[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: change syncrepl creds with no restart?



Christopher Wood wrote:
(I'm having trouble finding the answer with Google, so inquiring here. If
you have RTFM urls I will be quite happy indeed.)

It looks like I'm unable to change syncrepl (client) credentials without
restarting slapd. When I tried this I couldn't modify an entry after the
change, with an error message apparently indicating that this was a replicated
consumer. Things went back to multimaster-normal after restarting both slapd's
involved.

My questions (more details are below):

1) Is this intended?


2) Is there something that I can prod slapd with in order to have it
change
syncrepl credentials without restarting slapd?

There's a bit of a glitch here; when you modify the olcSyncrepl attribute, it is internally a delete followed by an add. When the delete occurs, the olcMirrorMode flag is implicitly turned off. (Because it is only allowed to be On for a database that is being replicated.) When the add occurs, the flag is not automatically turned back on.

The solution is to set it explicitly in your LDAPModify request.




(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):

The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.

First I added a new user:

dn: uid=sync,o=base
userPassword:: YmFzZQ==
objectClass: account
objectClass: shadowAccount
uid: sync

Then I gave that user read access to everything:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read
olcAccess: to dn.subtree="ou=groups,o=base" by * read
olcAccess: to dn.subtree="ou=people,o=base" by * read
olcAccess: to * by dn=uid=sync,o=base read

The acls for the o=base tree were then:

olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read
olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read
olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read
olcAccess: {3}to dn.subtree="ou=people,o=base" by * read
olcAccess: {4}to * by dn=uid=sync,o=base read

So I updated the olcSyncrepl rules:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1

However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...

dn: uid=cwood,ou=people,o=base
changetype: modify
add: userPassword
userPassword: fakefakefake

I got this:

modifying entry "uid=cwood,ou=people,o=base"
ldap_modify: Server is unwilling to perform (53)
         additional info: shadow context; no update referral

And this is what turned up in the logs:

Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/