
Re: Can't replicate using updatedn



Hello,

I am also apparently having another small problem now since the rootdn and updatedn on the slave are the same. If I make a modification directly to the slave, it makes the modification on there instead of referring me back to the master (the updateref is set to point to the master). I am guessing this is because it treats the modification as if it were coming from the rootdn rather than the updatedn and consequently doesn't send back the referral. Also, I read in a doc somewhere that readonly should be 'on' on slaves, but this apparently prevents slurpd from writing to the slave as well. Any and all assistance is much appreciated.

Best,

Peter

Peter Traub wrote:

Hi Kurt,

Thank you for the assistance. First off, I got TLS working between the master and slave. Apparently the master had to refer to the ca.key and ca.pem files in all of its slapd.conf TLS entries, even though, after making the CA, I created a local key for the master server and signed it with the CA (was getting unrecognized CA errors when using those keys/certs).

As far as the rootdn being different on the slave than on the master, I am wondering what specific disadvantages that will create if the master cannot have root privilege on the slave? If its only purpose is to update the slave through slurpd, I would think we'll be ok, but am still curious as to where this may be a problem in the future.

Finally, if I store updatedn's credentials in the updatedn directive (assuming I want a different password from the rootdn), would it just look something like this:

updatedn "cn=fs01_Replicator,dc=vindicia,dc=com,credentials=myPassword"

Many thanks once again.

Best,

Peter


Kurt D. Zeilenga wrote:

At 11:50 AM 1/21/2004, Peter Traub wrote:


Hello,

I am using OpenLDAP 2.1.25 on RH9 and have been unable to get replication working if I tell the replica directive in the master slapd.conf to connect through the updatedn on the slave server. If I set the updatedn on the slave to the same dn as the rootdn and change the master replica directive accordingly, then it works. However, as the official docs say to avoid doing this, I am attempting to go through a unique updatedn instead. The critical directives from my master slapd.conf are below:


The current guide (for 2.2, the 2.1 guide likely wasn't updated
with this guidance) says that you avoid using the master's rootdn
as the binddn/updatedn for the slave.  The easiest way to follow
this guidance is to simply pick a different DN for the
binddn/updatedn than that used for the master's rootdn, and then
use this binddn/updatedn as the slave's rootdn.

This has the advantage that updatedn will have rootdn access
at the slave (where it needs it).

Of course, this means the master's rootdn won't have rootdn
access at the slave.  Depending on your needs, that could be
an advantage or a disadvantage to you.



It is my understanding that the credentials that the master uses for the updatedn are the same as the credentials/password for the rootdn on the slave server.


If the rootdn is the updatedn, yes.  But if they differ, as you
have in your slave configuration, then the credentials are (assuming
simple bind) stored in the entry named by the updatedn.



However, in the replica directive, they are supposed to be given in the clear, even if the rootpw on the slave is encrypted. This is what I have tried, but continue to get the following error from slurpd:

bind to fs01.sm.vindicia.com:389 as cn=fs01_Replicator,dc=vindicia,dc=com (simple)
request 1 done
Error: ldap_simple_bind_s for fs01.sm.vindicia.com:389 failed: Invalid credentials


Check the slave's log for details.



Also, after much reading and searching, I am still confused as to how the TLS directives on the slave should be configured, and what certs or keys, if any, need to be present on the slave for slurpd to work over TLS. I have TLS working successfully on the master server. Any and all help would be greatly appreciated. Many thanks.


Set up the slave for client TLS as you did with the master.
Then configure slurpd (via the master's slapd.conf) to use TLS.

kurt
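The layout Kurt recommends (a dedicated replicator DN, different from the master's rootdn, used as both the slave's rootdn and its updatedn, with the clear-text password carried only by the master's replica directive and its hash by the slave's rootpw) and the answer to the updatedn question above, as an added slapd.conf sketch that is not from the thread. The master's URL, the rootpw hashes, the TLS file paths and the starttls option are assumptions.

```conf
# --- master slapd.conf (constructed example, not from the thread) ---
database        bdb
suffix          "dc=vindicia,dc=com"
# The master keeps its own rootdn; it is deliberately NOT reused on the slave.
rootdn          "cn=Manager,dc=vindicia,dc=com"
rootpw          {SSHA}MASTER-HASH-PLACEHOLDER
replogfile      /var/lib/ldap/replog

# slurpd reads this block and binds to the slave as the replicator DN.
# credentials= is the clear-text password, as the thread notes; it is a
# separate replica parameter, not an attribute inside the DN, so writing
# "...,credentials=myPassword" inside updatedn on the slave is not valid.
# starttls=yes is an assumption for "configure slurpd to use TLS".
replica         host=fs01.sm.vindicia.com:389
                starttls=yes
                bindmethod=simple
                binddn="cn=fs01_Replicator,dc=vindicia,dc=com"
                credentials=myPassword

# --- slave (fs01) slapd.conf (constructed example) ---
# Assumed TLS material; paths are placeholders.
TLSCACertificateFile    /etc/openldap/ca.pem
TLSCertificateFile      /etc/openldap/fs01.pem
TLSCertificateKeyFile   /etc/openldap/fs01.key

database        bdb
suffix          "dc=vindicia,dc=com"
# Per Kurt: pick a DN that differs from the master's rootdn and use it as
# BOTH the slave's rootdn and its updatedn, so slurpd's writes arrive with
# root privilege here.  rootpw is the hashed form of the same password the
# master's credentials= gives in clear text; no password goes in updatedn.
rootdn          "cn=fs01_Replicator,dc=vindicia,dc=com"
rootpw          {SSHA}HASH-OF-myPassword-PLACEHOLDER
updatedn        "cn=fs01_Replicator,dc=vindicia,dc=com"
# Clients writing to the slave as any other DN are referred to the master.
updateref       ldap://master.vindicia.example
# readonly is left at its default (off): Peter reports that "readonly on"
# blocks slurpd's own updates as well.
```

Note that, with this layout, a client that binds to the slave as the replicator DN itself is treated as the slave's rootdn and is not referred, which is the behaviour Peter describes at the top of the thread.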