Hi,
I am trying to set up replication of two subtrees:

olcDatabase={-1}frontend,cn=config
cn=schema,cn=config

I was advised on the #openldap channel to set up syncrepl for the whole of cn=config and restrict it by ACL on the provider side, which looks like an elegant solution to me.
I tried it, but without success. As long as the replication user does not have access to cn=config, replication fails. And I don't want to replicate it, because of TLS settings etc.
So I tried this:

olcAccess: {0}to dn.subtree="olcDatabase={-1}frontend,cn=config" by dn.exact="uid=replicator,dc=ententee,dc=com" read by * break
olcAccess: {1}to dn.subtree="cn=schema,cn=config" by dn.exact="uid=replicator,dc=ententee,dc=com" read by * break
olcAccess: {2}to dn.subtree="cn=config" by dn.exact="uid=replicator,dc=ententee,dc=com" search by * break

But it didn't help either.
Does anyone have any advice please?
Thank you, Miroslav Misek
Unfortunately replication of cn=config, even at the subtree level, is broken. An ITS has been opened requesting a fix.

Sincerely,
Jason Trupp
Symas
Pardon typos. Sent from smartphone.

-------- Original message --------
From: Miroslav Misek miroslav.misek@netgarden.cz
Date: 10/23/18 10:21 AM (GMT-06:00)
To: openldap-technical@openldap.org
Subject: two subtrees replication
--On Tuesday, October 23, 2018 6:21 PM +0200 Miroslav Misek miroslav.misek@netgarden.cz wrote:
Does anyone have any advice please?
You can replicate a server-specific cn=config tree from the master, see test059, rather than attempting to do partial replication of cn=config.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
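A consumer-side and provider-side fragment illustrating the approach Quanah describes, added here as an example and not taken from the thread or from test059 itself. It assumes the provider keeps the consumer's config copy in an ordinary database under the constructed suffix cn=config-copy,dc=ententee,dc=com (assumed to be olcDatabase={2}mdb), the host name provider.ententee.com, and a CHANGEME password placeholder; syncrepl's suffixmassage maps the copy onto the consumer's cn=config.

```ldif
# Added example, not from the thread. Applied with ldapmodify on the
# PROVIDER: only the replicator may read the config copy (database
# index {2} and the suffix cn=config-copy,... are assumptions).
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=config-copy,dc=ententee,dc=com"
  by dn.exact="uid=replicator,dc=ententee,dc=com" read
  by * none

# Applied with ldapmodify on the CONSUMER: its own config database pulls
# the copy and rewrites the searchbase suffix to cn=config on the way in.
# provider host and CHANGEME credentials are placeholders.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.ententee.com
  starttls=critical
  bindmethod=simple
  binddn="uid=replicator,dc=ententee,dc=com"
  credentials=CHANGEME
  searchbase="cn=config-copy,dc=ententee,dc=com"
  suffixmassage="cn=config"
  type=refreshAndPersist
  retry="5 5 300 +"
```

Because syncrepl replaces whole entries, the copy of olcDatabase={0}config stored under cn=config-copy must itself carry this same olcSyncrepl value, otherwise the consumer loses its replication setting on the first refresh.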
Thank you, this seems to be the solution for me.
One more question please. Can I set up replication within one OpenLDAP instance? So the master could also replicate data from cn=fakeConfig to cn=config within itself? I would like to avoid setting things on the master twice.
Thank you, Miroslav
On 24. 10. 18 15:58, Quanah Gibson-Mount wrote: