
Re: top-level data entries not replicating, 2.4.15, now 2.4.17



--- On Fri, 8/21/09, Quanah Gibson-Mount <quanah@zimbra.com> wrote:

> From: Quanah Gibson-Mount <quanah@zimbra.com>
> Subject: Re: top-level data entries not replicating, 2.4.15, now 2.4.17
> To: "Brian Neu" <proclivity76@yahoo.com>, openldap-technical@openldap.org
> Date: Friday, August 21, 2009, 12:05 PM
> --On Friday, August 21, 2009 8:52 AM -0700 Brian Neu <proclivity76@yahoo.com> wrote:
> 
> > I really only created the test2 record to find out why the
> > 
> >    sambaDomainName=SRG,dc=srg,dc=com
> > 
> > record wasn't replicating.
> > 
> > This entry won't replicate either, even with a cn attribute . . .
> >    dn:cn=test3,dc=srg,dc=com
> >    objectclass: top
> >    objectclass: person
> >    userpassword:blah
> >    sn:test3
> >    cn:test3
> 
> Please don't top post.
> 
> Your config is a little... odd.  You have per-db
> access rules, and yet you break them like you expect more:
> 
> database    hdb
> suffix        "cn=accesslog"
> ...
> access to *
>     by dn.base="cn=replicator,dc=srg,dc=com" read
>     by * break
> 
> 
> Not that this hurts anything, but it is a weird read.
> 
> Also, I don't see *any* access rules on the main DB. 
> You have:
> 
> database    hdb
> suffix        "dc=srg,dc=com"
> ....
> database monitor
> access to *
>     by dn.exact="cn=Manager,dc=srg,dc=com" write
>     by dn.exact="uid=root,ou=People,dc=srg,dc=com" write
>     by dn.base="cn=replicator,dc=srg,dc=com" read
>     by * break
> 
> 
> Which means you just gave a lot of access to the *monitor*
> database but not your *primary* database.  I suggest you go
> re-read the slapd.access(5) man page.  If you want
> global ACLs, they need to come before any "database xyz"
> line.  If you want per-db ACLs, which I think is what
> you're trying to do, then you need to do them
> *per-db*.  Not the odd acl in accesslog, none in your
> main db, and some for your monitor database.
> 
> 
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and
> collaboration


OK, my sloppy ACL is cleaned up and makes much more sense now -- but the problem remains.  

Attachment: slapd.conf
Description: Binary data
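
Added example, not part of the original thread: a small audit of which section each "access to" directive in a slapd.conf falls under, following the scoping rule described in the quoted reply (global before any "database" line, per-db after it). The sample configuration is constructed from the fragments quoted above, not the poster's actual file, and the function names are hypothetical.

```python
# Constructed sample mirroring the layout quoted in the thread
# (not the poster's actual slapd.conf).
SAMPLE_CONF = '''\
database hdb
suffix "cn=accesslog"
access to *
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break

database hdb
suffix "dc=srg,dc=com"

database monitor
access to *
    by dn.exact="cn=Manager,dc=srg,dc=com" write
    by dn.base="cn=replicator,dc=srg,dc=com" read
    by * break
'''

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop comments."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank lines are ignored
        if raw[0].isspace() and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [line for line in joined if not line.startswith("#")]

def acl_scopes(text):
    """Return sections in file order; the first one is the global scope."""
    sections = [{"scope": "global", "suffix": None, "acls": []}]
    for line in logical_lines(text):
        word, rest = (line.split(None, 1) + [""])[:2]
        if word.lower() == "database":
            # Every "database" line opens a new scope for what follows.
            sections.append({"scope": "database " + rest, "suffix": None, "acls": []})
        elif word.lower() == "suffix":
            sections[-1]["suffix"] = rest.strip('"')
        elif word.lower() == "access":
            sections[-1]["acls"].append(line)
    return sections

def databases_without_acl(text):
    """Suffix (or scope name) of each database with no access directive of its own."""
    return [s["suffix"] or s["scope"] for s in acl_scopes(text)[1:] if not s["acls"]]

print("no per-db access directive:", databases_without_acl(SAMPLE_CONF))
```

On the constructed sample this reports the dc=srg,dc=com database, since the access block that follows it in the file sits under "database monitor".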