
Ldap access lines for replicator



Hi,
 
I've managed to set up slurpd on one of my servers and a slave server on
another one.  The problem I'm having is that the replicator user
(cn=replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za) doesn't seem to be
getting permission to write to the database.

All the data below is for my slave server:

My access lines are as follows:
In slapd.conf:
# Define global ACLs to disable default read access and provide default 
# behaviour for samba/pam use
include         /etc/openldap/slapd.access.conf

# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits dn.exact="cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za"
 size=unlimited
 time=unlimited


In slapd.access.conf:
# The root DIT should be accessible to all clients
access to dn.exact=""
        by * read

# So should the schema
access to dn.subtree="cn=Subschema"
        by * read


access to dn.regex="^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by anonymous auth
        by * none

access to dn.regex="^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by self write
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by anonymous auth
        by * none

access to dn.regex="([^,]*,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="cn=root,$2" write
        by group.expand="cn=Domain Controllers,ou=Group,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by users read
        by anonymous read

# catch-all
access to dn.regex="([^,]*,)?(dc=[^,]+(,dc=[^,]+)*)$"
        by dn.exact,expand="cn=root,$2" write
        by dn.exact,expand="cn=Replicator,ou=People,$2" write
        by * read


## Finished

My error log is as follows (logging 128):

Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access to "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za" "userPassword" requested
Jan 26 09:31:40 hubble slapd[32237]: => dn: [1]
Jan 26 09:31:40 hubble slapd[32237]: => dn: [2] cn=subschema
Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [3] ^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [4] ^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] matched
Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] attr userPassword
Jan 26 09:31:40 hubble slapd[32237]: access_allowed: no res from state (userPassword)
Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: access to entry "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za", attr "userPassword" requested
Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: to value by "", (=0)
Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: self
Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: cn=root,$2
Jan 26 09:31:40 hubble slapd[32237]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access denied by =0

## end of log


Any help would be appreciated :)

Thanks
Nolan
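The rule walk that the trace above performs ([1], [2], [3], [4] ...) can be reproduced offline. The Python below is an added example, not part of the post and not OpenLDAP's own code: it encodes the six access rules from the quoted slapd.access.conf in file order and evaluates them the way slapd's access_allowed does in outline, the first <what> clause that covers the target DN and attribute wins, and inside it the first <who> clause that matches the bind DN decides the access level. dn.regex patterns are matched case-insensitively with an unanchored search, as slapd compiles them, and $2 is taken from the pattern's second capture. The replicator DN and the six rules come from the post; the entries uid=nolan, uid=s1, uid=svc, cn=dc1 and the group-membership dict are constructed for the example, attribute names in attrs= are matched literally (no objectClass expansion for inetOrgPerson), and sets, filters and the entry/children pseudo-attributes are not modeled.

```python
"""First-match model of the slapd ACLs quoted above (added example, not slapd code)."""
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
SUFFIX = r"(dc=[^,]+(,dc=[^,]+)*)$"        # the capture every 'expand' clause reads as $2
PASSWORD_ATTRS = {"sambalmpassword", "sambantpassword", "userpassword",
                  "sambapasswordhistory", "sambapwdlastset"}
REPLICATOR_DN = "cn=replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za"   # DN from the post

# slapd.access.conf rules in file order; the indices line up with the [n] in the trace.
# <who> clauses are (kind, pattern, access level).
RULES = [
    {"dn": ("exact", ""), "attrs": None, "who": [("*", None, "read")]},
    {"dn": ("subtree", "cn=Subschema"), "attrs": None, "who": [("*", None, "read")]},
    {"dn": ("regex", r"^([^,]*,)?ou=exam,ou=People," + SUFFIX), "attrs": PASSWORD_ATTRS,
     "who": [("dn", "cn=root,$2", "write"),
             ("group", "cn=Domain Controllers,ou=Group,$2", "write"),
             ("dn", "cn=Replicator,ou=People,$2", "write"),
             ("anonymous", None, "auth"), ("*", None, "none")]},
    {"dn": ("regex", r"^([^,]*,)+ou=People," + SUFFIX), "attrs": PASSWORD_ATTRS,
     "who": [("self", None, "write"), ("dn", "cn=root,$2", "write"),
             ("group", "cn=Domain Controllers,ou=Group,$2", "write"),
             ("dn", "cn=Replicator,ou=People,$2", "write"),
             ("anonymous", None, "auth"), ("*", None, "none")]},
    {"dn": ("regex", r"([^,]*,)?ou=People," + SUFFIX), "attrs": {"inetorgperson", "mail"},
     "who": [("self", None, "write"), ("dn", "cn=root,$2", "write"),
             ("group", "cn=Domain Controllers,ou=Group,$2", "write"),
             ("dn", "cn=Replicator,ou=People,$2", "write"),
             ("users", None, "read"), ("anonymous", None, "read")]},
    {"dn": ("regex", r"([^,]*,)?" + SUFFIX), "attrs": None,          # catch-all, no attrs=
     "who": [("dn", "cn=root,$2", "write"),
             ("dn", "cn=Replicator,ou=People,$2", "write"),
             ("*", None, "read")]},
]

def normalize(dn):
    """Crude DN normalisation: lower-case, no whitespace around commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def match_what(rule, target_dn):
    """Return the regex captures (a tuple) if the rule's <what> covers target_dn, else None."""
    style, pat = rule["dn"]
    if style == "exact":
        return () if normalize(target_dn) == normalize(pat) else None
    if style == "subtree":
        t, p = normalize(target_dn), normalize(pat)
        return () if t == p or t.endswith("," + p) else None
    # slapd compiles dn.regex with REG_EXTENDED|REG_ICASE and runs an unanchored search
    m = re.search(pat, target_dn, re.IGNORECASE)
    return m.groups() if m else None

def expand(pattern, groups):
    """Substitute $1..$9 with the captures of the <what> regex (empty if absent)."""
    def sub(m):
        i = int(m.group(1)) - 1
        return groups[i] if i < len(groups) and groups[i] else ""
    return re.sub(r"\$(\d)", sub, pattern)

def who_matches(clause, bind_dn, target_dn, groups, members):
    kind, pat, _ = clause
    bound = normalize(bind_dn) if bind_dn else ""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound == ""
    if kind == "users":
        return bound != ""
    if kind == "self":
        return bound != "" and bound == normalize(target_dn)
    if kind == "dn":                       # dn.exact,expand=...
        return bound != "" and bound == normalize(expand(pat, groups))
    if kind == "group":                    # group.expand=..., membership supplied by the caller
        return bound in members.get(normalize(expand(pat, groups)), set())
    raise ValueError("unsupported <who> kind: " + kind)

def access_allowed(rules, bind_dn, target_dn, attr, requested, group_members=None):
    """Return (rule index, deciding <who> clause, granted?) for one access check."""
    members = {normalize(g): {normalize(m) for m in ms}
               for g, ms in (group_members or {}).items()}
    for idx, rule in enumerate(rules, 1):
        groups = match_what(rule, target_dn)
        if groups is None:
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue                       # DN matched but attrs= excludes this attribute
        for clause in rule["who"]:
            if who_matches(clause, bind_dn, target_dn, groups, members):
                return idx, clause, LEVELS[clause[2]] >= LEVELS[requested]
        return idx, None, False            # "no more <who> clauses": deny, no fall-through
    return None, None, False               # nothing matched: implicit 'access to * by * none'

if __name__ == "__main__":
    checks = [("", REPLICATOR_DN, "userPassword", "auth"),            # the bind in the trace
              (REPLICATOR_DN, "uid=nolan,ou=People,dc=ph,dc=sun,dc=ac,dc=za", "userPassword", "write"),
              ("", "uid=svc,ou=Services,dc=ph,dc=sun,dc=ac,dc=za", "userPassword", "read")]
    for bind, target, attr, req in checks:          # uid=nolan and uid=svc are constructed entries
        print(bind or "anonymous", req, target, attr, "->", access_allowed(RULES, bind, target, attr, req))
```

Run against the rules as pasted, the model grants the anonymous auth check on cn=replicator's userPassword at rule [4]'s `by anonymous auth` clause, whereas the trace above stops after `cn=root,$2` with "no more <who> clauses"; listing which clauses each side evaluates is a direct way to find where the running server's configuration diverges from the one pasted. Two other things the walk makes visible: the ou=exam rule has to stay ahead of the ou=People rule, because the `+` in `^([^,]*,)+ou=People,` also matches DNs under ou=exam, and the catch-all carries no attrs= restriction, so for an entry outside ou=People that has a userPassword it grants `by * read` on that attribute.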