[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Incorrect snippet in delta-syncrepl example in admin guide?

wow.  My intention certainly wasn't to insist that my "hack" was the
absolute solution.  Just saying what seemed to work for me... trying to
give ldap admins some information that i thought might lead to a possible
documentation fix.  Guess i was wrong.  Sorry, just trying to help.

And i definitely wasn't trying to teach others how ACLs need to be
configured.  In my email i said stuff like "I might be missing something",
"incase i'm actually on to something", and "fix the documentation if need
be".  These are not the phrases used by someone who's confident with their
"hack" or trying to teach others about ACLs...  (to me anyway).

I understand your sentiment about misleading others with false fixes...
next time i'll add a specific question to the end, such as "what am i
missing?", or "what have i done wrong?"... so that the thread seems
unresolved and give more chance that googler's will read the follow-up

Anyway, thanks for your thorough ACL information... good stuff.  I would
definitely recommend replacing "may need to" with "must" in the following
statement, as you suggested.  "This ACL may need to be merged with other
ACL statements."

TPF Test and Information Development
(845) 433-8129

"Hey!  Lama!  Hey!  How about a little something, you know, for the effort,
you know?"

             <ando@sys-net.it>                                          To 
                                       Brad T                              
             10/04/2008 03:54          Waldorf/Poughkeepsie/IBM@IBMUS      
             AM                                                         cc 
                                       Re: Incorrect snippet in            
                                       delta-syncrepl example in admin     

Brad T Waldorf wrote:
> Hi.
> I used the Delta-syncrepl configuration example from the admin guide
> (http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl) to
> create configuration files for a basic 1 Master, 1 Slave configuration.
> With a populated & functional master, i started the slave and hit this
> error...
> slap_client_connect: URI=ldap://
> DN="cn=user.replicator,ou=people
> ,dc=exampleb,dc=com" ldap_sasl_bind_s failed (49)+
> (The replicator DN couldn't bind.)  In fact, i couldn't execute a basic
> ldapsearch while binding as the replicator DN... kept getting "ldap_bind:
> Invalid credentials (49)".
> Long story short, the fix was to comment out the following ACL statements
> in the master config file ... i could then bind as the replicator DN and
> delta-syncrepl worked...
> # Give the replica DN unlimited read access.
> access to *
>         by dn.base="cn=user.replicator,ou=People,dc=exampleb,dc=com" read
>         by * break

You ACLs are obviously wrong.  The above piece of ACL is intended to
exist along with other rules, otherwise it's useless by itself.  In
fact, in order to check an identity, anonymous must be able to bind, and
thus needs auth permission.  Posting your hack like it were the solution
to a problem is only going to create further confusion in those who
didn't understand the ACL model yet.

A minimal ACL design that allows essential operations including
replication would need:

- let everyone try to auth
- let replication identity read everthing that needs to be replicated
- let others read/write what they are allowed to read


access to attrs=userPassword
             by <replication identity> read
             by * auth

access to <something else>
             by <replication identity> read
             by <others> <as appropriate>

# catchall for what's left
access to *
             by <replication identity> read

As you may see, you need to repeat the "by <replication identity> read"
snippet all times.  So a shortcut is:

access to *
             by <replication identity> read
             by * break

access to attrs=userPassword
             by * auth

access to <something else>
             by <others> <as appropriate>

which means: replication identity can read everything, others don't gain
any privilege; but don't stop evaluating rules, step to the next one for
further permission.

If you don't understand this, please don't try to teach others how ACLs
need to be configured to have replication work as intended.  You removed
from your example the comment "This ACL may need to be merged with other
ACL statements."
(that statement probably needs to be strenghtened, replacing "may" with

Probably this was not your intention, but the consequence is that
googling up "openldap delta-syncrepl access" will likely hit your
message and propagate false information.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it