replication question: slave binding to master as anonymous?
Greetings,
Could someone please offer any suggestions on how I can go about "fixing"
this situation?
I have a master server and a slave server. After a lot of help from the
kind people in this mailing list I figured out a way for the master to
replicate to slave without any problems. I created a "Replicator" account
that has access to read/write to any of the branches in my ldap tree.
Now the problem is this:
When I bind as root (cn=root) and send a request to the slave to modify a
record, it passes a "Referral" to the master, but the update fails. Not
because it never gets there, but rather because it tries to bind anonymously. A
snippet is below:
From slave:
Dec 12 16:25:11 view3 slapd[3990]: conn=4 op=3 MOD dn="cn=mygroup,ou=Marketing,ou=Company,o=EMC"
Dec 12 16:25:11 view3 slapd[3990]: conn=4 op=3 RESULT tag=103 err=9 text=Referral:
Dec 12 16:25:11 view3 ldap://view2.emc.com:389
Dec 12 16:25:11 view3 slapd[3990]: conn=4 op=4 UNBIND
On master:
Dec 12 16:26:00 view2 slapd[4016]: daemon: conn=4 fd=9 connection from IP=153.32.2.146:62261 (IP=0.0.0.0:0) accepted.
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=0 BIND dn="" method=128
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=0 RESULT tag=97 err=0 text=
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=1 MOD dn="cn=mygroup,ou=Marketing,ou=Company,o=EMC"
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=1 RESULT tag=103 err=50 text=
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=2 UNBIND
Dec 12 16:26:00 view2 slapd[4016]: conn=-1 fd=9 closed
Where I'm getting confused is the line here:
Dec 12 16:26:00 lookup2 slapd[4016]: conn=4 op=0 BIND dn="" method=128
I read once in this newsgroup that this is actually necessary, but isn't
this a security hole? Does anyone know of a "better" way of allowing the
slave to modify entries on the master without giving access rights to
everyone? And the weird thing (maybe not so weird if someone could just
clarify it for me) is that the IP address is the IP address of the client that
requested the change, not the IP address of the slave LDAP server.
The only way I could think of was
access to *
by peername="153.32.2.146" write
But I am not too sure of this. If anyone could offer any suggestions on how
I can send a request to update a record on the slave, have the slave
contact the master, and have the master update the record and propagate it to the
slave, that'll be super.
Any tips or leads would be greatly appreciated.
Thanks in advance.
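The anonymous BIND followed by a MOD in the master-side log above is exactly the kind of event worth watching for on a master, whether or not the ACLs happen to reject it. What follows is an added example, not part of the original post or of OpenLDAP itself: a small Python checker that replays the post's master-side slapd log lines (joined back onto single lines) plus one constructed connection, and flags every write operation attempted on a connection whose last successful BIND had an empty DN. The replicator DN cn=Replicator,o=EMC used for the constructed connection is an assumption, not a DN from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One slapd "conn=N op=M KIND ..." record. Lines without an op= field
# (connection accepted/closed) carry no operation and are ignored.
OP_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) (\w+)(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')

WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}

# Constructed sample: the master-side excerpt from the post with the
# syslog-wrapped lines joined, plus a made-up connection (conn=5) that binds
# as a replicator DN (cn=Replicator,o=EMC is an assumption, not a DN from the
# post) so the checker has a non-anonymous write that it must leave alone.
SAMPLE_LOG = """\
Dec 12 16:26:00 view2 slapd[4016]: daemon: conn=4 fd=9 connection from IP=153.32.2.146:62261 (IP=0.0.0.0:0) accepted.
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=0 BIND dn="" method=128
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=0 RESULT tag=97 err=0 text=
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=1 MOD dn="cn=mygroup,ou=Marketing,ou=Company,o=EMC"
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=1 RESULT tag=103 err=50 text=
Dec 12 16:26:00 view2 slapd[4016]: conn=4 op=2 UNBIND
Dec 12 16:26:00 view2 slapd[4016]: conn=-1 fd=9 closed
Dec 12 16:27:10 view2 slapd[4016]: conn=5 op=0 BIND dn="cn=Replicator,o=EMC" method=128
Dec 12 16:27:10 view2 slapd[4016]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 12 16:27:10 view2 slapd[4016]: conn=5 op=1 MOD dn="cn=mygroup,ou=Marketing,ou=Company,o=EMC"
Dec 12 16:27:10 view2 slapd[4016]: conn=5 op=1 RESULT tag=103 err=0 text=
Dec 12 16:27:10 view2 slapd[4016]: conn=5 op=2 UNBIND
"""


@dataclass
class Finding:
    conn: int
    op: int
    kind: str
    dn: str
    err: Optional[int]  # LDAP result code from the matching RESULT line, if seen


def find_anonymous_writes(lines) -> List[Finding]:
    """Return every write op attempted on a connection whose last successful
    BIND had an empty DN (anonymous). Connections whose BIND is not in the
    excerpt are treated as unknown, not anonymous, so a truncated log does
    not produce false positives."""
    bound_as: Dict[int, str] = {}                       # conn -> DN of last successful bind
    pending_bind: Dict[Tuple[int, int], str] = {}       # (conn, op) -> DN awaiting its RESULT
    pending_write: Dict[Tuple[int, int], Finding] = {}  # (conn, op) -> write awaiting its RESULT
    findings: List[Finding] = []

    for line in lines:
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

        if kind == "BIND":
            dn_m = DN_RE.search(rest)
            pending_bind[(conn, op)] = dn_m.group(1) if dn_m else ""
        elif kind in WRITE_OPS:
            if bound_as.get(conn) == "":  # an anonymous bind was actually observed
                dn_m = DN_RE.search(rest)
                pending_write[(conn, op)] = Finding(conn, op, kind, dn_m.group(1) if dn_m else "", None)
        elif kind == "RESULT":
            err_m = ERR_RE.search(rest)
            err = int(err_m.group(1)) if err_m else None
            if (conn, op) in pending_bind:
                dn = pending_bind.pop((conn, op))
                if err == 0:  # bind succeeded; for dn="" that is a successful anonymous bind
                    bound_as[conn] = dn
            elif (conn, op) in pending_write:
                f = pending_write.pop((conn, op))
                f.err = err
                findings.append(f)
        elif kind == "UNBIND":
            bound_as.pop(conn, None)

    # A write whose RESULT never appeared in the excerpt is still reported.
    findings.extend(pending_write.values())
    return findings


def describe(f: Finding) -> str:
    # 50 is insufficientAccessRights in the LDAP result code table.
    status = {50: "rejected: insufficientAccessRights"}.get(f.err, f"err={f.err}")
    return f"conn={f.conn} op={f.op}: anonymous {f.kind} on {f.dn!r} ({status})"


if __name__ == "__main__":
    for finding in find_anonymous_writes(SAMPLE_LOG.splitlines()):
        print(describe(finding))
```

Run against the sample it reports only conn=4 op=1, the anonymous MOD that the master rejected with err=50, and stays silent about the replicator's authenticated MOD on conn=5. Pointing it at the real master log (with the wrapped syslog lines joined first) tells you whether anonymous writes are being attempted at all, regardless of which ACL eventually answers them.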