Re: ldaps replication question
>>> wailok tam <wailoktam@yahoo.com> wrote on 26.11.2014 at 07:39 in message
<645659927.713985.1416983965481.JavaMail.yahoo@jws10067.mail.ne1.yahoo.com>:
> Hi, all,
> I cannot get replication to work even though I get no error message. I change a
> record on the Master but when I check it on the slave, it remains unchanged.
> (Is it immediate?)
I can recommend activating these (at least) while you are wondering what's going on:
olcLogLevel: config
olcLogLevel: sync
And don't forget to examine syslog then; every sync-related change to the database is logged there.
> The following command on slave: ldapsearch -x -h [MASTER HOST NAME] -W -D
> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=tam)'
> returns no error message and gives the expected record.
Maybe try this on all your servers and compare the results; if different start with a configuration where all the contextCSNs are identical:
ldapsearch -Y EXTERNAL -H ldapi:/// -b '<your_base>' -s base 'objectClass=dcObject' contextCSN
> I am suspecting I may have screwed up the ssl/tls setting for the slave as I
> don't know what to put there. The master is set to use ssl/tls and it
> communicates fine with the client through the ldaps protocol.
Why not use TLS? These were enough for me:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/.../slapd.key
> Your help is much needed.
> First comes the slapd.conf of the slave (I don't have the lines for ssl certs.
> I just use the ldaps address in the replication directive. Is that enough?):
How should SSL work without certificates? (last comment)
> ### configuration for IER
> ### written by T.Tanaka
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn "cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootpw SLAVEPW
> directory /var/lib/ldap
>
> # Replicas of this database
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index entryCSN,entryUUID eq
> idlcachesize 1000
>
> access to attrs=userPassword
>         by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>         by self write
>         by anonymous auth
>         by * none
>
> access to *
>         by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>         by self write
>         by * read
>
> #loglevel stats sync
> syncrepl rid=001
>         provider=ldaps://mail.ier.hit-u.ac.jp
>         type=refreshAndPersist
>         interval=00:00:05:00
>         searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
>         binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
>         credentials=SLAVEPW
>
> Next comes the slapd.conf of the master:
> ### configuration for IER
> ### written by T.Tanaka
> ### edited by WL.Tam
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> # Allow LDAPv2 client connections. This is NOT the default.
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
> database bdb
> suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
> rootpw MASTERPW
> directory /var/lib/ldap
>
> TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
> TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
> TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
>
> overlay syncprov
> syncprov-checkpoint 50 10
> syncprov-sessionlog 100
>
> # Indices to maintain for this database
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index entryCSN,entryUUID eq
> idlcachesize 1000
>
> access to attrs=userPassword
>         by self write
>         by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>         by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>         by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>         by anonymous auth
>         by * none
>
> access to attrs=SambaLMPassword,SambaNTPassword
>         by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>         by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>         by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>         by self read
>         by anonymous auth
>         by * none
>
> access to *
>         by self write
>         by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
>         by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
>         by * read
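The contextCSN comparison suggested in the reply above, as an added example that is not part of the thread: a POSIX shell script that takes the LDIF written by `ldapsearch ... contextCSN` on each server and reports, per serverID, whether the consumer is behind the provider. The function names, the temporary LDIF files and the CSN values are constructed for this example; the only assumption about the servers is that the same base-scope query was run on both.

```shell
#!/bin/sh
# Added example (not from the thread): compare the contextCSN of a provider
# with that of a consumer, offline, from saved ldapsearch output.
#
# Capture the value on every server with the same query, e.g.
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// \
#       -b 'dc=ier,dc=hit-u,dc=ac,dc=jp' -s base '(objectClass=dcObject)' contextCSN \
#       > provider.ldif
# and pass the files to csn_compare. A CSN has the shape
#   <UTC timestamp>#<change count>#<serverID>#<modifier count>
# so two values for the same serverID compare correctly as plain strings.

# Print every contextCSN value in an LDIF file, one per line, sorted.
# LDIF folds long lines onto continuation lines that start with a space,
# so lines are unfolded before matching. Base64 values ("contextCSN::")
# are not expected for this attribute and are not handled.
csn_extract() {
    awk '
        function flush() {
            if (buf ~ /^contextCSN: /) print substr(buf, 13)
            buf = ""
        }
        /^ /  { buf = buf substr($0, 2); next }
              { flush(); buf = $0 }
        END   { flush() }
    ' "$1" | sort
}

# Compare provider (arg 1) against consumer (arg 2) per serverID.
# Returns 0 and prints "in sync" when every CSN matches, 1 with one line
# per differing serverID otherwise, 2 when the provider output has no CSN.
csn_compare() {
    p=$(csn_extract "$1")
    c=$(csn_extract "$2")
    if [ -z "$p" ]; then
        echo "no contextCSN in provider output"
        return 2
    fi
    if [ "$p" = "$c" ]; then
        echo "in sync"
        return 0
    fi
    printf '%s\n' "$p" | awk -F'#' -v cons="$c" '
        BEGIN {
            n = split(cons, line, "\n")
            for (i = 1; i <= n; i++) { split(line[i], f, "#"); seen[f[3]] = line[i] }
        }
        {
            sid = $3
            if (!(sid in seen))       print "consumer missing sid " sid ": provider=" $0
            else if (seen[sid] == $0) next
            else if (seen[sid] < $0)  print "consumer behind on sid " sid ": provider=" $0 " consumer=" seen[sid]
            else                      print "consumer ahead on sid " sid ": provider=" $0 " consumer=" seen[sid]
        }'
    return 1
}

# Constructed sample output (values invented): the consumer never received
# the change written on the provider on 2014-11-26.
WORK=$(mktemp -d)
PROVIDER_LDIF="$WORK/provider.ldif"
CONSUMER_LDIF="$WORK/consumer.ldif"
cat > "$PROVIDER_LDIF" <<'EOF'
dn: dc=ier,dc=hit-u,dc=ac,dc=jp
contextCSN: 20141126063905.123456Z#000000#000#000000
EOF
cat > "$CONSUMER_LDIF" <<'EOF'
dn: dc=ier,dc=hit-u,dc=ac,dc=jp
contextCSN: 20141125120000.000000Z#000000#000#000000
EOF

if csn_compare "$PROVIDER_LDIF" "$CONSUMER_LDIF"; then
    echo "replication is caught up"
else
    echo "replication is not caught up; check the sync log level output on both sides"
fi
```

A consumer that is "behind" on the provider's serverID has not applied the latest change; a serverID that is missing from the consumer entirely usually means the consumer has never completed a refresh at all, which is the case to look at first in the sync log.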