
Re: Replication Problem




Leonard Tulipan wrote:
| Hi!
|
| First off: I am a relative LDAP newbie, so please be gentle.
|
| I managed to change an existing LDAP configuration to do replication.
| Both "server" and "client" are RedHat 7.3 with
| openldap-servers-2.0.27-2.7.3
|
| Now I also need a RedHat 9 machine (with openldap-servers-2.0.27-8 )
| to be a slave.
|
| I copied the entire /etc/openldap and /var/lib/ldap directories with
| rsync to the new machine.

Hopefully your slapd on the slave wasn't running at the time ...

|
| This is the entry in the master slapd.conf (I have a second one right
| before this one - and that one works)
| replica host=epimetheus.intern.mpwi.at:389
|        binddn="cn=Manager,dc=intern,dc=mpwi,dc=at"
|        bindmethod=simple credentials=PASSWORD
|
| The client/slave config looks like this:
|
| ===================
| include         /etc/openldap/schema/core.schema
| include         /etc/openldap/schema/cosine.schema
| include         /etc/openldap/schema/nis.schema
| include         /etc/openldap/schema/inetorgperson.schema
| include         /etc/openldap/schema/samba.3.schema
| include         /etc/openldap/schema/redhat/rfc822-MailMember.schema
| include         /etc/openldap/schema/redhat/autofs.schema
| include         /etc/openldap/schema/redhat/kerberosobject.schema
| include         /etc/openldap/schema/qmail.schema
| include         /etc/openldap/schema/rolodap.schema
| include         /etc/openldap/schema/phpgwaccount.schema
| include         /etc/openldap/schema/phpgwcontact.schema
| loglevel        256
| modulepath     /usr/sbin/openldap
| moduleload     back_ldap.la
| moduleload     back_ldbm.la
| moduleload     back_passwd.la
| moduleload     back_shell.la
|
| access to attr=userpassword
|    by self write
|    by anonymous auth
|    by * none
|
| access to attr=lmpassword
|    by self write
|    by anonymous auth
|    by * none

Most likely this will not do what you want, samba cannot "auth" a user
against openldap with an lmpassword, it must read the password, and then
authenticate the user itself. Also, you most likely need to allow samba
to change the password (unless your users can NTLM in their heads ...).

|
| access to attr=ntpassword
|    by self write
|    by anonymous auth
|    by * none
|

Same applies as to lmpassword.

| access to *
|    by self write
|    by dn=".+" read

Why not use "by users read", it does the same ...

|    by * read
|
| access to attr=ntpassword
|    by self write
|    by anonymous auth
|    by * none
|
| access to *
|    by self write
|    by dn=".+" read
|    by * read
|
| database        ldbm
| suffix          "dc=intern,dc=mpwi,dc=at"
| rootdn          "cn=Manager,dc=intern,dc=mpwi,dc=at"
| rootpw          PASSWORD
| directory       /var/lib/ldap
| index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
| index   cn,mail,surname,givenname                       eq,subinitial

You probably want to index some samba attributes as well, especially
sambaSID

|
| updatedn "cn=Manager,dc=intern,dc=mpwi,dc=at"
| referral master://ldap.intern.mpwi.at

This should be:
updateref "ldap://ldap.intern.mpwi.at";

| Now, whatever that means, when the master server is down, I can still
| browse the working replication, but when I look at this second one it
| ALWAYS needs to connect to the master (hence it is not really a useful
| backup)

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)