Re: Replication and acl: moddn operation problem.

[Konstantin Menshikov]

On 05/29/2012 07:25 PM, Nick Milas wrote:
On 29/5/2012 9:01 πμ, Konstantin Menshikov wrote:
somebody? anybody? 

I would say: if you can use test servers with 2.4.31 and BDB >= 
4.6.21, then you could try to reproduce by doing some experiments 
(moving to branch visible by consumer binddn, moving to branch not 
visible by consumer) and report results with excerpts from the logs.

Nick
Hi.
I try use openldap-server-2.4.31 and db47-4.7.25.4 on FreeBSD 
8.2-RELEASE-p4.
Configufation master and slave attached.
Log fragments also attached.

I try full replication of o=company, but with the help ACL limit access 
of replication binddn only ou=dev,o=company branch.


Testing plan:
move cn=cacti,ou=groups,ou=corp,o=company to 
cn=cacti,ou=groups,ou=dev,o=company.
move group back from dev to corp.

Result:
moving to visible branch (dev): ok.
moving from visible branch to unvisible: error, 
cn=cacti,ou=groups,ou=dev,o=company still exist on slave!

You wrote: "My tests (with v2.4.31 on both provider and consumer) show 
that syncrepl (refreshAndPersist) works correctly when replicating based 
on ACL restrictions. OpenLDAP consumer deletes correctly an entry from a 
branch when the entry is moved to another, invisible by the consumer 
binddn, branch, and it re-creates it correctly when it is moved back to 
a visible (based on ACL) branch."

Please, show your replication setup at which it works correctly.


I fount, that if to add ACL
#access to dn.subtree="o=company" attrs=entry
# by dn.exact="uid=replica,ou=users,o=company" read

moving to unvisible branch working correctly!
That side effect can be?
What level of access allows this ACL?

--
Konstantin Menshikov

ee slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/sudo.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/spamassassin.schema
include         /usr/local/etc/openldap/schema/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/asterisk.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
loglevel        sync stats

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_hdb
#moduleload     back_ldap
#moduleload     back_perl

sizelimit 5000

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read


access to dn.subtree="ou=users,o=company"  attrs=userPassword 
       by anonymous auth

access to dn.base="o=company"
       by dn.exact="uid=replica,ou=users,o=company" read

access to dn.subtree="ou=dev,o=company"
       by dn.exact="uid=replica,ou=users,o=company" read

#access to dn.subtree="o=company" attrs=entry
#       by dn.exact="uid=replica,ou=users,o=company" read

#access to dn="" by * read
#access to dn="cn=Subschema" by * read 

#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# Enable TLS
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/ro.devel.ldap.hostcomm.ru.crt
TLSCertificateKeyFile /etc/ssl/private/ro.devel.ldap.hostcomm.ru.key

# Here, ssf=128 tells OpenLDAP to require 128-bit encryption for all 
connections, both search and update.
security ssf=128
require bind LDAPv3 

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

overlay syncprov

index mailLocalAddress pres,eq
index mail pres,eq,sub
index objectClass eq
index uid eq,sub
index entryUUID eq
index cn eq

database config                                                                 
                                        
rootpw PASSW_FOR_CN=CONFIG
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/corba.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/dyngroup.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/java.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
include         /usr/local/etc/openldap/schema/sudo.schema
include         /usr/local/etc/openldap/schema/samba.schema
include         /usr/local/etc/openldap/schema/spamassassin.schema
include         /usr/local/etc/openldap/schema/openssh-lpk.schema
include         /usr/local/etc/openldap/schema/asterisk.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
loglevel        sync stats

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
moduleload      back_hdb
# moduleload    back_ldap
#moduleload     back_perl

sizelimit 5000

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
#access to dn.base="" by * read
#access to dn.base="cn=Subschema" by * read
#access to dn="" by * read
#access to dn="cn=Subschema" by * read 

#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# Enable TLS
TLSCACertificatePath /etc/ssl/certs
TLSCertificateFile /etc/ssl/certs/ro.devel.ldap.hostcomm.ru.crt
TLSCertificateKeyFile /etc/ssl/private/ro.devel.ldap.hostcomm.ru.key

# Here, ssf=128 tells OpenLDAP to require 128-bit encryption for all 
connections, both search and update.
security ssf=128
require bind LDAPv3 

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "o=company"
rootdn          "cn=ldapadm,o=company"
rootpw          password
directory       /var/db/openldap-data/o=company

index mailLocalAddress pres,eq
index mail pres,eq,sub
index objectClass eq
index uid eq,sub
index entryUUID eq
index cn eq

syncrepl rid=001
                provider=ldap://ro1.devel.ldap.hostcomm.ru:389
                type=refreshAndPersist
                retry="5 10 300 +"
                searchbase="o=company"
        scope=sub
        schemachecking=off
                starttls=critical
                bindmethod=simple
                tls_reqcert=never
                binddn="uid=replica,ou=users,o=company"
                credentials="password"

database config                                                                 
                                        
rootpw PASSW_FOR_CN=CONFIG
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 fd=9 ACCEPT from 
IP=10.14.10.194:58963 (IP=0.0.0.0:389)
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=0 STARTTLS
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=0 RESULT oid= err=0 text=
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 fd=9 TLS established tls_ssf=256 
ssf=256
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=1 BIND 
dn="uid=replica,ou=users,o=company" method=128
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=1 BIND 
dn="uid=replica,ou=users,o=company" mech=SIMPLE ssf=0
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=1 RESULT tag=97 err=0 text=
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=2 SRCH base="o=company" scope=2 
deref=0 filter="(objectClass=*)"
Jun 20 11:29:27 ro1 slapd[12866]: conn=1005 op=2 SRCH attr=* +
Jun 20 11:29:27 ro1 slapd[12866]: syncprov_search_response: 
cookie=rid=001,csn=20120620112919.905327Z#000000#000#000000
Jun 20 11:29:38 ro1 slapd[12866]: conn=1003 op=28 MODRDN 
dn="cn=cacti,ou=groups,ou=corp,o=company"
Jun 20 11:29:38 ro1 slapd[12866]: slap_queue_csn: queing 0x7fffff3fd1d0 
20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro1 slapd[12866]: conn=1003 op=28 RESULT tag=109 err=0 text=
Jun 20 11:29:38 ro1 slapd[12866]: slap_graduate_commit_csn: removing 
0x8019c2190 20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro1 slapd[12866]: syncprov_sendresp: 
cookie=rid=001,csn=20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro1 slapd[12866]: conn=1003 op=29 SRCH 
base="cn=cacti,ou=groups,ou=dev,o=company" scope=0 deref=0 
filter="(objectClass=*)"
Jun 20 11:29:38 ro1 slapd[12866]: conn=1003 op=29 SRCH attr=hasSubordinates 
objectClass
Jun 20 11:29:38 ro1 slapd[12866]: conn=1003 op=29 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=30 MODRDN 
dn="cn=cacti,ou=groups,ou=dev,o=company"
Jun 20 11:29:46 ro1 slapd[12866]: slap_queue_csn: queing 0x7fffff3fd1d0 
20120620112946.619489Z#000000#000#000000
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=30 RESULT tag=109 err=0 text=
Jun 20 11:29:46 ro1 slapd[12866]: slap_graduate_commit_csn: removing 
0x8019c29d0 20120620112946.619489Z#000000#000#000000
Jun 20 11:29:46 ro1 slapd[12866]: syncprov_sendresp: 
cookie=rid=001,csn=20120620112946.619489Z#000000#000#000000
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=31 SRCH 
base="cn=cacti,ou=groups,ou=corp,o=company" scope=0 deref=0 
filter="(objectClass=*)"
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=31 SRCH attr=hasSubordinates 
objectClass
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=31 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=32 SRCH 
base="ou=groups,ou=dev,o=company" scope=1 deref=3 filter="(objectClass=*)"
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=32 SRCH attr=hasSubordinates 
objectClass
Jun 20 11:29:46 ro1 slapd[12866]: conn=1003 op=32 SEARCH RESULT tag=101 err=0 
nentries=0 text=
Jun 20 11:29:27 ro2 slapd[14237]: @(#) $OpenLDAP: slapd 2.4.31 (May  4 2012 
15:09:01) $     
r...@tinderbox.host:/work/a/ports/net/openldap24-server/work/openldap-2.4.31/servers/slapd
Jun 20 11:29:27 ro2 slapd[14238]: hdb_db_open: warning - no DB_CONFIG file 
found in directory /var/db/openldap-data/o=company: (2). Expect poor 
performance for suffix "o=company".
Jun 20 11:29:27 ro2 slapd[14238]: slapd starting
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_message_to_entry: rid=001 DN: 
o=company, UUID: 41a9da6c-39db-1031-9236-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 inserted UUID 
41a9da6c-39db-1031-9236-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_search (32)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 o=company
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_add o=company (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_message_to_entry: rid=001 DN: 
ou=dev,o=company, UUID: 6318f12e-39db-1031-9237-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 inserted UUID 
6318f12e-39db-1031-9237-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_search (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 ou=dev,o=company
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_add 
ou=dev,o=company (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_message_to_entry: rid=001 DN: 
ou=groups,ou=dev,o=company, UUID: e29699ec-39db-1031-923a-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 inserted UUID 
e29699ec-39db-1031-923a-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_search (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
ou=groups,ou=dev,o=company
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_add 
ou=groups,ou=dev,o=company (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_message_to_entry: rid=001 DN: 
ou=hosts,ou=dev,o=company, UUID: fcc63502-39db-1031-923b-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 inserted UUID 
fcc63502-39db-1031-923b-a7f15c1ca735
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_search (0)
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 
ou=hosts,ou=dev,o=company
Jun 20 11:29:27 ro2 slapd[14238]: syncrepl_entry: rid=001 be_add 
ou=hosts,ou=dev,o=company (0)
Jun 20 11:29:27 ro2 slapd[14238]: do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - 
REFRESH_DELETE
Jun 20 11:29:27 ro2 slapd[14238]: do_syncrep2: rid=001 
cookie=rid=001,csn=20120620112919.905327Z#000000#000#000000
Jun 20 11:29:27 ro2 slapd[14238]: slap_queue_csn: queing 0x801977640 
20120620112919.905327Z#000000#000#000000
Jun 20 11:29:27 ro2 slapd[14238]: slap_graduate_commit_csn: removing 
0x801977610 20120620112919.905327Z#000000#000#000000
Jun 20 11:29:38 ro2 slapd[14238]: do_syncrep2: rid=001 
cookie=rid=001,csn=20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro2 slapd[14238]: syncrepl_message_to_entry: rid=001 DN: 
cn=cacti,ou=groups,ou=dev,o=company, UUID: 90e9e450-4e80-1031-9b5d-3137231c3ad3
Jun 20 11:29:38 ro2 slapd[14238]: syncrepl_entry: rid=001 
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 20 11:29:38 ro2 slapd[14238]: syncrepl_entry: rid=001 be_search (0)
Jun 20 11:29:38 ro2 slapd[14238]: syncrepl_entry: rid=001 
cn=cacti,ou=groups,ou=dev,o=company
Jun 20 11:29:38 ro2 slapd[14238]: slap_queue_csn: queing 0x801977550 
20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro2 slapd[14238]: slap_graduate_commit_csn: removing 
0x8019eb670 20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro2 slapd[14238]: syncrepl_entry: rid=001 be_add 
cn=cacti,ou=groups,ou=dev,o=company (0)
Jun 20 11:29:38 ro2 slapd[14238]: slap_queue_csn: queing 0x801977550 
20120620112938.558156Z#000000#000#000000
Jun 20 11:29:38 ro2 slapd[14238]: slap_graduate_commit_csn: removing 
0x8019eb5e0 20120620112938.558156Z#000000#000#000000
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 fd=16 ACCEPT from 
IP=10.10.32.66:50899 (IP=0.0.0.0:389)
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=0 STARTTLS
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=0 RESULT oid= err=0 text=
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 fd=16 TLS established tls_ssf=128 
ssf=128
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=1 BIND dn="cn=ldapadm,o=company" 
method=128
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=1 BIND dn="cn=ldapadm,o=company" 
mech=SIMPLE ssf=0
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=1 RESULT tag=97 err=0 text=
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=2 SRCH 
base="ou=groups,ou=dev,o=company" scope=0 deref=3 filter="(objectClass=*)"
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=2 SRCH attr=*
Jun 20 11:30:04 ro2 slapd[14238]: conn=1000 op=2 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Jun 20 11:30:05 ro2 slapd[14238]: conn=1000 op=3 SRCH 
base="ou=groups,ou=dev,o=company" scope=1 deref=3 filter="(objectClass=*)"
Jun 20 11:30:05 ro2 slapd[14238]: conn=1000 op=3 SRCH attr=hasSubordinates 
objectClass
Jun 20 11:30:05 ro2 slapd[14238]: conn=1000 op=3 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Jun 20 11:30:06 ro2 slapd[14238]: conn=1000 op=4 SRCH 
base="ou=groups,ou=dev,o=company" scope=0 deref=3 filter="(objectClass=*)"
Jun 20 11:30:06 ro2 slapd[14238]: conn=1000 op=4 SRCH attr=*
Jun 20 11:30:06 ro2 slapd[14238]: conn=1000 op=4 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Jun 20 11:30:07 ro2 slapd[14238]: conn=1000 op=5 SRCH 
base="cn=cacti,ou=groups,ou=dev,o=company" scope=0 deref=3 
filter="(objectClass=*)"
Jun 20 11:30:07 ro2 slapd[14238]: conn=1000 op=5 SRCH attr=*
Jun 20 11:30:07 ro2 slapd[14238]: conn=1000 op=5 SEARCH RESULT tag=101 err=0 
nentries=1 text=