Hi, thanks for your answer.
a) It's not the same location, it's /var/lib and /var/lab (yeah, tricky)

b) I tested several possibilities but I didn't manage to make it work. Either the problem stayed the same, or the replication didn't work anymore, or I couldn't access rpuser. I understand that:
- rpuser should have read/write access to its password (to attrs=userPassword by dn="uid=rpuser,dc=foo,dc=bar" write)
- rpuser should have read/write access to all data (to * by dn="uid=rpuser,dc=foo,dc=bar" write)
- other users should have read access to their password (I don't want them to be able to change it by themselves) and anonymous should authenticate (to attrs=userPassword by self read by anonymous auth by * none)
Am I right?

Regards,
Vincent

On 08/01/2020 at 19:13, Quanah Gibson-Mount wrote:
>
> --On Wednesday, January 8, 2020 4:16 PM +0100 Vincent Ducot
> <[email protected]> wrote:
>
>> Hi all,
>> I'm testing multi-master replication between (at least 2) openldap nodes
>> (2.4.45, on Ubuntu 18.04) and facing a problem with replication account.
>
>> Any idea of what could cause this problem ?
>
>> # {1}mdb, config
>> dn: olcDatabase={1}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcMdbConfig
>> olcDatabase: {1}mdb
>> olcDbDirectory: /var/lib/ldap
>> olcSuffix: dc=nodomain
>> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
>> olcAccess: {1}to attrs=shadowLastChange by self write by * read
>> olcAccess: {2}to * by * read
>
>> # {2}mdb, config
>> dn: olcDatabase={2}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcMdbConfig
>> olcDatabase: {2}mdb
>> olcDbDirectory: /var/lab/ldap
>> olcSuffix: dc=foo,dc=bar
>> olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * none
>> olcAccess: {1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none
>> olcAccess: {2}to * by dn="uid=rpuser,dc=foo,dc=bar" read
>> olcAccess: {3}to * by dn="uid=rpuser,dc=foo,dc=bar" write
>
> I see multiple problems with your configuration.
>
> a) You have two different databases storing their DBs in the same
> location (/var/lib/ldap). I can't even imagine the havoc and
> destruction that would cause.
>
> b) Your ACLs are broken. The "rpuser" account has no ability to
> replicate userPassword, since it can't read it. Also, ACLs #2 and #3
> here will never be evaluated, since it's already covered in ACL#1 (by
> users read). Since it can't replicate userPassword, that value is
> getting lost from server#2, explaining why you can't bind to it after
> replication starts.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
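To see why the replication account is denied, here is an added Python sketch (not from the thread, and not OpenLDAP code) that applies slapd's first-match ACL evaluation to the {2}mdb olcAccess rules quoted above. The FIXED_ACLS ordering, the sample entry DN and treating `dn=` as an exact DN match are my assumptions.

```python
import re

# Privilege letters implied by each named access level (slapd.access(5)).
LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
          "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm"}

def parse_acl(rule):
    """Split '{n}to <what> by <who> <access> ...' into (what, [(who, privs), ...])."""
    what, rest = re.match(r"(?:\{\d+\})?to\s+(\S+)\s*(.*)$", rule.strip()).groups()
    # '=xw' sets the privilege set exactly; a bare level name implies all lower levels.
    return what, [(who, set(acc[1:] if acc.startswith("=") else LEVELS[acc]))
                  for who, acc in re.findall(r"by\s+(\S+)\s+(\S+)", rest)]

def who_matches(who, requester, target_dn):
    dn = (requester or "").lower()
    if who in ("anonymous", "users"):    # unbound vs. bound requester
        return (requester is None) == (who == "anonymous")
    if who.startswith("dn="):            # treated as an exact DN match (assumption)
        return dn == who[3:].strip('"').lower()
    if who not in ("*", "self"):
        raise ValueError(f"unsupported <who> clause: {who}")
    return who == "*" or dn == target_dn.lower()

def evaluate(acls, requester, target_dn, attr):
    """First matching <to> wins; its first matching <by> decides. Returns (rule index, privs)."""
    for idx, rule in enumerate(acls):
        what, clauses = parse_acl(rule)
        # Only the '*' and 'attrs=...' <what> forms used in the thread are modelled.
        if what != "*" and attr.lower() not in what.split("=", 1)[1].lower().split(","):
            continue
        for who, privs in clauses:
            if who_matches(who, requester, target_dn):
                return idx, privs
        return idx, set()   # no <by> matched: denied, and later rules are NOT consulted
    return None, set()

# The {2}mdb olcAccess rules quoted in the thread.
PAGE_ACLS = [
    '{0}to attrs=userPassword by self =xw by anonymous auth by * none',
    '{1}to * by dn="cn=admin,dc=foo,dc=bar" write by self write by users read by * none',
    '{2}to * by dn="uid=rpuser,dc=foo,dc=bar" read',
    '{3}to * by dn="uid=rpuser,dc=foo,dc=bar" write',
]
# Assumed rewrite: grant the replication account read inside the userPassword rule itself.
FIXED_ACLS = ['{0}to attrs=userPassword by self =xw by dn="uid=rpuser,dc=foo,dc=bar" read '
              'by anonymous auth by * none'] + PAGE_ACLS[1:2]

def password_access(acls, requester="uid=rpuser,dc=foo,dc=bar", entry="uid=alice,dc=foo,dc=bar"):
    """(index of the deciding rule, whether requester may read userPassword on entry)."""
    idx, privs = evaluate(acls, requester, entry, "userPassword")
    return idx, "r" in privs
```

With PAGE_ACLS, rule {0} decides for rpuser on userPassword and falls through to `by * none`, so rules {2} and {3} are never reached; with FIXED_ACLS the same rule grants read.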
