Andrew Findlay <andrew.find...@skills-1st.co.uk> wrote:
>
> Try fixing the RIDs - use small numbers, all different. The exact values are
> not important.
> Also try commenting out the second syncrepl clause until you have the others
> working properly.
> You should be able to merge the first and second clauses as they share a
> search-base.

I did both of them; now the slave configuration looks this way:

---[ slave configuration quotation start ]----------------------------
syncrepl rid=0
  provider=ldap://master.example:389
  starttls=critical
  searchbase="ou=ABC,ou=Sendmail,dc=example"
  bindmethod=simple
  binddn="uid=replABC,ou=repl,dc=example"
  credentials="***"
  tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
  tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
  tls_key=/usr/local/etc/openldap/ssl/ABC.key
  tls_reqcert=try
  type=refreshAndPersist
  retry="60 +"
  logbase="cn=example-accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog

syncrepl rid=1
  provider=ldap://master.example:389
  starttls=critical
  searchbase="ou=People,dc=example"
  bindmethod=simple
  binddn="uid=replABC,ou=repl,dc=example"
  credentials="***"
  filter="(&(objectClass=authorizedServiceObject)(|(authorizedService=m...@foo.bar)(authorizedService=x...@foo.bar)))"
  attrs="cn,entry,entryCSN,entryUUID,o,uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,userPassword,creatorsName,createTimestamp,modifiersName,modifyTimestamp,mail,rfc822MailMember,sn,authorizedService,mu-mailBox"
  tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
  tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
  tls_key=/usr/local/etc/openldap/ssl/ABC.key
  tls_reqcert=try
  type=refreshAndPersist
  retry="60 +"
  logbase="cn=example-accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  syncdata=accesslog
---[ slave configuration quotation end ]----------------------------

I separated the RIDs and even the searchbases, but I can still see complaints in the slapd.log file, though now it is only rid=0 that is complained about, not both of them ...

---[ slave slapd.log quotation start ]--------------------------------
Jun 29 22:45:30 ABC slapd[12593]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
Jun 29 22:45:30 ABC slapd[12593]: do_syncrep2: rid=000 (53) Server is unwilling to perform
Jun 29 22:45:30 ABC slapd[12593]: do_syncrepl: rid=000 rc -2 retrying
---[ slave slapd.log quotation end ]--------------------------------

>
> You may also need to put ACLs on the accesslog database.
>

Is it something like this?

access to dn.children="cn=example-accesslog"
  by dn.children="ou=repl,dc=example" read
  by * break

But doesn't the fact that one replica is working confirm that replication is allowed? I can see the changes for the objects of rid=1.

--
Zeus V. Panchenko
jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC
GMT+2 (EET)
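
The RID advice quoted above (small numbers, all different) and the transport settings in the posted stanzas can be checked mechanically before slapd is restarted. The following is an added example, not part of the original message or of OpenLDAP: `parse_syncrepl` and `lint` are hypothetical names, the sample stanzas are constructed, and comment handling is simplified to lines that start with `#`.

```python
import shlex

# Constructed sample modelled on the stanzas in the message (shortened; the
# duplicate rid and the missing starttls are deliberate so the checks fire).
SAMPLE = """\
syncrepl rid=0
  provider=ldap://master.example:389
  starttls=critical
  tls_reqcert=try
  retry="60 +"
syncrepl rid=0
  provider=ldap://master.example:389
  filter="(&(objectClass=authorizedServiceObject)(uid=*))"
"""

def parse_syncrepl(conf_text):
    """Return one dict per syncrepl directive, joining indented continuation lines."""
    logical = []
    for line in conf_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # slapd.conf continuation line
        else:
            logical.append(line.strip())
    stanzas = []
    for entry in logical:
        words = shlex.split(entry)  # keeps quoted values such as retry="60 +" whole
        if words[0].lower() == "syncrepl":
            stanzas.append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return stanzas

def lint(stanzas):
    """Return findings for rid misuse and for weak transport settings."""
    findings, seen = [], set()
    for s in stanzas:
        rid = s.get("rid", "")
        if not rid.isdigit() or len(rid) > 3:
            findings.append(f"rid={rid!r}: must be a non-negative integer of at most 3 digits")
        elif int(rid) in seen:
            findings.append(f"rid={rid}: already used by another syncrepl clause")
        else:
            seen.add(int(rid))
        if s.get("provider", "").startswith("ldap://") and s.get("starttls") != "critical":
            findings.append(f"rid={rid}: starttls is not critical, session may run without TLS")
        if s.get("tls_reqcert", "demand") != "demand":   # demand is the syncrepl default
            findings.append(f"rid={rid}: tls_reqcert={s['tls_reqcert']} is not demand")
    return findings

print("\n".join(lint(parse_syncrepl(SAMPLE))))
```

To check a real file, pass its contents to `parse_syncrepl` and review whatever `lint` returns.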