[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: change syncrepl creds with no restart?



On Thu, Sep 01, 2011 at 12:20:38PM -0700, Howard Chu wrote:
> Christopher Wood wrote:
> >(I'm having trouble finding the answer with Google, so inquiring here. If
> you have RTFM urls I will be quite happy indeed.)
> >
> >It looks like I'm unable to change syncrepl (client) credentials without
> restarting slapd. When I tried this I couldn't modify an entry after the
> change, with an error message apparently indicating that this was a replicated
> consumer. Things went back to multimaster-normal after restarting both slapd's
> involved.
> >
> >My questions (more details are below):
> >
> >1) Is this intended?
> >
> 
> >2) Is there something that I can prod slapd with in order to have it
> >change
> syncrepl credentials without restarting slapd?
> 
> There's a bit of a glitch here; when you modify the olcSyncrepl
> attribute, it is internally a delete followed by an add. When the
> delete occurs, the olcMirrorMode flag is implicitly turned off.
> (Because it is only allowed to be On for a database that is being
> replicated.) When the add occurs, the flag is not automatically
> turned back on.
> 
> The solution is to set it explicitly in your LDAPModify request.

Thank you. Your solution works whether I update olcMirrorMode in
the same ldapmodify request or in a later one.
 
> >
> >
> >
> >(Details caveats: s/${companyname}/base/; munged hostnames too; I have checked that all passwords are the same on the real hosts just like here; I have checked that the syncrepl provider= are correct on the real hosts):
> >
> >The "before" state is me using the olcRootDN for multimaster syncrepl, on the grounds that I wanted to set it up quickly in the lab. Now I want to use a less privileged user. All changes to cn=config were replicated between supplier hosts.
> >
> >First I added a new user:
> >
> >dn: uid=sync,o=base
> >userPassword:: YmFzZQ==
> >objectClass: account
> >objectClass: shadowAccount
> >uid: sync
> >
> >Then I gave that user read access to everything:
> >
> >dn: olcDatabase={1}hdb,cn=config
> >changetype: modify
> >replace: olcAccess
> >olcAccess: to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base by dn=uid=sync,o=base read
> >olcAccess: to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base by dn=uid=sync,o=base read
> >olcAccess: to dn.subtree="ou=groups,o=base" by * read
> >olcAccess: to dn.subtree="ou=people,o=base" by * read
> >olcAccess: to * by dn=uid=sync,o=base read
> >
> >The acls for the o=base tree were then:
> >
> >olcAccess: {0}to dn.subtree="uid=basero,o=base" by anonymous auth by dn=uid=basero,o=base read
> >olcAccess: {1}to attrs="userPassword" by anonymous auth by self read by dn=uid=basero,o=base read
> >olcAccess: {2}to dn.subtree="ou=groups,o=base" by * read
> >olcAccess: {3}to dn.subtree="ou=people,o=base" by * read
> >olcAccess: {4}to * by dn=uid=sync,o=base read
> >
> >So I updated the olcSyncrepl rules:
> >
> >dn: olcDatabase={1}hdb,cn=config
> >changetype: modify
> >replace: olcSyncRepl
> >olcSyncrepl: rid=003 provider=ldap://ldap-supplier-lab-01 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
> >olcSyncrepl: rid=004 provider=ldap://ldap-supplier-lab-02 binddn="uid=sync,o=base" bindmethod=simple credentials=base searchbase="o=base" type=refreshOnly interval=00:00:00:10 retry="5 5 30 +" timeout=1
> >
> >However, when I attempted to change my password on one of the hosts (using o=base not cn=config)...
> >
> >dn: uid=cwood,ou=people,o=base
> >changetype: modify
> >add: userPassword
> >userPassword: fakefakefake
> >
> >I got this:
> >
> >modifying entry "uid=cwood,ou=people,o=base"
> >ldap_modify: Server is unwilling to perform (53)
> >         additional info: shadow context; no update referral
> >
> >And this is what turned up in the logs:
> >
> >Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD dn="uid=cwood,ou=people,o=base"
> >Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 MOD attr=userPassword
> >Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
> >Sep  1 11:34:03 ldap-supplier-lab-01 slapd[8549]: conn=42902 op=2 UNBIND
> >
> >
> 
> 
> -- 
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>