--On Monday, February 03, 2014 1:06 PM -0500 "Borresen, John - 0442 - MITLL" John.Borresen@ll.mit.edu wrote:
The "cn=replicator,cn=accesslog" was the olcRootDN for the accesslog.
Rather, that was my intent.
Rereading documentation...and the script you shared with me a few weeks back.
Currently, my set up is:
- The rootDN for the cn=config is cn=admin (cn=admin,cn=config)
- the rootDN for my primary dbase is cn=ldapadmin (cn=ldapadmin,dc=example,dc=ldap)
- the rootDN for the accesslog, as mentioned above, is/was cn=replicator (cn=replicator,cn=accesslog)
My ou=Users,dc=example,dc=ldap has all the End-Users uids for logins.
Noticed you have a cn=admins,cn=zimbra.
Bear with the stupid question; this is more of a sanity check for me (getting pressure from my side to get this project done -- so very rushed).
I could/should create an "ou=Admins,dc=example,dc=ldap" on both MM-Servers.
In that ou, create/move the replicator that I wrongfully created in cn=accesslog:
uid=replicator,ou=Admins,dc=example,dc=ldap
That will get this user in the dbase.
Modify the olcSyncrepl, olcAccess, etc. on both MM-Servers.
Is that basically correct?
Yes. For replication, you need one single replication DN to be used for replication, that has read access into both your primary DB and your accesslog DB. The rootdns are entirely separate from any of that.
--Quanah

--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Ok,
Sanity check, please. Still seeing "empty syncUUID" messages. Also, the "userPassword" attributes on mm-server2 cannot be seen via Apache Directory Studio (they do show up with ldapsearch), but when I attempt to add one via ldapmodify it returns "value already present".
MM-Server1:
# ldapsearch -H ldap://mm-server1.example.ldap -d 256 -D cn=admin,cn=config -W -b cn=config olcAccess
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# config
dn: cn=config
# module{0}, config
dn: cn=module{0},cn=config
# schema, config
dn: cn=schema,cn=config
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config
# {2}inetorgperson, schema, config
dn: cn={2}inetorgperson,cn=schema,cn=config
# {3}java, schema, config
dn: cn={3}java,cn=schema,cn=config
# {4}misc, schema, config
dn: cn={4}misc,cn=schema,cn=config
# {5}nis, schema, config
dn: cn={5}nis,cn=schema,cn=config
# {6}openldap, schema, config
dn: cn={6}openldap,cn=schema,cn=config
# {7}ppolicy, schema, config
dn: cn={7}ppolicy,cn=schema,cn=config
# {8}2307bis, schema, config
dn: cn={8}2307bis,cn=schema,cn=config
# {9}printers, schema, config
dn: cn={9}printers,cn=schema,cn=config
# {10}sudo, schema, config
dn: cn={10}sudo,cn=schema,cn=config
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by self write by users read by anonymous auth
# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by * none
# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
olcAccess: {1}to * by * read
# {0}syncprov, {1}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config
# {1}accesslog, {1}bdb, config
dn: olcOverlay={1}accesslog,olcDatabase={1}bdb,cn=config
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none
# {0}syncprov, {2}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 22
# numEntries: 21
MM-Server2:
# ldapsearch -H ldap://mm-server2.example.ldap -d 256 -D cn=admin,cn=config -W -b cn=config olcAccess
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# config
dn: cn=config
# module{0}, config
dn: cn=module{0},cn=config
# schema, config
dn: cn=schema,cn=config
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
# {1}cosine, schema, config
dn: cn={1}cosine,cn=schema,cn=config
# {2}inetorgperson, schema, config
dn: cn={2}inetorgperson,cn=schema,cn=config
# {3}java, schema, config
dn: cn={3}java,cn=schema,cn=config
# {4}misc, schema, config
dn: cn={4}misc,cn=schema,cn=config
# {5}nis, schema, config
dn: cn={5}nis,cn=schema,cn=config
# {6}openldap, schema, config
dn: cn={6}openldap,cn=schema,cn=config
# {7}ppolicy, schema, config
dn: cn={7}ppolicy,cn=schema,cn=config
# {8}2307bis, schema, config
dn: cn={8}2307bis,cn=schema,cn=config
# {9}printers, schema, config
dn: cn={9}printers,cn=schema,cn=config
# {10}sudo, schema, config
dn: cn={10}sudo,cn=schema,cn=config
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by self write by users read by anonymous auth
# {0}config, config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by * none
# {0}syncprov, {0}config, config
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
olcAccess: {1}to * by * read
# {0}accesslog, {1}bdb, config
dn: olcOverlay={0}accesslog,olcDatabase={1}bdb,cn=config
# {1}syncprov, {1}bdb, config
dn: olcOverlay={1}syncprov,olcDatabase={1}bdb,cn=config
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none
# {0}syncprov, {2}bdb, config
dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config
# {3}monitor, config
dn: olcDatabase={3}monitor,cn=config
olcAccess: {0}to dn.children="cn=monitor" by dn.children="cn=admin,cn=config" read
# search result
search: 2
result: 0 Success
# numResponses: 24
# numEntries: 23
Log snippet from mm-server1:
52efebcb >>> dnPrettyNormal: <uid=replicator,ou=admins,dc=example,dc=ldap>
=> ldap_bv2dn(uid=replicator,ou=admins,dc=example,dc=ldap,0)
<= ldap_bv2dn(uid=replicator,ou=admins,dc=example,dc=ldap)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=replicator,ou=admins,dc=example,dc=ldap)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=replicator,ou=admins,dc=example,dc=ldap)=0
52efebcb <<< dnPrettyNormal: <uid=replicator,ou=admins,dc=example,dc=ldap>, <uid=replicator,ou=admins,dc=example,dc=ldap>
52efebcb conn=5640 op=0 BIND dn="uid=replicator,ou=admins,dc=example,dc=ldap" method=128
52efebcb do_bind: version=3 dn="uid=replicator,ou=admins,dc=example,dc=ldap" method=128
52efebcb ==> bdb_bind: dn: uid=replicator,ou=admins,dc=example,dc=ldap
52efebcb bdb_dn2entry("uid=replicator,ou=admins,dc=example,dc=ldap")
52efebcb => access_allowed: result not in cache (userPassword)
52efebcb => access_allowed: auth access to "uid=replicator,ou=Admins,dc=example,dc=ldap" "userPassword" requested
52efebcb => acl_get: [1] attr userPassword
52efebcb => acl_mask: access to entry "uid=replicator,ou=Admins,dc=example,dc=ldap", attr "userPassword" requested
52efebcb => acl_mask: to value by "", (=0)
52efebcb <= check a_dn_pat: self
52efebcb <= check a_dn_pat: anonymous
52efebcb <= acl_mask: [2] applying auth(=xd) (stop)
52efebcb <= acl_mask: [2] mask: auth(=xd)
52efebcb => slap_access_allowed: auth access granted by auth(=xd)
52efebcb => access_allowed: auth access granted by auth(=xd)
52efebcb => access_allowed: result was in cache (userPassword)
52efebcb conn=5640 op=0 BIND dn="uid=replicator,ou=Admins,dc=example,dc=ldap" mech=SIMPLE ssf=0
52efebcb do_bind: v3 bind: "uid=replicator,ou=admins,dc=example,dc=ldap" to "uid=replicator,ou=Admins,dc=example,dc=ldap"
52efebcb send_ldap_result: conn=5640 op=0 p=3
52efebcb send_ldap_result: err=0 matched="" text=""
52efebcb send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 32
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
52efebcb conn=5640 op=0 RESULT tag=97 err=0 text=
52efebcb daemon: activity on 1 descriptor
52efebcb daemon: activity on:52efebcb
52efebcb daemon: epoll: listen=7 active_threads=0 tvp=zero
52efebcb daemon: activity on 1 descriptor
52efebcb daemon: activity on:52efebcb 32r52efebcb
52efebcb daemon: read active on 32
52efebcb daemon: epoll: listen=7 active_threads=0 tvp=zero
52efebcb connection_get(32)
52efebcb connection_get(32): got connid=5640
52efebcb connection_read(32): checking for input on id=5640
ber_get_next
ldap_read: want=8, got=8
If you need more info, let me know.
Thank you in advance.
John
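Added here as an example, not part of the thread: a small Python checker that evaluates the olcAccess values from the mm-server1 output above against Quanah's requirement that the single replication DN has at least read access in both the primary DB and the accesslog DB. It assumes the simplified ACL semantics stated in its docstring, and also shows why the bind as uid=replicator,ou=admins (lowercase) in the log still matches an ACL written with ou=Admins.

```python
"""Added example (not from the thread): simplified evaluator for the olcAccess values quoted
above. Only the <who> forms seen on the page are handled (*, users, self, anonymous, dn="...",
dn.exact="..."); self is treated as not matching because the replicator reads other entries,
and an unmatched <to> clause is reported as none (real slapd would apply its default access)."""
import re
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    # slapd compares normalized DNs, so ou=Admins and ou=admins name the same entry
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_acl(line):
    """Turn 'olcAccess: {n}to <what> by <who> <level> ...' into (what, [(who, level)])."""
    body = re.sub(r"^\{-?\d+\}", "", line.split("olcAccess:", 1)[-1].strip())
    what, *by_clauses = re.split(r"\s+by\s+", body)
    return what[2:].strip(), [tuple(c.rsplit(None, 1)) for c in by_clauses]

def who_matches(who, bind_dn):
    if who in ("*", "users"):            # anyone / any authenticated requester
        return True
    if who in ("self", "anonymous"):     # bound requester reading other entries
        return False
    m = re.fullmatch(r'dn(?:\.exact)?="(.*)"', who)
    return bool(m) and norm_dn(m.group(1)) == norm_dn(bind_dn)

def access_for(acls, bind_dn, attr):
    """First matching <to> clause wins, then its first matching <by> clause."""
    for what, rules in acls:
        if what == "*" or (what.startswith("attrs=") and attr in what[6:].split(",")):
            return next((lvl for who, lvl in rules if who_matches(who, bind_dn)), "none")
    return "none"

def weakest_access(acls, bind_dn, attrs=("userPassword", "entryCSN")):
    """Lowest level the DN gets over attrs; syncrepl needs at least read on all of them."""
    return min((access_for(acls, bind_dn, a) for a in attrs), key=LEVELS.index)

# olcAccess values copied from the mm-server1 ldapsearch output above
PRIMARY_DB = [parse_acl(l) for l in (
    'olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=ldapadmin,dc=example,dc=ldap" manage '
    'by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none',
    'olcAccess: {1}to * by * read')]
ACCESSLOG_DB = [parse_acl(
    'olcAccess: {0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none')]
REPLICATOR = "uid=replicator,ou=admins,dc=example,dc=ldap"   # lowercase, as in the bind log

def check_replicator():
    """Weakest level per database for the replicator and whether both reach read."""
    levels = {"primary": weakest_access(PRIMARY_DB, REPLICATOR),
              "accesslog": weakest_access(ACCESSLOG_DB, REPLICATOR)}
    return levels, all(LEVELS.index(v) >= LEVELS.index("read") for v in levels.values())
```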
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, February 03, 2014 1:14 PM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: RE: Syncrepl and mmr