Hello,
I have 3 installations of openldap-server-2.3.33 running on FreeBSD
6.1-REL: ldap-master, ldap1, ldap2. I am using syncrepl to replicate
ldap-master to ldap1 and ldap2. The replicated directory is missing
entire ou branches in my tree.
I have created the following objects in my directory:
cn=syncrepl-ldap1,dc=example,dc=com
cn=syncrepl-ldap2,dc=example,dc=com
I've made the following configurations on the provider:
| access to *
| by dn.regex="cn=syncrepl-(ldap1|ldap2),dc=example,dc=com" read
| by * break
|
| # More ACLs Follow
|
| # For Sync Replication
| overlay syncprov
| syncprov-checkpoint 100 10
| syncprov-sessionlog 100
And on the consumer (ldap1):
| # Sync Replication
| syncrepl rid=001
| provider=ldaps://ldap-master.example.com/
| type=refreshAndPersist
| interval=00:01:00:00
| searchbase="dc=example,dc=com"
| scope=sub
| schemachecking=off
| bindmethod=simple
| binddn="cn=syncrepl-ldap1,dc=example,dc=com"
| credentials=supersecret
Now, when I query:
$ ldapsearch -D 'cn=admin,dc=example,dc=com' -Wx -H \
'ldaps://ldap-master.example.com/' '(ou=*)' ou | grep '^ou'
| ou: People
| ou: Roaming
| ou: Group
| ou: Reshall People
| ou: Reshall Group
| ou: Services
| ou: System Accounts
| ou: System Groups
But:
$ ldapsearch -D 'cn=admin,dc=example,dc=com' -Wx -H \
'ldaps://ldap1.example.com/' '(ou=*)' ou | grep '^ou'
| ou: People
| ou: Roaming
| ou: Group
| ou: Reshall People
| ou: Reshall Group
| ou: Services
You'll notice that the "System Accounts" and "System Groups" ou's are
not visible in the replicated directory. Odd.
Next, I run the query:
$ ldapsearch -D 'cn=admin,dc=example,dc=com' -Wx -H \
'ldaps://ldap-master.example.com/' '(objectClass=*)' ou | grep '^ou'
| ou: People
| ou: Roaming
| ou: Group
| ou: Reshall People
| ou: Reshall Group
| ou: Services
| ou: System Accounts
| ou: System Groups
But the syncrepl process is binding as "cn=syncrepl-ldap1":
$ ldapsearch -D 'cn=syncrepl-ldap1,dc=example,dc=com' -Wx -H \
'ldaps://ldap-master.example.com/' '(objectClass=*)' ou | grep '^ou'
| ou: People
| ou: Roaming
| ou: Group
| ou: Reshall People
| ou: Reshall Group
| ou: Services
So, if I configure the consumer to bind as my rootdn (cn=admin), the
entire directory gets replicated (as the final ldapsearches would
imply). My question is how do I properly configure the ACLs here?
Shouldn't the 'read *' at the beginning of my ACL declarations match?
I'm attaching the full list of my ACLs to the message.
Thanks for any help or pointers you can offer.
--
Chris Cowart
Network and Infrastructure Systems Administrator
RSSP-IT, UC Berkeley
"May all your pushes be popped"
access to *
by dn.regex="cn=syncrepl-(ldap1|ldap2),dc=example,dc=com" read
by * break
access to attrs=userPassword
by dn.regex="cn=admin,dc=example,dc=com" write
by anonymous auth
by self write
by * none
access to attrs=gecos
by dn.regex="cn=admin,dc=example,dc=com" write
by anonymous read
by self write
by * none
access to *
by dn.regex="cn=admin,dc=example,dc=com" write
by * read