
Re: ldap slave master relationship



> On the fear of sounding like an idiot, it didn't work. I have the
> following missing in my understanding:
>  >>do both provider and consumer have the same name?
>  >>I'm using ssl start_tls, but the consumer has his cacert that he
> passes to its clients and the provider has his, do I make one cacert
> that will work on both?

I've never configured SSL/TLS for openldap and don't know what
implications or configuration changes are required to use it with
syncrepl. Someone else may be better able to answer this.

>  >>and the binddn "slave_reader" has the bind password in the
> slapd.conf, but the updatedn doesn't, so how is it gonna bind and
> update?

I wondered this myself. I assume that because syncrepl actually runs
inside the server daemon and the updatedn is configured from within the
slapd.conf it's considered safe. So the syncrepl part of the daemon just
uses that as the dn which is making mods for internal calls to check
permissions to modify objects.

If it's not working perhaps you could enable some trace debugging and
send that to the list. "it's not working" doesn't provide a great deal
of information to go off of. It could be SSL related however. You may
need to alter your provider configuration for the provider or
something. 

Do you have at least the master running with clients able to connect etc
using SSL? Perhaps you should break it down. Make sure SSL is configured
and working properly and then set up syncrepl. Or in reverse set up
syncrepl and test it out then enable SSL and realize you'll probably
need to modify the config a little.

Lee

>  >>and I believe this line "limits
> dn.exact="cn=slave_writer,dc=directory,dc=com" size=unlimited
> time=unlimited" doesn't work on my version of openldap
> "openldap      : slapd 2.2.13", does this line matter much or not?
> this is my simple ACL in the master slapd.conf:
> 
> access to *
>   by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
>   by * none break
> access to attr=userPassword
>         by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
>         by self write
>         by anonymous auth
>         by * none
> access to *
>         by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
>         by * read
> 
> and this is the slapd.conf in the slave:
> 
> access to *
>   by dn.exact="cn=writer,dc=yyy,dc=mycompany,dc=com" write stop
>   by * none break
> access to attr=userPassword
>         by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
>         by self write
>         by anonymous auth
>         by * none
> access to *
>         by dn="cn=manager,dc=yyy,dc=mycompany,dc=com" write
>         by * read
> 
> and the Syncrepl in the slave is:
> syncrepl rid=1
>   provider=ldap://zlato.batelco.jo:389
>   type=refreshOnly
>   interval=00:01:00:00
>   searchbase="dc=xxx,dc=mycompany,dc=com"
>   filter="(objectClass=*)"
>   scope=sub
>   attrs="*"
>   schemachecking=off
>   updatedn="cn=writer,dc=yyy,dc=mycompany,dc=com"
>   bindmethod=simple
>   binddn="cn=reader,dc=xxx,dc=mycompany,dc=com"
>   credentials=slave_reader_password
>   starttls=yes
> 
> updateref ldap://xxx.mycompany.com
> 
> I can't seem to make it work?
> Thanks.
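Since much of the thread turns on what the master's ACL actually grants the syncrepl binddn, here is an added example (not from the thread or from OpenLDAP itself) that evaluates those posted ACL lines with slapd's stop/break control semantics. It models only the <who> forms the posted ACL uses, treats dn= like dn.exact=, and the DNs uid=alice and uid=bob are constructed placeholders.

```python
# Evaluates slapd.conf ACLs the way slapd does: first matching 'access to'
# directive, first matching 'by' clause, then its control (stop or break).
import shlex
def parse_acl(text):
    acls = []
    for tok in (shlex.split(line, comments=True) for line in text.splitlines()):
        if tok and tok[0] == "access":          # access to <what>
            acls.append({"what": tok[2], "by": []})
        elif tok and tok[0] == "by":            # by <who> <level> [control]
            acls[-1]["by"].append((tok[1], tok[2], tok[3] if len(tok) > 3 else "stop"))
    return acls

def _who_matches(who, binddn, target_dn):
    # supports the <who> forms used in the thread: *, anonymous, self, dn=, dn.exact=
    # (dn= is treated like dn.exact=, a simplification of slapd's dn styles)
    if who in ("*", "anonymous"):
        return who == "*" or binddn is None
    if binddn is None:
        return False
    want = target_dn if who == "self" else who.split("=", 1)[1]
    return binddn.lower() == want.lower()

def evaluate(acls, binddn, target_dn, attr):
    """Access level binddn (None = anonymous) gets on attr of target_dn."""
    granted = "none"                            # implicit 'access to * by * none'
    for acl in acls:
        if acl["what"] not in ("*", "attr=" + attr):
            continue
        for who, level, ctrl in acl["by"]:
            if not _who_matches(who, binddn, target_dn):
                continue
            granted = level
            if ctrl == "break":
                break                           # keep level, try the next directive
            return granted                      # default control is stop
        else:
            return "none"                       # no <who> matched: implicit 'by * none'
    return granted

# The master's ACL as posted in the thread (the reader used by syncrepl gets 'read stop').
MASTER_ACL = """access to *
  by dn.exact="cn=reader,dc=xxx,dc=mycompany,dc=com" read stop
  by * none break
access to attr=userPassword
  by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
  by self write
  by anonymous auth
  by * none
access to *
  by dn="cn=manager,dc=xxx,dc=mycompany,dc=com" write
  by * read"""
```

Note that the first directive's "read stop" gives the replication reader read access to userPassword as well, which is what lets the consumer receive password hashes; everyone else falls through "none break" to the later directives.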