
Re: OpenLDAP ACLs Question



On Thu, Apr 15, 2010 at 01:18:13PM -0700, Tim Gustafson wrote:

> access to *
>  by dn="uid=replicator,ou=People,dc=bar" read
>  by * break

I assume you are using syncrepl here.

It would be worth checking that the replication process really does
bind as that DN. If it does, then all later access clauses are
irrelevant.

> When replication is *not* working in this set-up, re-starting slapd on 10.0.0.3 and 10.0.0.4 (without changing any ACLs anywhere) causes them to suck down all the updates they missed before.
> 
> Am I misunderstanding the way these ACLs work?  Is there any way that giving READ access to the web server (which it already has by virtue of the user having bound themselves to the LDAP server) should cause replication for 10.0.0.3 and 10.0.0.4 to work again?  Or is this perhaps a bug in the version of slapd (2.3.43; yes I know it's old; it's a vendor package and that's how we roll around here at the moment) that we're running?

This does not sound like an ACL problem to me. I would suggest setting
up a test environment with the latest 2.4.x release to see what
happens.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------