(I'm having trouble finding the answer with Google, so inquiring here. If you have RTFM urls I will be quite happy indeed.)
It looks like I'm unable to change syncrepl (client) credentials without restarting slapd. When I tried this I couldn't modify an entry after the change, with an error message apparently indicating that this was a replicated consumer. Things went back to multimaster-normal after restarting both slapd's involved.
My questions (more details are below):
1) Is this intended?
2) Is there something that I can prod slapd with in order to have it change syncrepl credentials without restarting slapd?
(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
First I added a new user:
dn: uid=sync,o=base userPassword:: YmFzZQ== objectClass: account objectClass: shadowAccount uid: sync
Then I gave that user read access to everything:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to dn.subtree="ou=groups,o=base" by * read olcAccess: to dn.subtree="ou=people,o=base" by * read olcAccess: to * by dn=uid=sync,o=base read
The acls for the o=base tree were then:
olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read olcAccess: {3}to dn.subtree="ou=people,o=base" by * read olcAccess: {4}to * by dn=uid=sync,o=base read
So I updated the olcSyncrepl rules:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcSyncRepl olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1 olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
dn: uid=cwood,ou=people,o=base changetype: modify add: userPassword userPassword: fakefakefake
I got this:
modifying entry "uid=cwood,ou=people,o=base" ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
And this is what turned up in the logs:
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base" Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
Christopher Wood wrote:
(I'm having trouble finding the answer with Google, so inquiring here. If
you have RTFM urls I will be quite happy indeed.)
It looks like I'm unable to change syncrepl (client) credentials without
restarting slapd. When I tried this I couldn't modify an entry after the change, with an error message apparently indicating that this was a replicated consumer. Things went back to multimaster-normal after restarting both slapd's involved.
My questions (more details are below):
- Is this intended?
- Is there something that I can prod slapd with in order to have it
change
syncrepl credentials without restarting slapd?
There's a bit of a glitch here; when you modify the olcSyncrepl attribute, it is internally a delete followed by an add. When the delete occurs, the olcMirrorMode flag is implicitly turned off. (Because it is only allowed to be On for a database that is being replicated.) When the add occurs, the flag is not automatically turned back on.
The solution is to set it explicitly in your LDAPModify request.
(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
First I added a new user:
dn: uid=sync,o=base userPassword:: YmFzZQ== objectClass: account objectClass: shadowAccount uid: sync
Then I gave that user read access to everything:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to dn.subtree="ou=groups,o=base" by * read olcAccess: to dn.subtree="ou=people,o=base" by * read olcAccess: to * by dn=uid=sync,o=base read
The acls for the o=base tree were then:
olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read olcAccess: {3}to dn.subtree="ou=people,o=base" by * read olcAccess: {4}to * by dn=uid=sync,o=base read
So I updated the olcSyncrepl rules:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcSyncRepl olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1 olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
dn: uid=cwood,ou=people,o=base changetype: modify add: userPassword userPassword: fakefakefake
I got this:
modifying entry "uid=cwood,ou=people,o=base" ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
And this is what turned up in the logs:
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base" Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
On Thu, Sep 01, 2011 at 12:20:38PM -0700, Howard Chu wrote:
Christopher Wood wrote:
(I'm having trouble finding the answer with Google, so inquiring here. If
you have RTFM urls I will be quite happy indeed.)
It looks like I'm unable to change syncrepl (client) credentials without
restarting slapd. When I tried this I couldn't modify an entry after the change, with an error message apparently indicating that this was a replicated consumer. Things went back to multimaster-normal after restarting both slapd's involved.
My questions (more details are below):
- Is this intended?
- Is there something that I can prod slapd with in order to have it
change
syncrepl credentials without restarting slapd?
There's a bit of a glitch here; when you modify the olcSyncrepl attribute, it is internally a delete followed by an add. When the delete occurs, the olcMirrorMode flag is implicitly turned off. (Because it is only allowed to be On for a database that is being replicated.) When the add occurs, the flag is not automatically turned back on.
The solution is to set it explicitly in your LDAPModify request.
Thank you. Your solution works whether I update olcMirrorMode in the same ldapmodify request or in a later one.
(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
First I added a new user:
dn: uid=sync,o=base userPassword:: YmFzZQ== objectClass: account objectClass: shadowAccount uid: sync
Then I gave that user read access to everything:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read olcAccess: to dn.subtree="ou=groups,o=base" by * read olcAccess: to dn.subtree="ou=people,o=base" by * read olcAccess: to * by dn=uid=sync,o=base read
The acls for the o=base tree were then:
olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read olcAccess: {3}to dn.subtree="ou=people,o=base" by * read olcAccess: {4}to * by dn=uid=sync,o=base read
So I updated the olcSyncrepl rules:
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcSyncRepl olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1 olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
dn: uid=cwood,ou=people,o=base changetype: modify add: userPassword userPassword: fakefakefake
I got this:
modifying entry "uid=cwood,ou=people,o=base" ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral
And this is what turned up in the logs:
Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base" Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral Sep 1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org
-
Christopher Wood -
Howard Chu