
Re: LDAP Replication/update dn entry



I'm getting the following in the slurpd replica folder on the master LDAP:

[root@HOSTMASTER001 replica]# cat 10.101.2.10\:389.rej
ERROR: Insufficient access: no write access to parent
replica: 10.101.2.10:389
time: 1124818381.0
dn: cn=test3,dc=local,dc=gov
changetype: add
cn: test3
objectClass: top
objectClass: person
sn: test3
userPassword:: YWRtaW4=
structuralObjectClass: person
entryUUID: b2c5e8d0-a847-1029-8c36-b5add10b8e8a
creatorsName: cn=admin,dc=local,dc=gov
createTimestamp: 20050823173301Z
entryCSN: 20050823173301Z#000001#00#000000
modifiersName: cn=admin,dc=local,dc=gov
modifyTimestamp: 20050823173301Z

The updatedn and binddn have an entry that has write access to the slave database:
access to *
  by dn.base=" " write
The replica entry exists on the slave and master. My master slapd.conf looks like this:

database     bdb
suffix          "dc=local,dc=gov"
rootdn          "cn=admin,dc=local,dc=gov"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          admin
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
replogfile      /usr/local/var/openldap-data/replication.log
replica uri=ldap://10.101.2.10:389
        binddn="cn=Replicator,dc=local,dc=gov"
        bindmethod=simple credentials=admin
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

My slave slapd:
access to *
  by dn.base="cn=Replicator,dc=local,dc=gov" write
  by anonymous auth
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

database        bdb
suffix          "dc=local,dc=gov"
rootdn          "cn=admin,dc=local,dc=gov"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          admin
updatedn "cn=Replicator,dc=local,dc=gov"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

Thanks

Moe
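For reading reject files like the one above, here is an added example that is not from this thread or from OpenLDAP: a small parser for slurpd .rej files that groups the rejected changes by replica and error. The record layout (an "ERROR:" line, then "replica:" and "time:", then the LDIF of the change, records separated by a blank line) is assumed from the file shown in the post.

```python
# Added example, not from the thread: parse slurpd .rej files such as the
# 10.101.2.10:389.rej shown above (layout assumed from that file).
import time

# Constructed sample modelled on the .rej file quoted in the post.
SAMPLE_REJ = """\
ERROR: Insufficient access: no write access to parent
replica: 10.101.2.10:389
time: 1124818381.0
dn: cn=test3,dc=local,dc=gov
changetype: add
objectClass: top
objectClass: person
userPassword:: YWRtaW4=

ERROR: Insufficient access: no write access to parent
replica: 10.101.2.10:389
time: 1124818402.0
dn: cn=test4,dc=local,dc=gov
changetype: delete
"""

def parse_rej(text):
    """Return one dict per rejected change: error, replica, time, when, dn, changetype, attrs."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {"attrs": {}}
        for line in block.splitlines():
            if line.startswith("ERROR: "):
                rec["error"] = line[len("ERROR: "):]
                continue
            # LDIF "name: value" or "name:: base64"; base64 values are kept encoded
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()
            if name in ("replica", "time", "dn", "changetype"):
                rec[name] = value
            else:
                rec["attrs"].setdefault(name, []).append(value)
        # slurpd records the replog timestamp as epoch seconds; render it in UTC
        rec["when"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(float(rec["time"])))
        records.append(rec)
    return records

def summarise(records):
    """Group rejected changes: (replica, error) -> [(dn, changetype), ...]."""
    summary = {}
    for rec in records:
        summary.setdefault((rec["replica"], rec["error"]), []).append((rec["dn"], rec["changetype"]))
    return summary
```

The rendered "when" of the first record matches the entry's createTimestamp in the post, which is a quick sanity check that the right replog entry is being looked at.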
Quanah Gibson-Mount <quanah@stanford.edu> wrote:


--On Wednesday, August 17, 2005 1:55 PM -0700 Moe wrote:

> Hi,
>
> I'm doing a master-slave replication. For the updatedn, the OpenLDAP Admin
> Guide says that the updatedn entry: 1- should not generally be the rootdn
> 2- should have write permission to the slave database
> updatedn "cn=replica,dc=elawsbs,dc=local"
>
> - Should replica be an entry in the slave database only or in the master

your master and replica databases should be exactly the same, so it would 
be an entry in both.


> and slave database? - How do i give replica entry write access to the
> slave database?

You use ACLs. I suggest you read up on how to define ACLs.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
