--On Monday, February 03, 2014 2:26 PM -0500 "Borresen, John - 0442 - MITLL" John.Borresen@ll.mit.edu wrote:
Ok,
Sanity check, please. Still seeing "empty syncUUID" messages. Also, the "userPassword" attributes on mm-server2 cannot be seen (via Apache Directory Studio -- but they show up with ldapsearch), but when I attempt to add one (via ldapmodify) it returns "value already present".
If it shows up with ldapsearch when binding as uid=ldapreplicator,ou=admins,dc=example,dc=ldap, then you are set. I have no idea who/what you are binding with via Apache Dir Studio.
# {1}bdb, config
dn: olcDatabase={1}bdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=ldapadmin,dc=example,dc=ldap" manage
  by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read
  by * none
olcAccess: {1}to * by * read
Unless you plan on doing some really bizarre things, it is unlikely your ldapadmin needs manage access. See http://www.openldap.org/its/index.cgi/?findid=7795
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to *
  by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write
  by * none
The replicator only ever needs read access, not write.
Also, a separate nit: you should be using dn.exact in the first set of ACLs as well (you have it correctly in the second set).
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thanks for your assistance Quanah!
About the userPassword attributes...
In Apache Directory Studio (we normally only use it as a quick visual reference), we bind to both servers as cn=ldapadmin,dc=example,dc=ldap and cn=admin,cn=config (plus now uid=replicator,ou=Admins,dc=example,dc=ldap).
I just tested an ldapsearch by binding as uid=replicator, and the userPassword attribute is returned when searching for it, though the two values are different from each other (verified with other users "jdoe2" and "jdoe3", etc.).
Supposedly, if I update one server, the other server should update, too. That is, if they are properly talking. Correct?
MM-SERVER1:
# ldapsearch -H ldap://mm-server1.example.ldap -d 256 -D uid=replicator,ou=Admins,dc=example,dc=ldap -b uid=jdoe,ou=Users,dc=example,dc=ldap userPassword -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=jdoe,ou=Users,dc=example,dc=ldap> with scope subtree
# filter: (objectclass=*)
# requesting: userPassword
#

# jdoe, Users, example.ldap
dn: uid=jdoe,ou=Users,dc=example,dc=ldap
userPassword:: <encrypted_password>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

MM-SERVER2:
# ldapsearch -H ldap://mm-server2.example.ldap -d 256 -D uid=replicator,ou=Admins,dc=example,dc=ldap -b uid=jdoe,ou=Users,dc=example,dc=ldap userPassword -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=jdoe,ou=Users,dc=example,dc=ldap> with scope subtree
# filter: (objectclass=*)
# requesting: userPassword
#

# jdoe, Users, example.ldap
dn: uid=jdoe,ou=Users,dc=example,dc=ldap
userPassword:: <encrypted_password>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
John
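Quanah's three ACL points above (the replicator needs read only, ldapadmin is unlikely to need manage, and dn= should be spelled out as dn.exact) as an added Python check that is not part of this thread and not OpenLDAP's own code: it parses the two olcAccess values quoted in the thread, reports each deviation, and emits a least-privilege rewrite. It assumes simple "<who> <access>" clauses, that no DN contains " by ", and that write (not manage) is what cn=ldapadmin actually needs.

```python
import re
import shlex

# Constructed sample input: the two olcAccess values quoted in the thread.
ACL_DB1 = ('{0}to attrs=userPassword,shadowLastChange by self write '
           'by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage '
           'by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none')
ACL_DB2 = ('{0}to * by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" '
           'write by * none')
REPLICATOR_DN = "uid=replicator,ou=Admins,dc=example,dc=ldap"
WHO_DN = re.compile(r"dn(?:\.(\w+))?=(.*)$")   # matches dn=, dn.exact=, dn.regex=, ...


def parse_acl(acl):
    """Split one olcAccess value into (what, [(who, access), ...])."""
    body = re.sub(r"^\{\d+\}", "", acl).strip()   # drop the optional {n} ordering prefix
    parts = re.split(r"\s+by\s+", body)           # assumes no DN contains ' by '
    what = re.sub(r"^to\s+", "", parts[0])
    clauses = []
    for clause in parts[1:]:
        who, access = shlex.split(clause)[:2]     # shlex keeps dn="..." as one token
        clauses.append((who, access))
    return what, clauses


def audit_acl(acl, replicator_dn=REPLICATOR_DN):
    """Return the least-privilege findings raised in the thread, as strings."""
    findings = []
    for who, access in parse_acl(acl)[1]:
        m = WHO_DN.match(who)
        if not m:
            continue                              # self, anonymous, users, * ...
        style, dn = m.groups()
        if style is None:
            findings.append(f"{dn}: plain dn= used, spell the style out as dn.exact")
        if dn.lower() == replicator_dn.lower() and access != "read":
            findings.append(f"{dn}: replicator granted '{access}', it only needs read")
        elif access == "manage":
            findings.append(f"{dn}: manage granted, write is normally enough (ITS#7795)")
    return findings


def harden_acl(acl, replicator_dn=REPLICATOR_DN):
    """Rewrite the value with dn.exact, a read-only replicator and no manage."""
    what, clauses = parse_acl(acl)
    out = []
    for who, access in clauses:
        m = WHO_DN.match(who)
        if m:
            style, dn = m.group(1) or "exact", m.group(2)
            who = f'dn.{style}="{dn}"'
            access = "read" if dn.lower() == replicator_dn.lower() else \
                ("write" if access == "manage" else access)
        out.append(f"by {who} {access}")
    return f"to {what} " + " ".join(out)         # no {n} prefix; add one when loading
```

Running audit_acl over the hardened output returns no findings, which is the quick regression check to keep beside the cn=config change.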
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Monday, February 03, 2014 2:44 PM
To: Borresen, John - 0442 - MITLL; openldap-technical@openldap.org
Subject: RE: Syncrepl and mmr