I have set up a slave ldap server for syncrepl and seem to be unable to get it to replicate. There is nothing logged on the slave at all. ACL logging on the master shows the slave connecting and seeming to get access - see below.
On the MAIN SERVER I HAVE

access to attrs=userPassword,shadowLastChange
    by self =xw
    by anonymous auth
    by dn="cn=sync,dc=my company,dc=com" read
    by * none

access to *
    by self write
    by dn="cn=sync,dc=my company,dc=com" read
    by users read
    by * read

# Replication stuff
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
ON THE SLAVE I HAVE

access to *
    by self write
    by dn="cn=sync,dc=my company,dc=com" write
    by users read
    by anonymous auth

loglevel sync config acl
logfile /tmp/ldaptmp

syncrepl rid=123
    provider=ldaps://envy.my company.com
    type=refreshOnly
    interval=01:00:00:00
    searchbase="dc=my company,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*,+"
    schemachecking=off
    retry="60 10 300 3"
    logbase="cn=accesslog"
    syncdata=accesslog
    bindmethod=simple
    binddn="cn=sync,dc=my company,dc=com"
    credentials="password"
AUTH OUTPUT FROM THE MASTER

Nov 26 10:48:04 envy slapd[19774]: => acl_mask: to value by "", (=0)
Nov 26 10:48:04 envy slapd[19774]: <= check a_dn_pat: self
Nov 26 10:48:04 envy slapd[19774]: <= check a_dn_pat: cn=sync,dc=imagreendriver,dc=com
Nov 26 10:48:04 envy slapd[19774]: <= check a_dn_pat: users
Nov 26 10:48:04 envy slapd[19774]: <= check a_dn_pat: *
Nov 26 10:48:04 envy slapd[19774]: <= acl_mask: [4] applying read(=rscxd) (stop)
Nov 26 10:48:04 envy slapd[19774]: <= acl_mask: [4] mask: read(=rscxd)
Nov 26 10:48:04 envy slapd[19774]: => slap_access_allowed: read access granted by read(=rscxd)
AN LDAP SEARCH QUERY produces zip on slave

ldapsearch -H ldaps:/// -x -b 'dc=my company,dc=com' '(objectclass=*)' -s sub

# extended LDIF
#
# LDAPv3
# base <dc=my company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
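A check that is not part of the thread, added here as an example: syncrepl progress is recorded in the operational attribute contextCSN on the suffix entry of both servers, so the quickest way to see whether a consumer has ever completed its initial refresh, and how far behind it is otherwise, is to read that attribute from each side and compare the two, for instance with `ldapsearch -x -H ldaps://<host>/ -D "cn=sync,dc=my company,dc=com" -W -b 'dc=my company,dc=com' -s base contextCSN` on each server. Bind as the replication user rather than anonymously for this: the consumer ACL above gives anonymous only `auth`, and a base entry the bind is not allowed to read also comes back as result 32. The Python below is my own code, not OpenLDAP's; it parses constructed ldapsearch output for both sides (the CSN values and hostnames are made up), treats the empty-consumer case from the post (result 32) separately, and compares per serverID, so it also covers a multi-provider setup even though a single provider without `serverID` emits SID 000 only.

```python
"""Compare provider and consumer contextCSN values from ldapsearch output.

Added example, not from the thread or from OpenLDAP. The LDIF samples at
the bottom are constructed for the example.
"""
import re
from datetime import datetime, timezone

# CSN layout: <timestamp>.<microseconds>Z#<count>#<serverID>#<modifier>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$",
    re.IGNORECASE,
)


def parse_csn(csn):
    """Return (timestamp, count, serverID) for one CSN string."""
    m = CSN_RE.match(csn.strip())
    if m is None:
        raise ValueError("not a CSN: %r" % csn)
    stamp, micros, count, sid, _modifier = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micros), tzinfo=timezone.utc
    )
    return when, int(count, 16), int(sid, 16)


def result_code(ldif):
    """LDAP result code from the 'result: N ...' line, or None if absent."""
    m = re.search(r"^result: (\d+)", ldif, re.MULTILINE)
    return int(m.group(1)) if m else None


def context_csns(ldif):
    """Map serverID -> (timestamp, count) for every contextCSN line."""
    out = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            when, count, sid = parse_csn(line.split(":", 1)[1])
            out[sid] = (when, count)
    return out


def compare(provider_ldif, consumer_ldif):
    """Describe the consumer's state relative to the provider.

    Returns {"status": "empty"} when the consumer answers noSuchObject for
    the suffix (the initial refresh never completed), otherwise a per-SID
    breakdown with the lag in seconds.
    """
    if result_code(consumer_ldif) == 32:
        return {"status": "empty"}
    prov = context_csns(provider_ldif)
    cons = context_csns(consumer_ldif)
    if not prov:
        return {"status": "no-provider-csn"}
    per_sid = {}
    for sid, (p_when, p_count) in prov.items():
        if sid not in cons:
            per_sid[sid] = ("missing", None)
            continue
        c_when, c_count = cons[sid]
        if (c_when, c_count) == (p_when, p_count):
            per_sid[sid] = ("in-sync", 0.0)
        elif (c_when, c_count) < (p_when, p_count):
            per_sid[sid] = ("behind", (p_when - c_when).total_seconds())
        else:
            per_sid[sid] = ("ahead", (c_when - p_when).total_seconds())
    all_ok = all(state == "in-sync" for state, _ in per_sid.values())
    return {"status": "in-sync" if all_ok else "lagging", "per_sid": per_sid}


# Constructed sample output (not real captures from the thread).
PROVIDER = """\
dn: dc=my company,dc=com
contextCSN: 20131126184804.123456Z#000000#000#000000

# search result
search: 2
result: 0 Success
"""

CONSUMER_BEHIND = """\
dn: dc=my company,dc=com
contextCSN: 20131126184704.000000Z#000000#000#000000

# search result
search: 2
result: 0 Success
"""

CONSUMER_EMPTY = """\
# search result
search: 2
result: 32 No such object
"""

if __name__ == "__main__":
    print(compare(PROVIDER, CONSUMER_BEHIND))
    print(compare(PROVIDER, CONSUMER_EMPTY))
```

With the constructed samples the consumer is reported 60.123456 s behind SID 0, and the result-32 capture is reported as an empty database rather than as lag, which is the distinction that matters when, as in the post, the consumer returns nothing at all.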
--On November 26, 2013 at 10:57:59 AM -0800 Tony Chilton tonyc@otsys.com wrote:

> I have set up a slave ldap server for syncrepl and seem to be unable to get it to replicate. There is nothing logged on the slave at all. ACL logging on the master shows the slave connecting and seeming to get access - see below.

OpenLDAP version?

> On the MAIN SERVER I HAVE access to attrs=userPassword,shadowLastChange by self =xw by anonymous auth by dn="cn=sync,dc=my company,dc=com" read by * none
> access to * by self write by dn="cn=sync,dc=my company,dc=com" read by users read by * read

The formatting of your ACLs is really odd, and if this is their actual formatting, I suggest you read up on the significance of spacing in slapd.conf.

--Quanah
It is not related to your problem, but considering your ACL, the userPassword (and shadowLastChange) of the cn=sync user won't be replicated. If this behaviour is not intended, you should refer to the OpenLDAP admin guide: http://www.openldap.org/doc/admin24/access-control.html

> On the MAIN SERVER I HAVE
> access to attrs=userPassword,shadowLastChange by self =xw by anonymous auth by dn="cn=sync,dc=my company,dc=com" read by * none
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
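The reason the remark above holds is slapd's first-match rule: within one `access to` directive the `by` clauses are tried in order and the first `<who>` that matches decides the level, so on the cn=sync entry itself `by self =xw` wins before `by dn="cn=sync,..." read` is ever reached, and the replication user cannot read its own userPassword. The Python below is an added model of that rule written for this thread, not slapd code; it parses the ACL line exactly as posted, evaluates it for the replication user against its own entry and against another user's entry, and does the same for a version with the `dn=` clause moved in front of `self`. The `uid=alice` entry is made up, `dn=<pattern>` without a style is modelled as an exact DN match (an assumption; slapd.access(5) defines the real matching), and `<control>` keywords such as `stop`/`break` are not handled.

```python
"""First-match model of a slapd.conf access directive.

Added example for the thread, not OpenLDAP code. Assumptions: dn=<pattern>
is treated as an exact, case-insensitive DN match and no <control>
keywords (stop/continue/break) appear in the clauses.
"""
import shlex


def parse_access(line):
    """Split 'access to <what> by <who> <access> ...' into (what, clauses)."""
    toks = shlex.split(line)  # keeps dn="cn=sync,dc=my company,dc=com" intact
    if toks[:2] != ["access", "to"]:
        raise ValueError("not an access directive: %r" % line)
    i = 2
    what = []
    while i < len(toks) and toks[i] != "by":
        what.append(toks[i])
        i += 1
    clauses = []
    while i < len(toks):
        if toks[i] != "by" or i + 2 >= len(toks):
            raise ValueError("malformed by-clause in %r" % line)
        clauses.append((toks[i + 1], toks[i + 2]))
        i += 3
    return " ".join(what), clauses


def who_matches(who, requester, target):
    """True if <who> matches a request by `requester` on entry `target`.

    requester is None for an anonymous bind.
    """
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith("dn="):  # modelled as exact match (assumption)
        return requester is not None and who[3:].lower() == requester.lower()
    raise ValueError("unsupported <who>: %r" % who)


def access_for(acl_line, requester, target):
    """Access from the first matching clause; 'none' if nothing matches."""
    _what, clauses = parse_access(acl_line)
    for who, access in clauses:
        if who_matches(who, requester, target):
            return access
    return "none"


def readable(access):
    """True if the granted level allows reading the attribute value."""
    levels = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
    if access.startswith("="):  # explicit privilege set, e.g. =xw
        return "r" in access[1:]
    return levels.index(access) >= levels.index("read")


SYNC_DN = "cn=sync,dc=my company,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=my company,dc=com"  # made-up entry

# The attrs ACL exactly as posted for the provider.
ORIGINAL = (
    "access to attrs=userPassword,shadowLastChange "
    'by self =xw by anonymous auth by dn="cn=sync,dc=my company,dc=com" read by * none'
)
# Same clauses, replication user listed before self.
REORDERED = (
    "access to attrs=userPassword,shadowLastChange "
    'by dn="cn=sync,dc=my company,dc=com" read by self =xw by anonymous auth by * none'
)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        for target in (SYNC_DN, ALICE_DN):
            level = access_for(acl, SYNC_DN, target)
            print(name, target, level, "readable" if readable(level) else "not readable")
```

With the posted ordering the model yields `=xw` for cn=sync on its own entry (no read, so the attribute is skipped during replication) and `read` on everyone else's; with the `dn=` clause first it yields `read` on both, while ordinary users still get `=xw` on their own password. The authoritative check is slapacl(8) against the real configuration, for example `slapacl -f /etc/ldap/slapd.conf -D "cn=sync,dc=my company,dc=com" -b "cn=sync,dc=my company,dc=com" userPassword/read` (config path assumed).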
Change the line below on the OpenLDAP master server. It worked here.
modulepath syncprov
2013/11/27 Esteban Pereira esteban.pereira@gepsit.fr wrote:

> It is not related to your problem, but considering your acl, the userpassword (and shadowlastchange) of the cn=sync user won't be replicated. If this behaviour is not intended, you should refer to the openldap admin guide http://www.openldap.org/doc/admin24/access-control.html
>
>> On the MAIN SERVER I HAVE
>> access to attrs=userPassword,shadowLastChange by self =xw by anonymous auth by dn="cn=sync,dc=my company,dc=com" read by * none
>>
>> --Quanah
openldap-technical@openldap.org