On Tue, 27 Feb 2018 09:42:12 +0100, Giuseppe Civitella <gcivite...@enter.eu> wrote:
> Hi all,
>
> I've got a master / slave replica setup. I did use this tutorial to
> set up the replica:
>
> https://wiki.debian.org/LDAP/OpenLDAPSetup
>
> My ldap tree is something like: Root -> o=(first level local branch),
> o=(first level replicated branch).
>
> The local branch is just a cut and paste of the replicated branch.
>
> On the slave server I can use the replicated branch to authenticate
> against a Radius server.
>
> On the master server I realized I cannot let web users authenticate
> against the replicated branch.
>
> If I try to bind as a user from the replicated branch, on both the
> master and the slave, I get:
>
> ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
>
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> On the master, on the local branch, I get:
>
> ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
>
> Enter LDAP Password:
> dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
>
> I did try to configure the ACL on the server to disallow anonymous
> bind.
>
> And, once I found this problem, I did try to create a bind user
> (uid=read_only) able to read the replicated branch, userPassword attrs
> included.
>
> Unfortunately this did not solve the problem.
>
> My ACLs on the master are:
>
> dn: olcDatabase={1}mdb
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=who,dc=is
> olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou=binds,dc=who,dc=is" read
> olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,ou=binds,dc=who,dc=is" read
> olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {3}to attrs=shadowLastChange by self write by * read
> olcAccess: {4}to * by users read
>
> I'm quite new to this kind of setup, is this something to be expected?
> Is there a way to bind directly on the replicated branch?

Run slapd(8) in debug mode acl. Note debugging is not equal to logging!

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
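As an added illustration (not part of the thread and not OpenLDAP's own code), a small Python model of slapd's first-match ACL evaluation run over the olcAccess values quoted above: the first `to` clause matching the target entry and attribute is selected, the first matching `by` clause inside it decides, and if no `by` clause matches the result is `none`. Because a simple bind is performed by a still-anonymous requester who needs `auth` on userPassword, the model reproduces the symptom for the replicated subtree and shows the outcome when the userPassword directive is ordered first; it assumes only the simplified ACL grammar present in the quoted config, and the `-d acl` trace Dieter suggests is what confirms the real evaluation on the server.

```python
import re

# Access levels in increasing order, as slapd compares them
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The master's olcAccess values from the thread, {n} ordering prefixes dropped (constructed input)
THREAD_ACLS = [
    'to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou=binds,dc=who,dc=is" read',
    'to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,ou=binds,dc=who,dc=is" read',
    'to attrs=userPassword by self write by anonymous auth by * none',
    'to attrs=shadowLastChange by self write by * read',
    'to * by users read',
]
# Same directives with the userPassword rule moved ahead of the subtree rules
FIXED_ACLS = [THREAD_ACLS[2], THREAD_ACLS[0], THREAD_ACLS[1], THREAD_ACLS[3], THREAD_ACLS[4]]

def parse(directive):
    """Split 'to <what> by <who> <level> ...' into (<what>, [(<who>, <level>), ...])."""
    what, *bys = re.split(r"\s+by\s+", directive.strip())
    return what[len("to "):].strip(), [tuple(b.rsplit(" ", 1)) for b in bys]

def what_matches(what, entry_dn, attr):
    """Supports the three <what> forms in the quoted config: *, dn.subtree=, attrs=."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.subtree="(.*)"', what)
    if m:  # no attrs= selector: every attribute of a matching entry is covered
        base = m.group(1).lower()
        return entry_dn.lower() == base or entry_dn.lower().endswith("," + base)
    m = re.fullmatch(r"attrs=(.*)", what)
    return attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]

def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous session, otherwise the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    m = re.fullmatch(r'dn="(.*)"', who)
    return requester is not None and requester.lower() == m.group(1).lower()

def granted(acls, requester, entry_dn, attr):
    """First matching <what> wins; within it the first matching <who>; otherwise 'none'."""
    for directive in acls:
        what, bys = parse(directive)
        if what_matches(what, entry_dn, attr):
            return next((lvl for who, lvl in bys if who_matches(who, requester, entry_dn)), "none")
    return "none"

def bind_allowed(acls, user_dn):
    """A simple bind needs at least 'auth' on userPassword for the anonymous requester."""
    return LEVELS.index(granted(acls, None, user_dn, "userPassword")) >= LEVELS.index("auth")
```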