Re: SyncRepl - no write access
--On Friday, January 07, 2005 3:12 PM +0100 Turbo Fredriksson
<turbo@bayour.com> wrote:
> Quoting Quanah Gibson-Mount <quanah@stanford.edu>:
>> updatedn="cn=Manager,dc=stanford,dc=edu"
> What's this? Is this specified with 'root{dn,pw}' on
> the provider? It exists (with 'userPassword: {xxx}')
> in the DB? Can it be 'kerberized'?
It matches my rootdn on the replica so that the syncRepl thread can make
updates to the database without requiring any ACL permissions to the DB.
> I ask because no matter what I do, the consumer can't
> update its database (it tries to write as anonymous).
> On the provider I kinit as 'ldap/provider' and then I start
> the provider slapd, modify (as myself) an attribute in the
> 'o=Bortheiry,c=SE' object.
> On the consumer I kinit as 'ldap/consumer-1'. After starting
> the consumer slapd, I get the following output (slapd w/ '-d 384'):
This doesn't make any sense, if you are using syncRepl, since the master
doesn't talk to the consumer when using syncRepl. I would hazard a guess
that your mix of slurpd and syncRepl is confusing things.
--Quanah
> CONSUMER
> ----- s n i p -----
> sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
>         ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM
> include /etc/ldap/slapd.access   (http://www.bayour.com/slapd.access.txt)
> access to *
>         by group.base="cn=Replicators,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
>         by dn.exact="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
>         by aci write
> syncrepl rid=1
>         provider=ldaps://pumba.bayour.com
>         type=refreshAndPersist
>         searchbase="c=SE"
>         filter="(objectClass=*)"
>         scope=sub
>         attrs="*"
>         schemachecking=off
>         updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
>         binddn="cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
>         bindmethod=sasl
>         saslmech=GSSAPI
>         realm=BAYOUR.COM
>         authcId=ldap/consumer-1
> updateref ldaps://pumba.bayour.com
> ----- s n i p -----
>> I think you are confused here.
>> Your syncrepl statement is missing the updatedn clause, which I would make
>> the same as your rootdn. This is probably where your issue is coming in
>> from. You also don't need to specify the attrs bit if you want it to do
>> all updates. Also, you are missing all the SASL bind statements. Please
>> look at my syncrepl entry for my replica:
>> syncrepl rid=0
>>         provider=ldap://MASTERALIAS.stanford.edu:389
>>         updatedn="cn=Manager,dc=stanford,dc=edu"
>>         binddn="cn=HOSTNAME,cn=ldap,cn=operational,dc=stanford,dc=edu"
>>         bindmethod=sasl
>>         saslmech=gssapi
>>         searchbase="dc=stanford,dc=edu"
>>         authcId=ldap/HOSTNAME.stanford.edu@stanford.edu
>>         realm=stanford.edu
>>         schemachecking=on
>>         type=refreshAndPersist
>>         retry="60 +"
>> --Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
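As an added example (not code from either poster), a small Python check for the pitfall Quanah describes above: on a syncrepl consumer, the `updatedn` in the syncrepl stanza must be the consumer's own `rootdn` so the replication thread can write without going through the ACLs, while `binddn` is the separate identity used to authenticate to the provider. The slapd.conf fragment inside is constructed for the example, and the parser folds continuation lines (leading whitespace) the way syncrepl stanzas are written.

```python
"""Check a slapd.conf consumer config for the syncrepl updatedn/rootdn mismatch.
Added example, not from the list thread; the sample config below is constructed."""
import re

# Constructed sample: a consumer whose updatedn is the *provider* identity,
# so syncrepl writes are subject to the consumer's ACLs instead of bypassing them.
SAMPLE_SLAPD_CONF = """\
database        bdb
suffix          "c=SE"
rootdn          "cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
syncrepl rid=1
        provider=ldaps://pumba.bayour.com
        type=refreshAndPersist
        searchbase="c=SE"
        updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
        binddn="cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
        bindmethod=sasl
        saslmech=GSSAPI
"""

def _norm_dn(dn):
    # Loose DN comparison: drop quotes, collapse spaces around commas, lower-case.
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"')).lower()

def parse_slapd_conf(text):
    """Fold slapd.conf continuation lines and return (rootdn, syncrepl params)."""
    joined, rootdn, sync = [], None, {}
    for line in text.splitlines():
        if line[:1].isspace() and joined:          # continuation of previous directive
            joined[-1] += " " + line.strip()
        elif line.strip() and not line.startswith("#"):
            joined.append(line.strip())
    for directive in joined:
        if directive.lower().startswith("rootdn"):
            rootdn = directive.split(None, 1)[1]
        elif directive.lower().startswith("syncrepl"):
            for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', directive):
                sync[key.lower()] = val
    return rootdn, sync

def check_updatedn(text):
    """Return a list of problems; an empty list means the pairing is sane."""
    rootdn, sync = parse_slapd_conf(text)
    if rootdn is None or "updatedn" not in sync:
        return ["rootdn or syncrepl updatedn missing"]
    problems = []
    if _norm_dn(sync["updatedn"]) != _norm_dn(rootdn):
        problems.append("updatedn %s is not the consumer rootdn %s" % (sync["updatedn"], rootdn))
    if sync.get("bindmethod", "").lower() == "sasl" and "saslmech" not in sync:
        problems.append("bindmethod=sasl without saslmech")
    return problems
```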