
Re: could not config n-way multi-master because insufficient access


On Mon, Jun 7, 2010 at 6:09 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Monday, 7 June 2010 07:10:00 owen nirvana wrote:
> My env is Debian squeeze, OpenLDAP 2.4.17 (from packages.debian.org).
> I created an OpenLDAP server and tried to configure N-Way multi-master
> according to the OpenLDAP Admin Guide.
> I am adding the init.ldif file on the server; the following is its content:
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW: secret
> and I get the error "insufficient access", even if I set "access to * by *
> write" in slapd.conf.

I know that. I want to give the binddn enough privilege.

My binddn is the rootdn, "cn=admin,dc=example,dc=org":

ldapadd -c -D "cn=admin,dc=example,dc=org" -x -w ${rootpw} -f init.ldif

I think the content about n-way configuration in the guide is a howto, but ${passwd} should be replaced by mine.
One of slapd.conf or this ldif is irrelevant. Only one of them can apply at a
time. Please be careful to check how your slapd is being started (e.g. whether
-f or -F flags are passed or not etc.).

> actually, I don't understand what the guide said.

Maybe you need to read the guide more ...

Also, note that it is not a "HOWTO", but documents how various aspects work,
not necessarily just copy-and-paste examples to use without thinking ...

> '''''''''''''
> This sets up the config database:
>      dn: cn=config
>      objectClass: olcGlobal
>      cn: config
>      olcServerID: 1
>
>      dn: olcDatabase={0}config,cn=config
>      objectClass: olcDatabaseConfig
>      olcDatabase: {0}config
>      olcRootPW: secret
> ''''''''''''''''''''''''''''
> The above configuration block could not be imported on my computer, as I
> said at the beginning.
> ''''''''''''''''''''''''''''
> Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc.
>  with your actual ldap urls):
>      dn: cn=config
>      changetype: modify
>      replace: olcServerID
>      olcServerID: 1 $URI1
>      olcServerID: 2 $URI2
>      olcServerID: 3 $URI3
>
>      dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
>      changetype: add
>      objectClass: olcOverlayConfig
>      objectClass: olcSyncProvConfig
>      olcOverlay: syncprov
>
>      dn: olcDatabase={0}config,cn=config
>      changetype: modify
>      add: olcSyncRepl
>      olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config"
>       bindmethod=simple credentials=secret searchbase="cn=config"
>       type=refreshAndPersist retry="5 5 300 5" timeout=1
>      olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config"
>       bindmethod=simple credentials=secret searchbase="cn=config"
>       type=refreshAndPersist retry="5 5 300 5" timeout=1
>      olcSyncRepl: rid=003 provider=$URI3 binddn="cn=config"
>       bindmethod=simple credentials=secret searchbase="cn=config"
>       type=refreshAndPersist retry="5 5 300 5" timeout=1
>      -
>      add: olcMirrorMode
>      olcMirrorMode: TRUE
> ''''''''''''''''''''''''''''

Which DN did you bind as when trying to apply this LDIF? E.g., can you supply
the ldapmodify commandline you used?

Note that according to your back-config extract above, you should have bound as
cn=config, but you need to check whether you are using slapd.conf or back-config
for configuration.

> The configuration block seems to conflict with the former. Why should I write
> "olcServerID: 1 $URI1" into the LDAP server if "olcServerID: 1" is right, and
> why should I not write one entire configuration, but two configuration files
> which seem to conflict with each other?

If you are doing configuration replication, the different servers need to be
able to identify which server ID belongs to them. The means for doing this is
providing the URL, which the server will try and match to one of its
listening addresses (e.g. -h option to slapd).

> I have set up unlimited privilege, so why does the LDAP server report
> "insufficient access"? What privilege should be set?

Probably with good reason, which we can't determine without answers to the
questions above.


Actually, I do dispatch a different serverID to every machine, but

  dn: cn=config
  changetype: modify
  replace: olcServerID
  olcServerID: 1 $URI1
  olcServerID: 2 $URI2
  olcServerID: 3 $URI3

  dn: cn=config
  objectClass: olcGlobal
  cn: config
  olcServerID: 1

In my opinion, the two blocks are two different entries, so why replace with the former after writing the latter into the LDAP server?
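As an added illustration of the two points made in this thread (it is not code from the thread, the Admin Guide or OpenLDAP itself): a node with several `olcServerID: <id> <url>` values works out which ID is its own by matching the URL against its own listeners (the -h option to slapd), and the same per-node LDIF is generated for any number of providers rather than the guide's fixed three. The hostnames and the credentials placeholder are constructed; the URL comparison (scheme, host and port after normalisation) is a simplified model of slapd's behaviour, not slapd's code. Keep in mind, as Buchan notes, that this LDIF targets the config database, so it is applied by binding as that database's rootdn (cn=config in the guide's extract), not as the rootdn of a data database such as cn=admin,dc=example,dc=org.

```python
# Added example: generating an N-way multi-master back-config LDIF and
# resolving which olcServerID belongs to this node.  Hostnames and the
# credentials placeholder are constructed; URL matching is an approximation
# of what slapd does, not its actual implementation.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalise_url(url):
    """Reduce an LDAP URL to (scheme, host, port) so that
    'ldap://ldap1.example.org' and 'LDAP://LDAP1.example.org:389/' compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_server_ids(ldif_values):
    """Parse the values of a multi-valued olcServerID attribute.
    Each value is '<id> <url>', or a bare '<id>' when config is not replicated."""
    ids = []
    for value in ldif_values:
        fields = value.split(None, 1)
        sid = int(fields[0])
        url = fields[1].strip() if len(fields) > 1 else None
        ids.append((sid, url))
    return ids


def local_server_id(server_ids, listen_urls):
    """Return the server ID whose URL matches one of this slapd's listener URLs.
    Raises if none or more than one matches: that is exactly the state in
    which a node cannot tell which ID is its own."""
    listeners = {normalise_url(u) for u in listen_urls}
    matches = [sid for sid, url in server_ids
               if url and normalise_url(url) in listeners]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one matching olcServerID, got {matches}")
    return matches[0]


def nway_config_ldif(server_ids, binddn="cn=config",
                     credentials="REPLACE_WITH_CONFIG_ROOTPW"):
    """Build the LDIF applied to each node: replace olcServerID with the full
    id/url list, add the syncprov overlay on the config database, then add one
    olcSyncRepl consumer per provider plus olcMirrorMode."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcServerID"]
    lines += [f"olcServerID: {sid} {url}" for sid, url in server_ids]
    lines += ["", "dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config",
              "changetype: add", "objectClass: olcOverlayConfig",
              "objectClass: olcSyncProvConfig", "olcOverlay: syncprov", "",
              "dn: olcDatabase={0}config,cn=config", "changetype: modify",
              "add: olcSyncRepl"]
    for sid, url in server_ids:
        lines.append(
            f'olcSyncRepl: rid={sid:03d} provider={url} binddn="{binddn}" '
            f'bindmethod=simple credentials={credentials} searchbase="cn=config" '
            f'type=refreshAndPersist retry="5 5 300 5" timeout=1')
    lines += ["-", "add: olcMirrorMode", "olcMirrorMode: TRUE", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: three providers, run on the node listening on ldap2.
    ids = parse_server_ids(["1 ldap://ldap1.example.org",
                            "2 ldap://ldap2.example.org",
                            "3 ldap://ldap3.example.org"])
    print("this node is serverID",
          local_server_id(ids, ["ldap://ldap2.example.org:389/", "ldapi:///"]))
    print(nway_config_ldif(ids))
```

The generated LDIF is identical on every node; only the listener set differs, which is why the guide has you replace the bare `olcServerID: 1` with the full id/url list instead of keeping a per-node value.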