
Re: setting rootpw for cn=monitor



On 01/08/2013 05:34 PM, Chris Card wrote:

Hi all,

I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).

I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.

When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:

    dn: olcDatabase={2}monitor,cn=config
    objectClass: olcDatabaseConfig
    olcDatabase: {2}monitor
    olcAddContentAcl: FALSE
    olcLastMod: TRUE
    olcMaxDerefDepth: 15
    olcReadOnly: FALSE
    olcSyncUseSubentry: FALSE
    olcMonitoring: FALSE
    olcRootPW: {SSHA}**************
    olcRootDN: cn=monitor

When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2
I see an error in the slapd log on ldap2 like:

     olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix

Works for me. The error you post occurs when using slapd.conf and setting rootpw before rootdn; when using slapd-config it should never happen because olcRootPW is listed *after* olcRootDN in olcDatabaseConfig, thus processing should always occur in the right order.

No olcSuffix is set for the cn=monitor database in the cn=config, but all the cn=monitor DNs are of the form cn=X,cn=Y,...,cn=monitor,
so it seems that the suffix of the cn=monitor database is effectively cn=monitor.

The suffix of cn=monitor is indeed cn=monitor, and is hardcoded.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
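
Added example, not part of the original message and not OpenLDAP code: a small lint for a slapd.conf-style file that flags the two conditions discussed in this thread, a `rootpw` that appears before `rootdn` in a database section and a `rootdn` that is not under any suffix of that database. The sample configuration, the function names and the simplified parsing (no continuation lines, no escaped commas in DNs) are assumptions made for illustration.

```python
# Constructed slapd.conf sample (not from the thread); password hashes are placeholders.
SAMPLE_CONF = """\
database monitor
rootpw {SSHA}PLACEHOLDER
rootdn cn=monitor

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER
"""

# Per the reply above, the suffix of the monitor database is hardcoded to cn=monitor.
HARDCODED_SUFFIXES = {"monitor": ["cn=monitor"]}

def _norm(dn):
    # Simplified DN normalisation: lower-case, trim spaces, no escaped-comma handling.
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_under(dn, suffix):
    dn, suffix = _norm(dn), _norm(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def lint_rootpw(conf_text):
    """Return (line_no, database_type, problem) for each rootpw line that
    matches one of the two conditions described in the thread."""
    findings, db = [], None
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        # Skip blank lines, comments and continuation lines (simplification).
        if not line.strip() or line[0] in "# \t":
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip().strip('"') if len(fields) > 1 else ""
        if key == "database":
            db = {"type": value.lower(), "rootdn": None,
                  "suffixes": list(HARDCODED_SUFFIXES.get(value.lower(), []))}
        elif db is None:
            continue  # directive in the global section, before any database
        elif key == "suffix":
            db["suffixes"].append(value)
        elif key == "rootdn":
            db["rootdn"] = value
        elif key == "rootpw":
            if db["rootdn"] is None:
                findings.append((line_no, db["type"], "rootpw set before rootdn"))
            elif not any(is_under(db["rootdn"], s) for s in db["suffixes"]):
                findings.append((line_no, db["type"], "rootdn is not under a suffix"))
    return findings

if __name__ == "__main__":
    for finding in lint_rootpw(SAMPLE_CONF):
        print("line %d, database %s: %s" % finding)
```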