
Re: Can't replicate using updatedn



At 11:50 AM 1/21/2004, Peter Traub wrote:
>Hello,
>
>I am using OpenLDAP 2.1.25 on RH9 and have been unable to get replication working if I tell the replica directive in the master slapd.conf to connect through the updatedn on the slave server. If I set the updatedn on the slave to the same dn as the rootdn and change the master replica directive accordingly, then it works. However, as the official docs say to avoid doing this, I am attempting to go through a unique updatedn instead. The critical directives from my master slapd.conf are below:

The current guide (for 2.2, the 2.1 guide likely wasn't updated
with this guidance) says that you avoid using the master's rootdn
as the binddn/updatedn for the slave.  The easiest way to follow
this guidance is to simply pick a different DN for the
binddn/updatedn than that used for the master's rootdn, and then
use this binddn/updatedn as the slave's rootdn.

This has the advantage that updatedn will have rootdn access
at the slave (where it needs it).

Of course, this means the master's rootdn won't have rootdn
access at the slave.  Depending on your needs, that could be
an advantage or a disadvantage to you.

>It is my understanding that the credentials that the master uses for the updatedn are the same as the credentials/password for the rootdn on the slave server.

If the rootdn is the updatedn, yes.  But if they differ, as you
have in your slave configuration, then the credentials are (assuming
simple bind) stored in the entry named by the updatedn.

>However, in the replica directive, they are supposed to be given in the clear, even if the rootpw on the slave is encrypted. This is what I have tried, but continue to get the following error from slurpd:
>
>bind to fs01.sm.vindicia.com:389 as cn=fs01_Replicator,dc=vindicia,dc=com (simple)
>request 1 done
>Error: ldap_simple_bind_s for fs01.sm.vindicia.com:389 failed: Invalid credentials

Check the slave's log for details.

>Also, after much reading and searching, I am still confused as to how the TLS directives on the slave should be configured, and what certs or keys, if any, need to be present on the slave for slurpd to work over TLS. I have TLS working successfully on the master server. Any and all help would be greatly appreciated. Many thanks.

Set up the slave for client TLS as you did with the master.
Then configure slurpd (via the master's slapd.conf) to use TLS.

kurt
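A constructed pair of slapd.conf fragments showing the arrangement described in the reply above (a replicator DN distinct from the master's rootdn, reused as the slave's rootdn and updatedn); this is an added example, not configuration from the original thread. The slave host and replicator DN are taken from the post; the passwords, certificate paths and master hostname are placeholders, and the `tls=yes` replica parameter and TLS directive names are assumed and should be checked against slapd.conf(5) for the installed version.

```conf
# --- Master slapd.conf (slurpd reads its replica directives from here) ---
# Constructed example. Continuation lines start with whitespace.
# The credentials are given in the clear; they are the password of the
# entry named by the slave's updatedn/rootdn below, not the master's rootpw.
replica uri=ldap://fs01.sm.vindicia.com:389
        binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
        bindmethod=simple
        credentials=REPLICATOR_PASSWORD_PLACEHOLDER
        tls=yes

# --- Slave slapd.conf on fs01 ---
# Global TLS directives come before any database section. slurpd is the
# TLS client, so the slave needs a server certificate and key (paths are
# placeholders).
TLSCertificateFile      /etc/openldap/certs/fs01-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/fs01-key.pem
TLSCACertificateFile    /etc/openldap/certs/ca.pem

database        bdb
suffix          "dc=vindicia,dc=com"
# The replicator DN is deliberately not the master's rootdn; making it the
# slave's rootdn gives it the unrestricted write access slurpd's updates need.
rootdn          "cn=fs01_Replicator,dc=vindicia,dc=com"
# Hashed form of REPLICATOR_PASSWORD_PLACEHOLDER, generated with slappasswd.
rootpw          {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
updatedn        "cn=fs01_Replicator,dc=vindicia,dc=com"
# Clients that try to write to the slave are referred to the master
# (hostname is a placeholder).
updateref       ldap://master.example.com
```

Because the master's slapd.conf carries the replicator password in the clear, keep that file readable only by the account slapd and slurpd run as; on the slave the same secret exists only in hashed form in rootpw.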