RE: setting rootpw for cn=monitor




> On 01/08/2013 05:34 PM, Chris Card wrote:
> >
> > Hi all,
> >
> > I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl).
> >
> > I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available.
> >
> > When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like:
> >
> > dn: olcDatabase={2}monitor,cn=config
> > objectClass: olcDatabaseConfig
> > olcDatabase: {2}monitor
> > olcAddContentAcl: FALSE
> > olcLastMod: TRUE
> > olcMaxDerefDepth: 15
> > olcReadOnly: FALSE
> > olcSyncUseSubentry: FALSE
> > olcMonitoring: FALSE
> > olcRootPW: {SSHA}**************
> > olcRootDN: cn=monitor
> >
> > When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2
> > I see an error in the slapd log on ldap2 like:
> >
> > olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix
>
> Works for me. The error you post occurs when using slapd.conf and
> setting rootpw before rootdn; when using slapd-config it should never
> happen because olcRootPW is listed *after* olcRootDN in
> olcDatabaseConfig, thus processing should always occur in the right order.

I have an automated process to build the first LDAP server. There is an initial base slapd.d configuration which is then modified by applying a sequence of LDIF files using ldapmodify.
The rootdn and rootpw for cn=monitor are added using ldapmodify with this LDIF:

dn: olcDatabase={2}monitor,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=Monitor
-
add: olcRootPW
olcRootPW: *******

where the values of olcRootDN and olcRootPW are my "factory settings".

The actual rootpw and rootdn to be used for cn=monitor are then read from a configuration file and applied by a script, which hashes the password using slappasswd and then runs ldapmodify with this LDIF:

dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <hashed password>
-
replace: olcRootDN
olcRootDN: cn=Monitor

Once this has been done, ldapsearch always returns the attributes in the order seen above, olcRootPW before olcRootDN.
Could this influence the order that syncrepl handles the attributes, when the second LDAP server is built?

Chris
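The thread turns on three properties of an olcDatabase entry: that olcRootPW is only accepted when olcRootDN is set and lies under the database suffix, that the password is stored hashed (as slappasswd produces) rather than in cleartext, and the open question of whether olcRootPW appearing before olcRootDN matters. The following is an added example, not code from the thread or from OpenLDAP: a small offline checker that parses a slapd-config entry as exported by ldapsearch and reports these points, plus a generator for a modify LDIF that writes olcRootDN before olcRootPW. It assumes back-monitor's fixed suffix is cn=Monitor (it carries no olcSuffix attribute); the sample entry is constructed from the post with a placeholder hash.

```python
import re

# Constructed sample: the replicated monitor entry from the post, with a
# placeholder in place of the real {SSHA} hash.
SAMPLE_MONITOR_ENTRY = """\
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcRootPW: {SSHA}PLACEHOLDERHASHVALUE
olcRootDN: cn=monitor
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into an ordered list of (attr, value) pairs.
    Folded continuation lines (leading space) are joined; base64 values
    (attr:: ...) are kept as the raw encoded string."""
    pairs = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and pairs:  # continuation of previous value
            attr, val = pairs[-1]
            pairs[-1] = (attr, val + raw[1:])
            continue
        attr, sep, val = raw.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % raw)
        if val.startswith(":"):  # base64-encoded value marker
            val = val[1:]
        pairs.append((attr.strip(), val.strip()))
    return pairs


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under_suffix(dn, suffix):
    """True if dn equals the suffix or is subordinate to it."""
    dn_n, suf_n = normalize_dn(dn), normalize_dn(suffix)
    return dn_n == suf_n or dn_n.endswith("," + suf_n)


def database_suffix(attrs):
    """olcSuffix if present; otherwise cn=Monitor for back-monitor, which has a
    fixed suffix and no olcSuffix attribute (assumption stated in the lead-in)."""
    for attr, val in attrs:
        if attr.lower() == "olcsuffix":
            return val
    for attr, val in attrs:
        if attr.lower() == "olcdatabase" and re.sub(r"^\{\d+\}", "", val).lower() == "monitor":
            return "cn=Monitor"
    return None


def check_root_credentials(ldif_text):
    """Return a list of findings for one olcDatabase entry; an empty list means
    nothing to report. Ordering is reported as a note only, since the thread
    leaves open whether it matters for slapd-config replication."""
    attrs = parse_ldif_entry(ldif_text)
    values = lambda name: [v for a, v in attrs if a.lower() == name.lower()]
    findings = []
    rootpw, rootdn = values("olcRootPW"), values("olcRootDN")
    if rootpw and not rootdn:
        findings.append("olcRootPW set without olcRootDN")
    suffix = database_suffix(attrs)
    if rootdn and suffix and not dn_under_suffix(rootdn[0], suffix):
        findings.append("olcRootDN %s is not under suffix %s" % (rootdn[0], suffix))
    if rootpw and not rootpw[0].startswith("{"):
        findings.append("olcRootPW appears to be cleartext (no {scheme} prefix)")
    order = [a.lower() for a, _ in attrs]
    if "olcrootpw" in order and "olcrootdn" in order and \
            order.index("olcrootpw") < order.index("olcrootdn"):
        findings.append("note: olcRootPW precedes olcRootDN in this entry")
    return findings


def modify_ldif(db_dn, rootdn, hashed_pw):
    """Build an ldapmodify LDIF that replaces olcRootDN before olcRootPW, so the
    DN is in place before the password in a single modify operation.
    hashed_pw is expected to be slappasswd output, never a cleartext value."""
    return "\n".join([
        "dn: %s" % db_dn, "changetype: modify",
        "replace: olcRootDN", "olcRootDN: %s" % rootdn, "-",
        "replace: olcRootPW", "olcRootPW: %s" % hashed_pw, ""])


if __name__ == "__main__":
    for finding in check_root_credentials(SAMPLE_MONITOR_ENTRY):
        print(finding)
    print(modify_ldif("olcDatabase={2}monitor,cn=config", "cn=Monitor",
                      "{SSHA}PLACEHOLDERHASHVALUE"))
```

Run it against `ldapsearch -LLL -b cn=config '(olcDatabase=*)'` output, one entry at a time, to review every database's root credentials on both providers before enabling syncrepl for cn=config.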