My env is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org). I created an OpenLDAP server and am trying to configure N-Way multi-master, according to the OpenLDAP Admin Guide. I am adding an init.ldif file on the server; the following is the content:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

and I get the error "insufficient access", even if I set "acess to * by * write" in slapd.conf.
Actually, I don't understand what the guide says.
'''''''''''''
This sets up the config database:

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: secret

''''''''''''''''''''''''''''
The above configuration block could not be imported on my computer, as said at the beginning.
''''''''''''''''''''''''''''
Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $URI1
olcServerID: 2 $URI2
olcServerID: 3 $URI3

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE

''''''''''''''''''''''''''''
The configuration block seems to conflict with the former. Why should I write "olcServerID: 1 $URI1" into the LDAP server if "olcServerID: 1" is right, and why should I not write one entire configuration, but two configuration files which seem to conflict, separately?
I have set up unlimited privilege; why does the LDAP server report "insufficient access"? What privilege should be set?
Thanks for the help.
gtalk:freeespeech@gmail.com
On Monday, 7 June 2010 07:10:00 owen nirvana wrote:
> My env is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org). I created an OpenLDAP server and am trying to configure N-Way multi-master, according to the OpenLDAP Admin Guide. I am adding an init.ldif file on the server; the following is the content:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
>
> and I get the error "insufficient access", even if I set "acess to * by * write" in slapd.conf.
One of slapd.conf or this ldif is irrelevant. Only one of them can apply at a time. Please be careful to check how your slapd is being started (e.g. whether -f or -F flags are passed or not etc.).
> Actually, I don't understand what the guide says.
Maybe you need to read the guide more ...
Also, note that it is not a "HOWTO", but documents how various aspects work, not necessarily just copy-and-paste examples to use without thinking ...
> '''''''''''''
> This sets up the config database:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
>
> ''''''''''''''''''''''''''''
> The above configuration block could not be imported on my computer, as said at the beginning.
> ''''''''''''''''''''''''''''
> Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. with your actual ldap urls):
>
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1 $URI1
> olcServerID: 2 $URI2
> olcServerID: 3 $URI3
>
> dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
> olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
> ''''''''''''''''''''''''''''
Which DN did you bind as when trying to apply this LDIF? E.g., can you supply the ldapmodify commandline you used?
Note that according to your back-config extract above, you should have bound as cn=config, but you need to check whether you are using slapd.conf or back-config for configuration.
> The configuration block seems to conflict with the former. Why should I write "olcServerID: 1 $URI1" into the LDAP server if "olcServerID: 1" is right, and why should I not write one entire configuration, but two configuration files which seem to conflict, separately?
If you are doing configuration replication, the different servers need to be able to identify which server ID belongs to them. The means for doing this is providing the URL, which the server will try and match to one of its listening addresses (e.g. -h option to slapd).
> I have set up unlimited privilege; why does the LDAP server report "insufficient access"? What privilege should be set?
Probably with good reason, which we can't determine without answers to the questions above.
Regards, Buchan
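
As an added example (not part of the original thread and not OpenLDAP project code), this script models the two checks from the reply above: which configuration source a slapd command line selects, and which olcServerID a server adopts from its -h listeners. The hostnames, paths, function names and the exact-string URL comparison are assumptions made for illustration.

```shell
# Added example. CMDLINE and SERVER_IDS are constructed samples (hypothetical hosts).

# Config source of a slapd command line: -F <dir> = cn=config, -f <file> = slapd.conf.
config_source() (
    set -f; f='' F='' prev=''
    for w in $1; do
        case $prev in
            -f) f=$w ;;
            -F) F=$w ;;
        esac
        prev=$w
    done
    if [ -n "$F" ] && [ -n "$f" ]; then echo "back-config $F (converted from $f)"
    elif [ -n "$F" ]; then echo "back-config $F"
    elif [ -n "$f" ]; then echo "slapd.conf $f"
    else echo "default"   # slapd tries its default config directory, then file
    fi
)

# Print the listener URLs that follow -h, one per line.
listeners() (
    set -f; grab=0
    for w in $1; do
        case $w in
            -h) grab=1 ;;
            -*) grab=0 ;;
            *)  if [ "$grab" -eq 1 ]; then echo "$w"; fi ;;
        esac
    done
)

# Read "ID [URL]" olcServerID values on stdin; print the ID this server adopts.
# Assumed model: a bare ID always applies; a URL must equal a listener exactly.
server_id_for() (
    set -f
    while read -r id url; do
        if [ -z "$url" ]; then echo "$id"; exit 0; fi
        for l in $1; do
            if [ "$l" = "$url" ]; then echo "$id"; exit 0; fi
        done
    done
    exit 1
)
CMDLINE='/usr/sbin/slapd -h ldap://ldap2.example.org/ ldapi:/// -F /etc/ldap/slapd.d -u openldap'
SERVER_IDS='1 ldap://ldap1.example.org/
2 ldap://ldap2.example.org/
3 ldap://ldap3.example.org/'
config_source "$CMDLINE"
printf '%s\n' "$SERVER_IDS" | server_id_for "$(listeners "$CMDLINE")"
```

When the reported source is back-config, LDIF against cn=config has to be applied with a bind as cn=config, and access rules written in slapd.conf have no effect on it.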
gtalk:freeespeech@gmail.com
On Mon, Jun 7, 2010 at 6:09 PM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
> On Monday, 7 June 2010 07:10:00 owen nirvana wrote:
> > My env is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org). I created an OpenLDAP server and am trying to configure N-Way multi-master, according to the OpenLDAP Admin Guide. I am adding an init.ldif file on the server; the following is the content:
> >
> > dn: cn=config
> > objectClass: olcGlobal
> > cn: config
> > olcServerID: 1
> >
> > dn: olcDatabase={0}config,cn=config
> > objectClass: olcDatabaseConfig
> > olcDatabase: {0}config
> > olcRootPW: secret
> >
> > and I get the error "insufficient access", even if I set "acess to * by * write" in slapd.conf.
I know that. I want to give the binddn enough privilege.
My binddn is the rootdn, "cn=admin,dc=example,dc=org":
ldapadd -c -D "cn=admin,dc=example,dc=org" -x -w ${rootpw} -f init.ldif
I think the content about n-way configuration in the guide is a howto, but ${passwd} should be replaced by mine.
> If you are doing configuration replication, the different servers need to be able to identify which server ID belongs to them. The means for doing this is providing the URL, which the server will try and match to one of its listening addresses (e.g. -h option to slapd).
> > I have set up unlimited privilege; why does the LDAP server report "insufficient access"? What privilege should be set?
> Probably with good reason, which we can't determine without answers to the questions above.
> Regards, Buchan
Actually, I do dispatch a different serverID to every machine, but

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 $URI1
olcServerID: 2 $URI2
olcServerID: 3 $URI3

dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1

In my opinion, the two blocks are two different entries; why replace with the former after writing the latter into the LDAP server?
openldap-technical@openldap.org