thx for your reply.
do i put in the slave conf file the same thing as the following command?
ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
On Wed, Nov 19, 2014 9:25 AM GMT Jephte Clain wrote:
hello,
I would say, try to understand the meaning of what you do. The openldap admin guide is a good place to start.
- for instance, on the slave, you bind to the master with dn
uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp and password secretofreplicator. does this object exist *on the master*? with the right password? does this account have the right acl to read everything on the master (i.e., on the master, the acl is defined for cn=replicator,... which is not the same as uid=replicator,...)
- also, why would you use the replicator dn as the rootdn for the slave?
one last thing: I advise you change the password of both the master and slave. posting the file with the hash password of the root dn on the internet is not a good idea :-)
good luck
2014-11-19 11:38 GMT+04:00 wailok tam wailoktam@yahoo.com:
Hi, I am new to ldap. I am following the book "Mastering OpenLDAP" to set up replication but I am getting the error given in the title when I start the slave with "slapd -d sync". Replication does not work.
slapd.conf of the Master:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

#modulepath /usr/lib/openldap
#moduleload syncprov.la

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#sasl-realm ier.hit-u.ac.jp
#sasl-host localhost
#authz-regexp uid=([^,]*),cn=ier.hit-u.ac.jp,cn=DIGEST-MD5,cn=auth cn=$1,dc=ier,dc=hit-u,dc=ac,dc=jp

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
rootpw secret
#password-hash {MD5}
directory /var/lib/ldap

TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

access to attrs=userPassword
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by anonymous auth
    by * none

access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by self read
    by anonymous auth
    by * none

access to *
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by * read
slapd.conf of the slave:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
#rootpw {MD5}x1Ktlhm0p7RPnl/G01rhTQ==
rootpw secretofreplicator
#password-hash {MD5}
directory /var/lib/ldap
#TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
#TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
#TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key

# Replicas of this database
#updatedn cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp
#updateref uri=ldap://192.168.84.22

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000

#access to attrs=userPassword
#    by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#    by self write
#    by anonymous auth
#    by * none

#access to *
#    by dn="cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp" write
#    by self write
#    by * read

#loglevel stats sync

syncrepl rid=001
    provider=ldap://mail.ier.hit-u.ac.jp
    type=refreshAndPersist
    interval=00:00:05:00
    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
    binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
    bindmethod=simple
#   bindmethod=sasl saslmech=DIGEST-MD5
#   authcid=replicator
    credentials=secretofreplicator

updateref ldap://mail.ier.hit-u.ac.jp/
what puzzles me is that:
I try on the slave to access the master with ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
and it works.
What is wrong? I really need your help.
--
kind regards, Jephté Clain
Direction des Systèmes d'Information et des Usages Numériques - 2IG
Tél. 0262 93 86 31 Fax. 0262 93 81 06
hello,
well, if the replicator account is cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp yes that is the dn you have to use in the slave configuration. you see, replication is just a particular search that is done by the slave from the master. you have to make sure the replicator account used to connect to the master is able to read all attributes that you want to replicate (hence the acls)
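As an added example (not code from this thread and not part of OpenLDAP), the script below applies the point Jephte makes twice above, that replication is a search run by the slave under the syncrepl binddn, so that DN must pass the master's ACLs. It reads excerpts of the two slapd.conf files posted in the thread (constructed copies with the passwords replaced by a placeholder), evaluates the master's `access` directives with slapd's first-match semantics for the slave's binddn, and reports attribute sets that DN cannot read, any ACL DN that differs from the binddn only in its naming attribute (the cn= versus uid= mix-up), and a slave rootdn that reuses the replicator identity. The names `check_replication`, `effective_access` and the "rootdn-reuse" heuristic are this script's own; treating `self` as non-matching and supporting only the keyword privilege levels are assumptions noted in the code.

```python
import re

# Privilege keywords in increasing order (slapd.access(5)); symbolic "=rscx" forms are not handled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed excerpts of the two files posted in the thread; passwords replaced by a placeholder.
MASTER_CONF = """
access to attrs=userPassword
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by anonymous auth
    by * none
access to attrs=SambaLMPassword,SambaNTPassword
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by self read
    by anonymous auth
    by * none
access to *
    by self write
    by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
    by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
    by * read
"""
SLAVE_CONF = """
#rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,dc=ier,dc=hit-u,dc=ac,dc=jp"
syncrepl rid=001
    provider=ldap://mail.ier.hit-u.ac.jp
    type=refreshAndPersist
    searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
    binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
    bindmethod=simple
#   bindmethod=sasl saslmech=DIGEST-MD5
    credentials=REPLACE_WITH_REAL_PASSWORD
"""

def logical_lines(conf):
    """Join slapd.conf continuation lines (leading whitespace) onto the previous directive; drop comments."""
    lines = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def normalize_dn(dn):
    """Case-fold and trim spaces around RDN separators; sufficient for the literal DNs used here."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))

def rdn_value(dn):
    return normalize_dn(dn).split(",")[0].split("=", 1)[1]

def parse_acls(conf):
    """Return [(what, [(who, level), ...]), ...] for every 'access to' directive, in file order."""
    acls = []
    for line in logical_lines(conf):
        if line.startswith("access to "):
            what, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
            parsed = []
            for clause in clauses:
                tokens = clause.split()
                parsed.append((tokens[0], tokens[1] if len(tokens) > 1 else "none"))
            acls.append((what.strip(), parsed))
    return acls

def who_matches(who, dn):
    """Does a 'by <who>' selector match an authenticated bind as dn?
    Assumption: 'self' is treated as non-matching because replication reads every entry,
    not the replicator's own entry."""
    if who in ("*", "users"):
        return True
    if who in ("self", "anonymous"):
        return False
    m = re.match(r"dn(?:\.(\w+))?=(.+)$", who)
    if not m:
        return False
    style, target = m.group(1) or "regex", normalize_dn(m.group(2))
    if style in ("exact", "base"):
        return dn == target
    if style == "subtree":
        return dn == target or dn.endswith("," + target)
    if style == "children":
        return dn != target and dn.endswith("," + target)
    if style == "one":
        return dn.endswith("," + target) and "," not in dn[: -len(target) - 1]
    return re.search(target, dn) is not None   # plain dn= is dn.regex= in slapd.access(5)

def effective_access(acls, dn):
    """slapd stops at the first matching 'by' clause; no match means no access: {what: level}."""
    dn = normalize_dn(dn)
    return {what: next((lvl for who, lvl in clauses if who_matches(who, dn)), "none")
            for what, clauses in acls}

def directive(conf, name):
    line = next((l for l in logical_lines(conf) if l.startswith(name + " ")), "")
    return line[len(name) + 1:].strip() or None

def check_replication(master_conf, slave_conf):
    """Findings as (kind, detail) tuples; an empty list means the binddn can read every ACL'd set."""
    binddn = (re.search(r'\bbinddn=("[^"]*"|\S+)', directive(slave_conf, "syncrepl") or "") or [None])
    binddn = binddn.group(1).strip('"') if binddn and binddn is not None and not isinstance(binddn, list) else None
    if not binddn:
        return [("no-binddn", "")]
    findings, acls, seen = [], parse_acls(master_conf), set()
    for what, level in effective_access(acls, binddn).items():
        if level not in LEVELS or LEVELS.index(level) < LEVELS.index("read"):
            findings.append(("no-read", what))       # these attributes silently do not replicate
    for _, clauses in acls:
        for who, _ in clauses:
            m = re.match(r"dn(?:\.\w+)?=(.+)$", who)
            acl_dn = normalize_dn(m.group(1)) if m else None
            # same leaf value but a different DN: the cn=replicator vs uid=replicator mix-up
            if acl_dn and acl_dn not in seen and acl_dn != normalize_dn(binddn) \
                    and rdn_value(acl_dn) == rdn_value(binddn):
                seen.add(acl_dn)
                findings.append(("dn-mismatch", acl_dn))
    rootdn = directive(slave_conf, "rootdn")
    if rootdn and rdn_value(rootdn) == rdn_value(binddn):   # heuristic: slave rootdn reuses replicator identity
        findings.append(("rootdn-reuse", normalize_dn(rootdn)))
    return findings

if __name__ == "__main__":
    for kind, detail in check_replication(MASTER_CONF, SLAVE_CONF):
        print(kind, detail)
```

Run against the thread's configuration it reports that uid=replicator,... gets `none` on both password attribute sets (only `access to *` lets it through, via `by * read`), that the master's ACLs name cn=replicator,ou=Users,... instead, and that the slave's rootdn reuses the replicator name. Changing the binddn to the DN the ACLs actually grant to clears the first three findings, which is the check to do before looking anywhere else when syncrepl binds successfully but entries or attributes never arrive.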
openldap-technical@openldap.org