replication and referral madness

pulling my hair out trying to get everything to work - I guess there's
something not clicking - anyway, RH AS 3 / ldap 2.0.27-11 on two
machines - let's call them thing 1 and thing 2

thing 1 - ldap master - everything works
thing 2 - ldap slave - it seems like everything works but rej file keeps

What is the way to configure?

Thing 2 ACLs - the slave...

access to dn=".*,ou=People,o=Domain,c=US"
        by dn="cn=root,o=Domain,c=US" read
        by dn="cn=admin,o=Domain,c=US" write
        by * auth

access to dn=".*,ou=People,o=Domain,c=US"
        by dn="cn=root,o=Domain,c=US" read
        by dn="cn=admin,o=Domain,c=US" write
        by * read

access to dn=".*,o=Domain,c=US"
        by dn="cn=root,o=Domain,c=US" read
        by dn="cn=admin,o=Domain,c=US" write
        by * read

where cn=admin,o=Domain,c=US is the binddn in the replica section of the

If I use it as per above (and I recognize that the line for
dn="cn=root..." read would be handled 2 steps below but I find it easier
to change to 'write' for testing purposes) - changes made to the master
or slave are indeed made but I get listings in the
/var/lib/ldap/replica/server_port.rej file anyway.

If I change the above 'reads' to 'write' for the dn="cn=root...", then I
don't get rejections.

What I am figuring - is that this setup on thing 2 allows me to have the
local nsswitch/ldap.conf use the rootdn which is only allowed read
access per acl and thus should follow the updateref to the ldap master
for write operations. Samba 3.0 does exactly that - it works. The unix
command of 'passwd some_ldap_user' is where things get goofy and the
updates are obviously tracking the updateref server but still getting
into the rejections. It's making me crazy.

my ldap.conf is included here because it's small and gives some
completeness but I can't see that it's important unless someone wants to
tell me why my logic is faulty...

host linserv1.Domain.com
base o=Domain,c=US
binddn o=Domain,c=US
rootbinddn cn=root,o=Domain,c=US
scope sub
pam_login_attribute uid
pam_filter objectclass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password md5
nss_base_passwd ou=People,o=Domain,c=US?one
nss_base_shadow ou=People,o=Domain,c=US?one
nss_base_group ou=Groups,o=Domain,c=US?one
nss_base_hosts ou=Hosts,o=Domain,c=US?one
ssl start_tls

ps, I was thinking that since this really is a setup problem with
referrals and replication, that this was a fair question to ask.
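An added example (not from the original post): a small script that reads a slurpd reject file like /var/lib/ldap/replica/server_port.rej and summarises which DN, changetype and error each rejected update carries, so the failing ACL or bind can be spotted without reading the file by hand. It assumes the usual slurpd layout, where each rejected replog entry is preceded by an "ERROR: <reason>" line and entries are separated by a blank line; the sample file contents, host name and DNs are constructed.

```python
# Added example: summarise a slurpd reject file (server_port.rej) so the ERROR
# reason, DN and changetype of each rejected update can be seen at a glance.
# Format assumption: each rejected update is a replog entry (replica:, time:,
# dn:, changetype:, then LDIF change lines) preceded by an "ERROR: <reason>"
# line, with a blank line between entries. The sample below is constructed.
from collections import Counter

SAMPLE_REJ = """\
ERROR: Insufficient access
replica: linserv2.Domain.com:389
time: 1104342000.0
dn: uid=jdoe,ou=People,o=Domain,c=US
changetype: modify
replace: userPassword
userPassword: {MD5}XXXXXXXXXXXXXXXXXXXXXX==
-

ERROR: Insufficient access
replica: linserv2.Domain.com:389
time: 1104342060.0
dn: uid=asmith,ou=People,o=Domain,c=US
changetype: modify
replace: shadowLastChange
shadowLastChange: 12782
-

ERROR: No such object
replica: linserv2.Domain.com:389
time: 1104342120.0
dn: uid=ghost,ou=People,o=Domain,c=US
changetype: delete
"""

def parse_rej(text):
    """Return one dict per rejected update: error, replica, dn, changetype, attrs."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("ERROR: "):          # start of a new rejected entry
            cur = {"error": line[7:].strip(), "attrs": []}
            entries.append(cur)
        elif cur is None or not line.strip():   # skip leading junk / separators
            continue
        elif line.startswith("replica: "):
            cur["replica"] = line[9:].strip()
        elif line.startswith("dn: "):
            cur["dn"] = line[4:].strip()
        elif line.startswith("changetype: "):
            cur["changetype"] = line[12:].strip()
        elif line.startswith(("replace: ", "add: ", "delete: ")):
            cur["attrs"].append(line.split(": ", 1)[1].strip())  # touched attrs
    return entries

def summarize(entries):
    """Count rejections per (error, changetype) pair, e.g. for a quick report."""
    return Counter((e["error"], e.get("changetype", "?")) for e in entries)
```

Running parse_rej over the real file and checking the error text against the slave's ACLs for the DN slurpd binds as is the quickest way to tell an access problem from a missing or mismatched entry.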