Hello everybody,

I'm trying to start a two-server multimaster installation. OpenLDAP is 2.4.23 built from sources, bdb 4.8.30. Configure options are: --enable-crypt --enable-overlays --enable-ppolicy --enable-memberof (maybe some are unuseful). OS is CentOS 5.5, patched, virtual machines. LDAP servers are addressed by clients through round-robin DNS registration.

Behaviour: when an LDAP user connected to a client tries to change its password through the passwd command, on the LDAP server connected by the client through the DNS name resolution userPassword and shadowLastChange are updated; on the other LDAP server the field userPassword disappears (checked with slapcat). I suppose that this happens because on the userPassword attribute there are ACLs (reported below) that permit only read access to syncuser. In fact, if I change the syncrepl instances and swap syncuser with admin (rootDN), the password change happens successfully and the replica too.

Now the question to the list: if I don't want to have the rootDN used for replication, must I give write permissions to syncuser to guarantee the replica, leaving the "bug" of having a write account's password written in clear text in the config file? Is there a smarter method to reach the goal? I apologize if the solution is written in the documentation, but I've tried to find it without success. Slapd config is still supplied through slapd.conf.

These are the ACLs on the bdb instance on the userPassword and shadowLastChange attributes:

    access to attrs=userPassword
        by dn="cn=admin,dc=somedomain,dc=it" write
        by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
        by anonymous auth
        by self write
        by * none

    access to attrs=shadowLastChange
        by dn="cn=admin,dc=somedomain,dc=it" write
        by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
        by self write
        by * read

syncrepl is configured as follows:

    syncrepl rid=000
        provider=ldap://server1.somedomain.it:389
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc=somedomain,dc=it"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=syncuser,dc=somedomain,dc=it"
        credentials=syncuser_password

    syncrepl rid=001
        provider=ldap://server2.somedomain.it:389
        type=refreshAndPersist
        retry="5 5 300 +"
        searchbase="dc=somedomain,dc=it"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=syncuser,dc=somedomain,dc=it"
        credentials=syncuser_password

    MirrorMode TRUE

Obviously servers are identified as serverID 001 and serverID 002 and both are started to listen only on their FQDN.

Thanks to all for attention and support.

Roberto Nunin
Comifar Service SpA
Italy
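An added check (not from the post or from OpenLDAP) that evaluates slapd.conf ACL stanzas for a given bind DN using slapd's first-matching-`by`-clause rule, fed with a constructed copy of the two stanzas above; it assumes `dn=`/`dn.base=` clauses with no spaces inside the quoted DN. Note that the syncrepl binddn in the post, cn=syncuser,dc=somedomain,dc=it, is not the DN named in the ACL (cn=syncuser,ou=People,...), so on userPassword it falls through to `by * none`, which is consistent with the consumer never receiving that attribute.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order

# Constructed copy of the two ACL stanzas from the post.
ACLS = """
access to attrs=userPassword
  by dn="cn=admin,dc=somedomain,dc=it" write
  by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
  by anonymous auth
  by self write
  by * none
access to attrs=shadowLastChange
  by dn="cn=admin,dc=somedomain,dc=it" write
  by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read
  by self write
  by * read
"""

def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators before comparing DNs."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_acls(text):
    """Return {attr: [(who, level), ...]} preserving the order of the 'by' clauses."""
    rules = {}
    for stanza in re.split(r"\baccess to\b", text):
        m = re.match(r"\s*attrs=(\S+)", stanza)
        if m:
            rules[m.group(1)] = re.findall(r"\bby\s+(\S+)\s+(\w+)", stanza)
    return rules

def access_for(rules, attr, bind_dn, target_dn=None):
    """First matching 'by' clause wins, as in slapd; no match at all means 'none'."""
    for who, level in rules.get(attr, []):
        if who == "*":
            return level
        if who == "anonymous" and not bind_dn:
            return level
        if who == "self" and bind_dn and target_dn and norm_dn(bind_dn) == norm_dn(target_dn):
            return level
        m = re.match(r'dn(?:\.base|\.exact)?="([^"]*)"', who)
        if m and bind_dn and norm_dn(m.group(1)) == norm_dn(bind_dn):
            return level
    return "none"

def unreadable_by(rules, bind_dn):
    """Attributes a syncrepl consumer binding as bind_dn cannot read from the provider."""
    return sorted(a for a in rules
                  if LEVELS.index(access_for(rules, a, bind_dn)) < LEVELS.index("read"))
```

The consumer only needs read access on the provider for every attribute it should replicate; it applies the received changes locally as the database rootdn, so granting write to the replication identity is not what makes replication work.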