
Re: Incorrect snippet in delta-syncrepl example in admin guide?



Brad T Waldorf wrote:
Hi.

I used the Delta-syncrepl configuration example from the admin guide
(http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl) to
create configuration files for a basic 1 Master, 1 Slave configuration.
With a populated & functional master, I started the slave and hit this
error...

slap_client_connect: URI=ldap://9.57.13.249:389 DN="cn=user.replicator,ou=people,dc=exampleb,dc=com" ldap_sasl_bind_s failed (49)+

(The replicator DN couldn't bind.)  In fact, I couldn't execute a basic
ldapsearch while binding as the replicator DN... kept getting "ldap_bind:
Invalid credentials (49)".


Long story short, the fix was to comment out the following ACL statements in the master config file ... I could then bind as the replicator DN and delta-syncrepl worked...

# Give the replica DN unlimited read access.
access to *
        by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
        by * break

Your ACLs are obviously wrong. The above piece of ACL is intended to exist along with other rules, otherwise it's useless by itself. In fact, in order to check an identity, anonymous must be able to bind, and thus needs auth permission. Posting your hack as if it were the solution to a problem is only going to create further confusion in those who didn't understand the ACL model yet.


A minimal ACL design that allows essential operations including replication would need:

- let everyone try to auth
- let replication identity read everything that needs to be replicated
- let others read/write what they are allowed to read

so:

access to attrs=userPassword
	by <replication identity> read
	by * auth

access to <something else>
	by <replication identity> read
	by <others> <as appropriate>

# catchall for what's left
access to *
	by <replication identity> read

As you may see, you need to repeat the "by <replication identity> read" snippet all times. So a shortcut is:

access to *
	by <replication identity> read
	by * break

access to attrs=userPassword
	by * auth

access to <something else>
	by <others> <as appropriate>

which means: replication identity can read everything, others don't gain any privilege; but don't stop evaluating rules, step to the next one for further permission.

If you don't understand this, please don't try to teach others how ACLs need to be configured to have replication work as intended. You removed from your example the comment "This ACL may need to be merged with other ACL statements." <http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl> (that statement probably needs to be strengthened, replacing "may" with "must").

Probably this was not your intention, but the consequence is that googling up "openldap delta-syncrepl access" will likely hit your message and propagate false information.

p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
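The rule-walking described in the reply above, as an added toy model that is not OpenLDAP code and not part of the original thread: it shows why the guide's snippet on its own leaves anonymous with no auth access on userPassword (so the replicator's bind fails), while the "shortcut" layout grants it. The `by users read` rule on `mail` stands in for `<others> <as appropriate>` and is an assumption.

```python
# Toy model of how slapd walks "access to" directives; not OpenLDAP code and
# it ignores most of the real ACL syntax.  A directive is
# (target, [(who, level, control), ...]); target is "*" or an attribute name,
# who is "*", "users", "anonymous" or a dn.base clause.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def who_matches(who, subject):
    if who == "*":
        return True
    if who == "users":                      # any authenticated identity
        return subject != "anonymous"
    return who == subject

def evaluate(acls, subject, target):
    """Access level `subject` gets on `target` under the directive list.

    Directives are tried in order; the first whose target matches is used.
    Inside it the first matching by-clause decides, unless its control is
    "break", which steps on to the next directive instead.  A matching
    directive with no matching by-clause acts as an implicit "by * none".
    """
    for what, clauses in acls:
        if what not in ("*", target):
            continue
        for who, level, control in clauses:
            if who_matches(who, subject):
                if control == "break":
                    break                   # go on to the next directive
                return level
        else:
            return "none"                   # implicit "by * none"
    return "none"

REPL = 'dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com"'

# Only the snippet quoted from the admin guide, with nothing merged around it.
SNIPPET_ALONE = [
    ("*", [(REPL, "read", "stop"), ("*", "none", "break")]),
]

# The "shortcut" layout from the reply; "by users read" on mail is an assumed
# stand-in for "<others> <as appropriate>".
SHORTCUT = [
    ("*", [(REPL, "read", "stop"), ("*", "none", "break")]),
    ("userPassword", [("*", "auth", "stop")]),
    ("mail", [("users", "read", "stop")]),
]

def bind_can_succeed(acls):
    # A simple bind is checked as anonymous and needs auth on userPassword.
    got = evaluate(acls, "anonymous", "userPassword")
    return LEVELS.index(got) >= LEVELS.index("auth")
```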