[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Cannot replicate userPassword?

Quanah Gibson-Mount wrote:
> --On Tuesday, January 01, 2008 7:16 PM +0100 Thomas Kirchtag
> <tkircht@ipodion.at> wrote:
>> syncrepl rid=667
>>       provider=ldaps://ldap.ipodion.at
>>       type=refreshOnly
>>       interval=01:00:00:00
>>       searchbase="dc=int,dc=ipodion,dc=at"
>>       scope=sub
>>       schemachecking=on
>>       bindmethod=simple
>>       binddn="cn=admin,dc=ipodion,dc=at"
>>       credentials=<secret>
>> access to attrs=userPassword
>>         by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
>>         by anonymous auth
>>         by self write
>>         by * none
> Seems clear to me.  It can't write it.  Note that the identity that can
> write is:
> by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
> but syncrepl is acting as:
> binddn="cn=admin,dc=ipodion,dc=at"

According to the configuration files posted, the user
"cn=admin,dc=ipodion,dc=at" is used as binddn by the consumer, but it is
the rootdn on the producer, so it can read all values (the real,
harmless error is that there's no point in authorizing access for the
rootdn: it has unlimited access privileges).  Local writes by syncrepl
are performed with the local rootdn's identity, so there's no point in
authorizing them either.

Right now, I don't seem to be able to find a reason for the incomplete
replication.  I note that no software version was mentioned, so unless
the latest is used, there might be already resolved issues.  After
checking with the configuration files you provided, I note that OpenLDAP
2.3.40 correctly replicates userPassword as well as all other attrs.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it