Hi Quanah. Thanks for your reply! I was following this link to configure the provider/consumer: http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php.
Under item "2. Kerberos client install", at the end, I was guided to create a principal starting with ldap/dns02... But... I created 3 principals: host/dns02..., ldap/dns02... and ldaps/dns02...

And under item "8. Provider modifications" I was instructed to map uid=ldap/... to ou=consumers:

# 1.2.1.
add: olcAuthzRegexp
olcAuthzRegexp: uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=consumers,dc=example,dc=com

I deleted the principals host/dns02... and ldaps/dns02... and the replication started to work.

Thanks very much!

Daniel

--
Daniel Lopes de Carvalho
[email protected]
daniellopescarvalho (skype)
19 9357-5618 (claro)
19 8251-6023 (tim)

On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount <[email protected]> wrote:
> --On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho
> <[email protected]> wrote:
>
>> Hi
>>
>> I'm trying to configure two openldap/kerberos servers (provider and
>> consumer), but I'm having some issues with replication. In the LDAP
>> log, I have many entries like this: "slap_access_allowed: search
>> access denied by none(=0)"
>>
>> These messages are related to consumer access to the Kerberos database
>> on the provider, and the kerberos database can't be replicated to the
>> consumer. The other data is replicated normally.
>>
>> These are the ACLs on the provider:
>>
>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>>   by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
>>   by anonymous auth
>>   by * none
>>
>> olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>>   by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write
>>   by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
>>   by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
>>   by * none
>>
>> olcAccess: {2}to attrs=loginShell
>>   by self write
>>   by users read
>>   by * none
>>
>> olcAccess: {3}to dn.base=""
>>   by * read
>>
>> olcAccess: {4}to *
>>   by users read
>>   by * none
>
> This is the entity asking permission:
>
> Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
> "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
> (=0)
>
> This does not match
>
> by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>
> It looks like you put the host entry in the users tree and not the consumer
> tree.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
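As an added illustration (not code from the thread, the guide or OpenLDAP itself), a small Python model of the two checks at play: how the olcAuthzRegexp from the guide maps each principal's SASL/GSSAPI identity, and whether the resulting DN satisfies an ACL `dn.one=` clause like the one on the provider. The regexp matching and DN normalization are simplified approximations of slapd's behaviour, and the identity strings are constructed from the principal names in the thread.

```python
import re

# Constructed from the thread: the olcAuthzRegexp (search pattern, replacement
# template) and the SASL/GSSAPI identities slapd builds for the three principals.
AUTHZ_RULES = [
    (r"uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth",
     "cn=$1,ou=consumers,dc=example,dc=com"),
]
SASL_IDS = {
    "host/dns02":  "uid=host/dns02.example.com,cn=example.com,cn=gssapi,cn=auth",
    "ldap/dns02":  "uid=ldap/dns02.example.com,cn=example.com,cn=gssapi,cn=auth",
    "ldaps/dns02": "uid=ldaps/dns02.example.com,cn=example.com,cn=gssapi,cn=auth",
}
# The identity from the acl_mask log line and the dn.one base from the provider ACL.
LOGGED_BIND_DN = ("uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,"
                  "dc=unisim,dc=cepetro,dc=unicamp,dc=br")
CONSUMERS_BASE = "ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"


def map_authz_identity(sasl_id, rules=AUTHZ_RULES):
    """Approximation of authz-regexp: the first rule whose pattern matches wins,
    and $1..$9 in the template are replaced by the capture groups.
    An identity no rule matches is returned as None (it keeps its raw
    uid=...,cn=auth form in slapd and lands under no mapped tree)."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_id, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def normalize_dn(dn):
    # Case- and whitespace-insensitive comparison; escaped commas are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_one_matches(bind_dn, base):
    """Emulate a 'by dn.one="<base>"' clause: the bind DN must be an immediate
    child of <base>, i.e. everything after its first RDN equals <base>."""
    if "," not in bind_dn:
        return False
    parent = normalize_dn(bind_dn).split(",", 1)[1]
    return parent == normalize_dn(base)


def consumer_acl_allows(sasl_id, base="ou=consumers,dc=example,dc=com"):
    """Would this identity get the read access granted to dn.one="ou=consumers,..."?"""
    mapped = map_authz_identity(sasl_id)
    return mapped is not None and dn_one_matches(mapped, base)
```

Only the ldap/ principal is rewritten into ou=consumers; host/ and ldaps/ never match the pattern, so whatever DN they end up with cannot satisfy the dn.one clause, which is exactly what the acl_mask log line shows.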
