Re: Syncrepl Problems for Attribute-Value Pair host=*

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Monday, December 19, 2005 2:30 PM +0100 Pierangelo Masarati 
<ando@sys-net.it> wrote:

> I have no final answer on your main issue, I need to check; however ...
> (se below)
>
> > I'm having a little syncrepl problem here. OL version is 2.3.13 + bdb
> > 4.2.52 with 4 patches + OL transactions patch (is it still need?).
> > We have a master server filled with mostly POSIX account and group data.

The transactions patch is no longer necessary.


> > I was experimenting to set up a slave slapd on a UNIX client which should
> > only contain POSIX accounts that are actually allowed to login on that
> > client (which is defined through the host attribute).
> >
> > So I set up a syncrepl slapd on that machine with a filter diretive that
> > replicates all posix groups and all accounts which are allowed to login
> > along with the dc's and ou's needed to reflect the posix information
> > apropriately:
> > syncrepl rid=999
> >  provider=ldap://<master ip>
> >  type=refreshAndPersist
> >  interval=00:00:00:10
> >  retry="60 10 300 +"
> >  searchbase="dc=o2online,dc=de"
> >
> > filter="(|(objectclass=dcobject)(objectclass=oragnizationalunit)(objectc
> > lass=posixgroup)(&(objectclass=posixaccount)(host=\\*))(&(objectclass=po
> > sixaccount)(host=<hostname>)))"
>
> ^^^ there's a typo here: s/oragnizationalunit/organizationalunit/
>
> >  scope=sub
> >  attrs="*,+"
> >  schemachecking=on
> >  starttls=critical
> >  binddn="<bind dn>"
> >  credentials=<password>

In addition, there is no need to specify the attrs line here, that is the 
default.  The OpenLDAP documentation is wrong in multiple places, I filed 
an ITS (#4146) on it a while ago, but no one seems inclined to actually fix 
it.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html