2013/5/17 Howard Chu <[email protected]>
> Igor Zinovik wrote:
>
>> Hello.
>>
>> I'm trying to replicate access rules and limits for one of my databases,
>> but with no success:
>>
>> suse:~ # cat olcAccess-syncrepl.ldif
>> dn: olcDatabase={1}mdb,cn=config
>> changetype: modify
>> add: olcSyncrepl
>> olcSyncrepl: {1}rid=002
>>  provider=ldap://ldap1.local
>>  bindmethod=simple
>>  binddn="cn=admin,cn=config"
>>  credentials="TopSecret"
>>  searchbase="olcDatabase={1}mdb,cn=config"
>>  attrs="olcAccess,olcLimits"
>>  timeout=3
>>  network-timeout=0
>>  starttls=yes
>>  tls_cert="/etc/openldap/ldap.pem"
>>  tls_key="/etc/openldap/ldap.key"
>>  tls_cacert="/etc/ssl/local-ca.pem"
>>  tls_reqcert=demand
>>  tls_crlcheck=none
>>
>> suse:~ # ldapmodify -H ldap://ldap2.local -ZZxWD cn=admin,cn=config -f olcAccess-syncrepl.ldif
>> Enter LDAP Password:
>> modifying entry "olcDatabase={1}mdb,cn=config"
>> ldap_modify: Other (e.g., implementation specific) error (80)
>>         additional info: Base DN "olcAccess,olcLimits" is not within the database naming context
>>
>> slapd-2.4.33 if it matters.
>
> The error message is a bit garbled (obviously the Base DN is wrong) but
> the error is basically correct. You're trying to replicate the wrong thing
> from the wrong place. Setting a syncrepl consumer on the olcDatabase={1}mdb
> database lets you replicate the *content* of that database. To replicate
> the *configuration* of that database your consumer must be set where that
> configuration is stored.
>
> The configuration is stored in olcDatabase={0}config.
Thanks Howard, but I still cannot get things working. Could you explain the
following to me (I read the documentation but it is not clear enough for me to
understand): does the `searchbase' parameter in the olcSyncrepl configuration
statement set the search starting point, or does it just set the database name
(as set in olcSuffix) in which the search is performed?

Here is my configuration provider setup:

ldap1:~ # ldapsearch -H ldap://ldap1.local -LLLZZxWD cn=admin,cn=config -b olcOverlay={0}syncprov,olcDatabase={0}config,cn=config '&'
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Here is my configuration consumer:

ldap2:~ # ldapsearch -H ldap://ldap2.local -LLLZZxWD cn=admin,cn=config -b olcDatabase={0}config,cn=config '&' olcSyncrepl
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none

A bit off-topic: could you guys implement some kind of human-friendly
formatting for long line statements and ACLs? So the previous statement would
look like this when I fetch it from the catalog:

olcSyncrepl: {0}rid=001
  provider=ldap://ldap1.local
  bindmethod=simple
  binddn="cn=admin,cn=config"
  credentials="TopSecret"
  searchbase="cn=config"
  scope=sub
  filter="(olcDatabase={1}mdb)"
  attrs="olcAccess,olcLimits"
  retry="60 +"
  timeout=3
  network-timeout=0
  starttls=yes
  tls_cert="/etc/openldap/ldap.pem"
  tls_key="/etc/openldap/ldap.key"
  tls_cacert="/etc/ssl/local-ca.pem"
  tls_reqcert=demand
  tls_crlcheck=none
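Two things in the thread above are easy to get wrong by eye: reading a long olcSyncrepl value back out of the 76-column LDIF folding that ldapsearch emits, and checking whether a given searchbase actually lies under the suffix of the database the consumer is attached to (the "Base DN ... is not within the database naming context" error). The following is an added example, not code from the thread or from OpenLDAP: it unfolds LDIF continuation lines (RFC 2849 style, a leading single space joins to the previous line), splits the syncrepl parameter string into key/value pairs while honouring the double quotes, checks the searchbase against a suffix with a deliberately simplified DN normalisation, and prints the parameters one per line as the poster asked for. The sample LDIF is constructed to mirror the consumer output shown in the message; function names and the suffix argument are assumptions.

```python
"""Unfold LDIF, parse an olcSyncrepl value into parameters and check that
its searchbase sits under a database suffix.

Added example, not from the original thread or from OpenLDAP. The sample
LDIF below is constructed to mirror the folded ldapsearch output in the
message; function names and the suffix passed in are assumptions.
"""
import re
import shlex

# Constructed sample: ldapsearch output folded per RFC 2849 (continuation
# lines begin with exactly one space).
SAMPLE_LDIF = """dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def get_attr(lines, attr):
    """Return every value of attribute `attr` from unfolded LDIF lines."""
    prefix = attr + ":"
    return [line[len(prefix):].strip() for line in lines if line.startswith(prefix)]


def parse_syncrepl(value):
    """Turn 'rid=001 provider=... binddn="..."' into a dict.

    The {n} ordering prefix that cn=config adds is dropped. shlex handles the
    double-quoted values (which may contain spaces and commas) the way slapd's
    tokenizer does for these parameters.
    """
    value = re.sub(r"^\{\d+\}", "", value)
    params = {}
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError("malformed syncrepl token: %r" % token)
        params[key] = val
    return params


def normalize_dn(dn):
    """Simplified DN normalisation: trim whitespace around RDNs and lower-case.

    Adequate for cn=config style DNs; it ignores case-sensitive attribute
    syntaxes and escaped commas, which a real DN comparison would handle.
    """
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def dn_within(dn, suffix):
    """True if `dn` equals `suffix` or lies somewhere beneath it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def format_syncrepl(params):
    """Render the parameters one per line, re-quoting values that need it."""
    out = []
    for key, val in params.items():
        if val == "" or any(c in val for c in ' ,"('):
            val = '"%s"' % val
        out.append("%s=%s" % (key, val))
    return "\n".join(out)


def check_consumer(ldif_text, suffix):
    """Parse the first olcSyncrepl in `ldif_text`; report whether its
    searchbase is within `suffix` (the consumer database's naming context)."""
    values = get_attr(unfold_ldif(ldif_text), "olcSyncrepl")
    params = parse_syncrepl(values[0])
    return params, dn_within(params["searchbase"], suffix)


if __name__ == "__main__":
    params, ok = check_consumer(SAMPLE_LDIF, "cn=config")
    print(format_syncrepl(params))
    print("searchbase within cn=config:", ok)
```

Run against the constructed sample, the unfolder reassembles tokens that the folding split mid-word (`bind`/`dn=`, `searchbase="cn=con`/`fig"`), and the check reports that `cn=config` is within the `{0}config` database's suffix, whereas the `olcAccess,olcLimits` string from the original error is not a DN under `cn=config` at all.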
