLastChange
    by dn="cn=admin,dc=somedomain,dc=it" write
    by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
    by self write
    by * read
syncrepl is configured as follows:
syncrepl rid=000
    provider=ldap://server1.somedomain.it:389
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=somedomain,dc=it"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=syncuser,dc=somedomain,dc=it"
    credentials=syncuser_password
syncrepl rid=001
    provider=ldap://server2.somedomain.it:389
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=somedomain,dc=it"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=syncuser,dc=somedomain,dc=it"
    credentials=syncuser_password
MirrorMode TRUE
Obviously the servers are identified as serverID 001 and serverID 002, and both are started to listen only on their FQDN.
Thanks to all for attention and support.
Roberto Nunin
Comifar Service SpA
Italy
openldap-technical@openldap.org
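As an added example for this thread (not code from the original post or from the OpenLDAP project), the following Python lint reads a slapd.conf fragment and reports every "access to attrs=" stanza in which the syncrepl bind identity ends up with less than read access. The point it checks is the one the post circles around: a syncrepl consumer only receives the attributes its bind DN can read on the provider, so the replication identity needs read (not write) on userPassword, and an attribute it cannot read is simply absent from the copy it replicates. The sample configuration is constructed from the ACLs and one syncrepl stanza quoted above. The model is simplified and labelled as such in the code: "by dn=", "dn.base=" and "dn.exact=" are treated as exact, case-insensitive DN matches, regex and subtree styles are not modelled, and access levels are ranked none < auth < compare < search < read < write < manage.

```python
import re

# Access levels in the order slapd ranks them (simplified; 'disclose' omitted).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5, "manage": 6}

# Constructed sample: the ACLs and one syncrepl stanza quoted in the post.
SAMPLE_CONF = """
access to attrs=userPassword
    by dn="cn=admin,dc=somedomain,dc=it" write
    by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
    by anonymous auth
    by self write
    by * none
access to attrs=shadowLastChange
    by dn="cn=admin,dc=somedomain,dc=it" write
    by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
    by self write
    by * read
syncrepl rid=000
    provider=ldap://server1.somedomain.it:389
    type=refreshAndPersist
    searchbase="dc=somedomain,dc=it"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=syncuser,dc=somedomain,dc=it"
    credentials=syncuser_password
"""

# Matches 'dn=', 'dn.base=' and 'dn.exact=' subjects only (assumption: treated as
# exact matches; dn.regex/dn.subtree/dn.one styles are deliberately not modelled).
DN_CLAUSE = re.compile(r'dn(?:\.(?:base|exact))?="?([^"]+)"?$', re.I)


def parse_acls(text):
    """Return [(attrs, clauses)] for every 'access to attrs=...' stanza;
    clauses are (subject, level) pairs in the order slapd evaluates them."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("access "):
            m = re.match(r"access\s+to\s+attrs=(\S+)", line, re.I)
            if m:
                current = (m.group(1).split(","), [])
                stanzas.append(current)
            else:
                current = None  # other 'access to' forms are outside this lint
            continue
        m = re.match(r"by\s+(\S+)\s+(\w+)", line, re.I)
        if m and current is not None:
            current[1].append((m.group(1), m.group(2).lower()))
    return stanzas


def subject_dn(subject):
    """Lower-cased DN named by a 'by dn...=' clause, or None for self,
    anonymous, '*' and the styles this lint does not model."""
    m = DN_CLAUSE.match(subject)
    return m.group(1).lower() if m else None


def effective_level(clauses, binddn):
    """Access the bind DN gets: the first matching 'by' clause wins, as in
    slapd; an identity no clause matches gets the implicit 'by * none'."""
    for subject, level in clauses:
        if subject == "*" or subject_dn(subject) == binddn:
            return level
    return "none"


def check(conf):
    """Findings about syncrepl identities that cannot read a replicated attribute."""
    findings = []
    stanzas = parse_acls(conf)
    known_dns = {subject_dn(s) for _, clauses in stanzas for s, _ in clauses} - {None}
    binddns = sorted({m.group(1).lower()
                      for m in re.finditer(r'binddn="?([^"\s]+)"?', conf, re.I)})
    for binddn in binddns:
        if binddn not in known_dns:
            findings.append(f"syncrepl binddn {binddn} matches no 'by dn' clause; check for a DN typo")
        for attrs, clauses in stanzas:
            level = effective_level(clauses, binddn)
            if LEVELS.get(level, 0) < LEVELS["read"]:
                findings.append(f"{binddn} gets '{level}' on {','.join(attrs)}: "
                                "the consumer will not receive this attribute")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run on the posted fragment, the lint reports two things that are visible in the quoted config: the binddn used by syncrepl (cn=syncuser,dc=somedomain,dc=it) does not match the DN the ACL grants read to (cn=syncuser,ou=People,dc=somedomain,dc=it), and as a consequence that identity falls through to "by * none" on userPassword, which is exactly the attribute that goes missing on the other server. shadowLastChange ends in "by * read" and is not flagged. The same check can be pointed at any slapd.conf by replacing SAMPLE_CONF with the file's contents; it says nothing about the clear-text credentials= line, which remains a file-permission and bind-method question.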