Hello,
I cannot figure out why on one of my replicas, I cannot browse the DIT. Apache Directory Studio, for example, only shows the "root DSE(2)", but the base DN (namingContext or directory suffix, whatever you call it ...) isn't visible!? On my other replicas and the master, everything is fine, I do browse the DIT, the browser shows "root DSE(3)" with the suffix visible. I might be missing something obvious, but cannot figure out what. I checked the ACL:

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to dn.subtree="dc=int-evry,dc=fr"
        by dn="cn=admin,dc=int-evry,dc=fr" write
        by users read

but still, the suffix dc=int-evry,dc=fr doesn't show up on that particular replica!? I run openldap-servers-2.4.23-20.el6.i686 with cn=config created from a slapd.conf transformed with slaptest -f.
Any help greatly appreciated.
On 24/02/2012 18:45, Jehan Procaccia wrote:
I found the reason why my replica wasn't complete: in the syncrepl config I had filtered on filter="(objectclass=interOrgPerson)" in order to get only people's objects (partial replica). Now I modified it to filter="(objectClass=*)" and everything is right.
However, I still would like to replicate only some OUs under the baseDN (ou=people and ou=group,ou=system) but not the remaining OUs below ou=system => ou=Hosts, ou=Networks, ou=Protocol. How can I remove those branches from replication? My actual syncrepl config, which replicates all:

syncrepl rid=001
        provider=ldaps://master.domain.fr
        type=refreshAndPersist
        searchbase="dc=int-evry,dc=fr"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=on
        bindmethod=simple
        retry="60 10 300 +"
        binddn="cn=replic,ou=System,dc=int-evry,dc=fr"
        credentials="secret"
updateref ldaps://master.domain.fr:636
I would like to replicate only some OUs under the baseDN: ou=people and ou=group,ou=system, but not the remaining OUs below ou=system => ou=Hosts, ou=Networks, ou=Protocol. How can I remove those branches from replication? My actual syncrepl config, which replicates all the subtree branches:

syncrepl rid=001
        provider=ldaps://master.domain.fr
        type=refreshAndPersist
        searchbase="dc=int-evry,dc=fr"
        filter="(objectClass=*)"
        attrs="*"
        scope=sub
        schemachecking=on
        bindmethod=simple
        retry="60 10 300 +"
        binddn="cn=replic,ou=System,dc=int-evry,dc=fr"
        credentials="secret"
updateref ldaps://master.domain.fr:636
On 03/20/2012 10:54 AM, jehan procaccia wrote:
Define the ACL for binddn="cn=replic,ou=System,dc=int-evry,dc=fr" such that it cannot access the ou's you don't want to sync.
suomi
On 20/03/2012 12:37, anax wrote:
Thanks, I achieved a partial replication to only the wanted branches, as you suggested, by restricting the ACL for the replica's account to the branches/attributes I want. However, that's not an easy config to set up. I noticed that as soon as I forgot to mention an attribute in a subtree object, all the objects in that subtree aren't replicated; that's the same for a branch's DN node. I initially forgot the attribute associatedDomain, which was part of that object, for example, and then that object node and all subtree objects below weren't replicated. So I ended up with many more ACLs like that:
# ou=system,dc=int-evry,dc=fr BaseDN ACL to get the ou=system object node
access to dn.exact="ou=system,dc=int-evry,dc=fr"
        by dn="cn=admin,dc=int-evry,dc=fr" write
        by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read
        by users read
# Groups and associated attributes
access to dn.subtree="ou=Group,ou=System,dc=int-evry,dc=fr"
        attrs=cn,sn,memberuid,member,mail,description,entry,objectclass,associatedDomain,gidNumber,ou
        by dn="cn=admin,dc=int-evry,dc=fr" write
        by dn="cn=replic,ou=System,dc=int-evry,dc=fr" read
        by users read
How can I check for performance issues with all the ACLs I added? Is there a program to test / bench the ACLs or optimise them?
Thanks.
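As an added example (not the poster's or anax's config), this is the provider-side ACL layout that anax's suggestion leads to, written slapd.conf style as on the page: the three excluded branches are denied to the replica account first, and one catch-all rule for the suffix then grants it read without an attrs= list, so the node objects and pseudo-attributes the poster had to enumerate by hand are covered. The DNs are the ones from the thread; the slapd.d path in the check below is the el6 default and an assumption.

```conf
# Added example, not the poster's config. Provider-side ACLs, slapd.conf
# style, that leave cn=replic able to read only the branches it should pull.
# DNs are those from the thread; adapt them to your own suffix.

# 1. Most specific targets first: slapd uses the first "access to" clause
#    whose target matches the entry, so the excluded branches must come
#    before the catch-all rule for the suffix. Within a clause the first
#    matching "by" wins, so "none" for cn=replic is not overridden by
#    the "by users read" that follows it.
access to dn.subtree="ou=Hosts,ou=System,dc=int-evry,dc=fr"
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replic,ou=System,dc=int-evry,dc=fr" none
        by users read

access to dn.subtree="ou=Networks,ou=System,dc=int-evry,dc=fr"
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replic,ou=System,dc=int-evry,dc=fr" none
        by users read

access to dn.subtree="ou=Protocol,ou=System,dc=int-evry,dc=fr"
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replic,ou=System,dc=int-evry,dc=fr" none
        by users read

# 2. Everything else under the suffix: the suffix entry itself, the
#    ou=System node, ou=People and ou=Group with their children. No attrs=
#    list, so the rule covers every attribute plus the "entry"
#    pseudo-attribute, which removes the per-branch attribute lists where a
#    missed attribute (associatedDomain in the thread) broke replication.
#    Entries the replica may not read are left out of its sync search,
#    which is what makes the consumer a partial replica.
access to dn.subtree="dc=int-evry,dc=fr"
        by dn.exact="cn=admin,dc=int-evry,dc=fr" write
        by dn.exact="cn=replic,ou=System,dc=int-evry,dc=fr" read
        by users read
```

Before reloading, check the replica account's effective rights offline with slapacl: `slapacl -F /etc/openldap/slapd.d -D "cn=replic,ou=System,dc=int-evry,dc=fr" -b "ou=Hosts,ou=System,dc=int-evry,dc=fr" entry/read` should report the access as denied, while the same command with `-b "ou=System,dc=int-evry,dc=fr"` should report it as allowed.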
openldap-technical@openldap.org