
Re: olcAccess replication - error 80 attributes not within database namespace



2013/5/17 Howard Chu <hyc@symas.com>
Igor Zinovik wrote:
Hello.

I'm trying to replicate access rules and limits for one of my databases, but
with no success:
suse:~ # cat olcAccess-syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {1}rid=002
  provider=ldap://ldap1.local
  bindmethod=simple
  binddn="cn=admin,cn=config"
  credentials="TopSecret"
  searchbase="olcDatabase={1}mdb,cn=config"
  attrs="olcAccess,olcLimits"
  timeout=3
  network-timeout=0
  starttls=yes
  tls_cert="/etc/openldap/ldap.pem"
  tls_key="/etc/openldap/ldap.key"
  tls_cacert="/etc/ssl/local-ca.pem"
  tls_reqcert=demand
  tls_crlcheck=none


suse:~ # ldapmodify -H ldap://ldap2.local -ZZxWD cn=admin,cn=config -f olcAccess-syncrepl.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: Base DN "olcAccess,olcLimits" is not within the database naming context

> slapd-2.4.33 if it matters.

The error message is a bit garbled (obviously the Base DN is wrong) but the error is basically correct. You're trying to replicate the wrong thing from the wrong place. Setting a syncrepl consumer on the olcDatabase={1}mdb database lets you replicate the *content* of that database. To replicate the *configuration* of that database your consumer must be set where that configuration is stored.

The configuration is stored in olcDatabase={0}config.

Thanks Howard, but I still cannot get things working.

Could you explain the following to me (I read the documentation, but it is not clear enough for me to understand):
Does the `searchbase' parameter in the olcSyncrepl configuration statement set the search starting point, or does it set
just a database name (the one set in olcSuffix) where the search is performed?

Here is my configuration provider setup:
ldap1:~ # ldapsearch -H ldap://ldap1.local -LLLZZxWD cn=admin,cn=config -b olcOverlay={0}syncprov,olcDatabase={0}config,cn=config '&'
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Here is my configuration consumer:
ldap2:~ # ldapsearch -H ldap://ldap2.local -LLLZZxWD cn=admin,cn=config -b olcDatabase={0}config,cn=config '&' olcSyncrepl
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none


A bit off topic: could you guys implement some kind of human-friendly formatting for long-line statements and ACLs? So
the previous statement would look like this when I fetch it from the catalog:
olcSyncrepl: {0}rid=001
 provider=ldap://ldap1.local
 bindmethod=simple
 binddn="cn=admin,cn=config"
 credentials="TopSecret"
 searchbase="cn=config"
 scope=sub
 filter="(olcDatabase={1}mdb)"
 attrs="olcAccess,olcLimits"
 retry="60 +"
 timeout=3
 network-timeout=0
 starttls=yes
 tls_cert="/etc/openldap/ldap.pem"
 tls_key="/etc/openldap/ldap.key"
 tls_cacert="/etc/ssl/local-ca.pem"
 tls_reqcert=demand
 tls_crlcheck=none
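As an added example (not from this thread and not OpenLDAP code), here is a small stand-alone Python helper that does three things the discussion above touches on: it undoes the RFC 2849 line folding that makes ldapsearch output hard to read, lists the olcSyncrepl parameters one per line in the style asked for, and applies the "is the searchbase inside the naming context of the database that carries the consumer" check behind the error 80 from the first attempt (cn=config for olcDatabase={0}config, as Howard explained). The sample LDIF is the consumer's value quoted above with the mis-encoded fold spaces restored; the DN comparison is a plain string check, not a full RFC 4514 normalisation, and every function name here is the example's own.

```python
"""Unfold LDIF, list olcSyncrepl parameters one per line, and check that the
searchbase lies inside the naming context of the database holding the consumer.
Helper written for this thread, not OpenLDAP code. Folding per RFC 2849; the DN
check is a plain string comparison, not RFC 4514 normalisation."""
import re
import shlex

# Constructed sample: the consumer's olcSyncrepl as ldapsearch printed it in the
# post, with the mis-encoded fold spaces restored to a single leading space.
FOLDED_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none
"""


def unfold_ldif(text):
    """Return (attribute, value) pairs with RFC 2849 line folding undone.
    A line starting with exactly one space continues the previous line and only
    that space is dropped, so "bind" + " dn=" joins to "binddn=".
    Base64 values ("attr:: ...") are not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, _, value = line.partition(":")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def split_syncrepl(value):
    """Split "{n}rid=... key=value ..." into (n, {key: value}). shlex keeps a
    double-quoted value such as retry="60 +" in one token and drops the quotes."""
    m = re.match(r"\{(\d+)\}(.*)", value, re.S)
    index, body = (int(m.group(1)), m.group(2)) if m else (None, value)
    params = {}
    for tok in shlex.split(body):
        key, _, val = tok.partition("=")
        params[key] = val
    return index, params


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def within_naming_context(base_dn, suffix):
    """True if base_dn is the suffix itself or an entry below it: the property a
    syncrepl searchbase needs relative to the naming context of the database
    carrying the consumer, otherwise slapd rejects the statement."""
    b, s = normalize_dn(base_dn), normalize_dn(suffix)
    return b == s or b.endswith("," + s)


def format_syncrepl(attr, value, indent="    "):
    """Render one parameter per line for reading. The indent is wider than one
    space on purpose: a single leading space is LDIF folding, and RFC 2849 drops
    only that space, so ' provider=...' under 'rid=001' would unfold to
    'rid=001provider=...' with no separator."""
    index, params = split_syncrepl(value)
    rid = params.pop("rid", "")
    head = f"{attr}: " + (f"{{{index}}}" if index is not None else "") + f"rid={rid}"
    body = [f'{indent}{k}="{v}"' if re.search(r"[\s,]", v) else f"{indent}{k}={v}"
            for k, v in params.items()]
    return "\n".join([head] + body)


def consumer_report(ldif_text, consumer_suffix):
    """For every olcSyncrepl value: (rid, params, searchbase_within_suffix)."""
    report = []
    for attr, value in unfold_ldif(ldif_text):
        if attr.lower() != "olcsyncrepl":
            continue
        _, params = split_syncrepl(value)
        ok = within_naming_context(params.get("searchbase", ""), consumer_suffix)
        report.append((params.get("rid"), params, ok))
    return report


if __name__ == "__main__":
    for attr, value in unfold_ldif(FOLDED_LDIF):
        if attr == "olcSyncrepl":
            print(format_syncrepl(attr, value))
    for rid, params, ok in consumer_report(FOLDED_LDIF, "cn=config"):
        print(f"rid={rid}: searchbase {params['searchbase']!r} within cn=config: {ok}")
    # The searchbase from the first attempt is fine once the consumer itself
    # sits on olcDatabase={0}config, whose naming context is cn=config:
    print(within_naming_context("olcDatabase={1}mdb,cn=config", "cn=config"))
```

Run it as-is to see the folded value from the post rendered one parameter per line. The point worth keeping in mind when writing such files by hand is the one in `format_syncrepl`: in LDIF a continuation line keeps everything after its first space, so a multi-line olcSyncrepl value needs two leading spaces (one fold space plus one real separator) if the parameters are to stay separate tokens after unfolding.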