
Re: Syncrepl Problems for Attribute-Value Pair host=*



I have no final answer on your main issue, I need to check; however ...
(see below)

> I'm having a little syncrepl problem here. OL version is 2.3.13 + bdb
> 4.2.52 with 4 patches + OL transactions patch (is it still need?).
> We have a master server filled with mostly POSIX account and group data.
>
> I was experimenting to set up a slave slapd on a UNIX client which should
> only contain POSIX accounts that are actually allowed to login on that
> client (which is defined through the host attribute).
>
> So I set up a syncrepl slapd on that machine with a filter directive that
> replicates all posix groups and all accounts which are allowed to login
> along with the dc's and ou's needed to reflect the posix information
> appropriately:
> syncrepl rid=999
>  provider=ldap://<master ip>
>  type=refreshAndPersist
>  interval=00:00:00:10
>  retry="60 10 300 +"
>  searchbase="dc=o2online,dc=de"
>
> filter="(|(objectclass=dcobject)(objectclass=oragnizationalunit)(objectclass=posixgroup)(&(objectclass=posixaccount)(host=\\*))(&(objectclass=posixaccount)(host=<hostname>)))"

^^^ there's a typo here: s/oragnizationalunit/organizationalunit/

>  scope=sub
>  attrs="*,+"
>  schemachecking=on
>  starttls=critical
>  binddn="<bind dn>"
>  credentials=<password>
>
> I added a few testusers of this kind to the directory:
> dn: uid=test,ou=People,dc=o2online,dc=de
> cn: TestO Steron
> gecos: TestO Steron
> loginShell: /bin/bash
> homeDirectory: /home/test
> shadowWarning: 7
> shadowInactive: -1
> shadowFlag: 0
> shadowMin: 0
> shadowMax: 40
> objectClass: top
> objectClass: shadowAccount
> objectClass: posixAccount
> objectClass: account
> objectClass: ldapPublicKey
> uid: test
> gidNumber: 20000
> uidNumber: 10099
> shadowLastChange: 13056
> sshPublicKey: ssh-rsa...
> userPassword: {SSHA}...
> shadowExpire: 99999
> host: * (or host: <hostname>)
>
> The first thing I stumbled upon was the fact that I had to escape the "*"
> twice

No surprise, as '\' is also the escape char for slapd.conf(5), so you need
to escape it twice to make one '\' appear in the string that will be
passed to syncrepl as filter.

> in the syncrepl's filter directive as opposed to only once when using
> ldapsearch.
> But the real troublemaker is the "host: *" part in the above LDIF. When I
> completely remove the "host: *" attribute from a user entry on the master
> it doesn't get deleted on the slave, which on the other hand works
> perfectly fine when removing "host: <hostname>" from an entry. While on
> the other hand modifying "host: *" to something like "host: <not the slave's
> hostname>" the entry gets removed on the slave.
>
> So apparently syncrepl doesn't handle attribute-value pairs of the type
> <attribute>=* properly if used in a syncrepl filter directive.

As I said, I need to check.  Stay tuned.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
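As an added illustration of the double-escaping point made in the reply above (example code, not from the thread or from OpenLDAP): a small Python model of the two layers, slapd.conf(5) argument unescaping followed by LDAP filter assertion-value interpretation, run over constructed sample host values. It assumes the filter parser accepts the RFC 2254 style `\*` literal escape alongside RFC 4515 `\XX`, as the poster's ldapsearch test implies; the sample entries and function names are constructed for this example.

```python
import re
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

def slapd_conf_unescape(arg):
    """Layer 1: slapd.conf(5) treats '\\' as an escape for the next character,
    so host=\\\\* in the file reaches the syncrepl directive as host=\\*."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1]); i += 2
        else:
            out.append(arg[i]); i += 1
    return "".join(out)

def parse_assertion(raw):
    """Layer 2: an unescaped '*' in a filter value is a wildcard; '\\XX' (RFC 4515)
    or the older '\\c' form (RFC 2254, what the poster's ldapsearch test relies on)
    yields a literal. Returns ('presence'|'equality'|'substring', regex)."""
    chunks, buf, i = [], "", 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if HEX2.fullmatch(pair):
                buf += chr(int(pair, 16)); i += 3
            else:
                buf += raw[i + 1]; i += 2
        elif raw[i] == "*":
            chunks.append(buf); buf = ""; i += 1
        else:
            buf += raw[i]; i += 1
    chunks.append(buf)
    if len(chunks) == 1:
        kind = "equality"
    elif all(c == "" for c in chunks):
        kind = "presence"
    else:
        kind = "substring"
    return kind, re.compile(".*".join(map(re.escape, chunks)), re.IGNORECASE)

# Constructed sample: 'host' value of four master entries (None = attribute absent).
SAMPLE_HOSTS = ["*", "client01", "otherhost", None]

def replicated(conf_value, hosts=SAMPLE_HOSTS):
    """Entries the (host=<conf_value>) item, as typed in slapd.conf, selects."""
    kind, rx = parse_assertion(slapd_conf_unescape(conf_value))
    return kind, [h for h in hosts if h is not None and rx.fullmatch(h)]

if __name__ == "__main__":
    for conf in (r"\\*", r"\*", "client01"):
        print(f"slapd.conf host={conf:<8} ->", replicated(conf))
```

Escaping only once turns the item into a presence test `(host=*)`, so every account carrying any host value would be replicated to the client instead of only the accounts permitted to log in there.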