
Re: Cannot replicate userPassword?



I am using OpenLDAP 2.3.25 (most current in Debian stable).
I tried to follow Quanah's suggestion and added

access to *
       by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
       by * read

on the consumer side, but it didn't change anything. I deleted /var/lib/ldap/* and started slapd, but still:
consumer /etc/ldap# slapcat | grep userPass
consumer /etc/ldap#


I'd hate to leave the commodity of package management by installing the OpenLDAP tarball, but if no other solution is available I will have to...

Thanks for your help so far!

Thomas


Pierangelo Masarati wrote:
> Quanah Gibson-Mount wrote:
>> --On Tuesday, January 01, 2008 7:16 PM +0100 Thomas Kirchtag
>> <tkircht@ipodion.at> wrote:
>>
>>> syncrepl rid=667
>>>         provider=ldaps://ldap.ipodion.at
>>>         type=refreshOnly
>>>         interval=01:00:00:00
>>>         searchbase="dc=int,dc=ipodion,dc=at"
>>>         scope=sub
>>>         schemachecking=on
>>>         bindmethod=simple
>>>         binddn="cn=admin,dc=ipodion,dc=at"
>>>         credentials=<secret>
>>>
>>> access to attrs=userPassword
>>>         by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
>>>         by anonymous auth
>>>         by self write
>>>         by * none
>>
>> Seems clear to me.  It can't write it.  Note that the identity that can
>> write is:
>>
>> by dn="cn=admin,dc=int,dc=ipodion,dc=at" write
>>
>> but syncrepl is acting as:
>>
>> binddn="cn=admin,dc=ipodion,dc=at"
>
> According to the configuration files posted, the user "cn=admin,dc=ipodion,dc=at" is used as binddn by the consumer, but it is the rootdn on the producer, so it can read all values (the real, harmless error is that there's no point in authorizing access for the rootdn: it has unlimited access privileges). Local writes by syncrepl are performed with the local rootdn's identity, so there's no point in authorizing them either.
>
> Right now, I don't seem to be able to find a reason for the incomplete
> replication.  I note that no software version was mentioned, so unless
> the latest is used, there might be already resolved issues.  After
> checking with the configuration files you provided, I note that OpenLDAP
> 2.3.40 correctly replicates userPassword as well as all other attrs.
>
> p.
>
> Ing. Pierangelo Masarati OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati@sys-net.it
> ---------------------------------------



--
=========================================================
iPodion GmbH
Rotensterngasse 20/3
A-1020 Wien, Austria
Mobile: +43-660-216 32 98
Tel.: +43-1-216 32 98-0 mailto:office@iPodion.at
Fax: +43-1-216 32 98-28 http://www.iPodion.at
=========================================================
Note: please take note of my new telephone number: 0660/2163298
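The thread's diagnostic so far is `slapcat | grep userPass` on the consumer, which only shows that no password came across at all. The script below is an added example (it is not from the thread, nor OpenLDAP project code) that makes the same check per entry: it parses a provider export and a consumer export and lists every DN whose userPassword exists on the provider but is absent on the consumer, which is what a monitoring job would want after a syncrepl change. It assumes both exports were produced with `slapcat -l <file>` on the respective host; the two LDIF samples embedded at the bottom are constructed for the demonstration and are not real directory data.

```shell
#!/bin/sh
# Added example, not part of the thread: compare a provider and a consumer
# LDIF export and list every entry whose userPassword exists on the provider
# but is missing on the consumer. Real exports would come from
#   slapcat -l provider.ldif   (run on the provider)
#   slapcat -l consumer.ldif   (run on the consumer)
# The two LDIF samples at the bottom are constructed for this demonstration.

# Emit one "dn<TAB>yes|no" line per LDIF entry, "yes" when the entry carries
# a userPassword attribute. Handles the plain "userPassword:" and base64
# "userPassword::" forms and LDIF continuation lines (leading space) in DNs.
ldif_userpassword_index() {
    awk '
        /^ /      { if (last == "dn") dn = dn substr($0, 2); next }  # wrapped DN
        /^dn::? / { dn = $0; sub(/^dn::? /, "", dn); last = "dn"; next }
        /^$/      { emit(); next }                                   # entry separator
                  { if (tolower($0) ~ /^userpassword::? /) has = 1; last = "attr" }
        END       { emit() }
        function emit() {
            if (dn != "") print dn "\t" (has ? "yes" : "no")
            dn = ""; has = 0; last = ""
        }
    ' "$1"
}

# Print the DNs that have a userPassword on the provider but not on the
# consumer, one per line (empty output means the attribute replicated).
check_userpassword_replication() {
    p=$(mktemp) && c=$(mktemp) || return 1
    ldif_userpassword_index "$1" | awk -F'\t' '$2 == "yes" { print $1 }' | LC_ALL=C sort > "$p"
    ldif_userpassword_index "$2" | awk -F'\t' '$2 == "yes" { print $1 }' | LC_ALL=C sort > "$c"
    LC_ALL=C comm -23 "$p" "$c"      # lines only in the provider list
    rm -f "$p" "$c"
}

# Number of such entries, handy for a monitoring check: 0 means nothing to report.
count_missing_userpassword() {
    check_userpassword_replication "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample exports (not real data). alice and bob both carry a
# password on the provider; on the consumer, bob's entry arrived without it.
PROVIDER_LDIF=$(mktemp)
CONSUMER_LDIF=$(mktemp)
trap 'rm -f "$PROVIDER_LDIF" "$CONSUMER_LDIF"' EXIT

cat > "$PROVIDER_LDIF" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
userPassword: {SSHA}constructed-sample-hash
EOF

cat > "$CONSUMER_LDIF" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLWhhc2g=

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
EOF

echo "entries missing userPassword on the consumer:"
check_userpassword_replication "$PROVIDER_LDIF" "$CONSUMER_LDIF"
```

Because slapcat reads the database directly rather than going through the LDAP protocol, no ACL applies to the exports, so a DN listed by this check is a real replication gap and not an artefact of the reading identity; that is also why comparing exports is a cleaner test than an ldapsearch bound as some user, whose result depends on the `access to attrs=userPassword` rules discussed above.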

