Slapd Version: 2.3.25

Perhaps I'm missing something pretty obvious about replicated slapd servers, but I simply cannot get it to work.

My master server has

    replica uri=ldap://titan.ott.precidia.com
            binddn="uid=slapd,ou=Services,dc=precidia"
            bindmethod=simple credentials=secret

My slave server has

    updatedn uid=slapd,ou=Services,dc=precidia
    updateref ldap://tolkien.ott.precidia.com

I've copied the db files by hand and restarted both machines. When I do a password change (via ldappasswd) on the master, I see an attempt to change it on the slave but it fails.

Attached is the slave's log (and the slave's full config file). You can see it connect with a DN of "uid=slapd,ou=Services,dc=precidia" and get authenticated. But then when the modify comes in, it fails with:

    Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] applying none(=0) (stop)
    Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] mask: none(=0)
    Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access denied by none(=0)
    Sep 13 10:44:07 titan slapd[5789]: bdb_modify: modify failed (50)

I'd appreciate any help someone can give me! Thanks!

Brian ( [EMAIL PROTECTED] )
-------------------------------------------------------------------------------
Relationships go through seasons. Winter often comes before Spring.

Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: listen=7, new connection on 12
Sep 13 10:44:07 titan slapd[5789]: daemon: added 12r
Sep 13 10:44:07 titan slapd[5789]: conn=0 fd=12 ACCEPT from IP=10.0.1.2:1067 (IP=0.0.0.0:389)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on:
Sep 13 10:44:07 titan slapd[5789]: 12r
Sep 13 10:44:07 titan slapd[5789]:
Sep 13 10:44:07 titan slapd[5789]: daemon: read activity on 12
Sep 13 10:44:07 titan slapd[5789]: connection_get(12)
Sep 13 10:44:07 titan slapd[5789]: connection_get(12): got connid=0
Sep 13 10:44:07 titan slapd[5789]: connection_read(12): checking for input on id=0
Sep 13 10:44:07 titan slapd[5789]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: do_bind
Sep 13 10:44:07 titan slapd[5789]: >>> dnPrettyNormal: <uid=slapd,ou=Services,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPrettyNormal: <uid=slapd,ou=Services,dc=precidia>, <uid=slapd,ou=services,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: do_bind: version=3 dn="uid=slapd,ou=Services,dc=precidia" method=128
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 BIND dn="uid=slapd,ou=Services,dc=precidia" method=128
Sep 13 10:44:07 titan slapd[5789]: ==> bdb_bind: dn: uid=slapd,ou=Services,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: bdb_dn2entry("uid=slapd,ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x00000001
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x000000a4
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("uid=slapd,ou=services,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x000000a6
Sep 13 10:44:07 titan slapd[5789]: entry_decode: "uid=slapd,ou=Services,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: <= entry_decode(uid=slapd,ou=Services,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: auth access to "uid=slapd,ou=Services,dc=precidia" "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_get: [1] attr userPassword
Sep 13 10:44:07 titan slapd[5789]: access_allowed: no res from state (userPassword)
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: access to entry "uid=slapd,ou=Services,dc=precidia", attr "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: to value by "", (=0)
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: anonymous
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [1] mask: auth(=xd)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: auth access granted by auth(=xd)
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 BIND dn="uid=slapd,ou=Services,dc=precidia" mech=SIMPLE ssf=0
Sep 13 10:44:07 titan slapd[5789]: do_bind: v3 bind: "uid=slapd,ou=Services,dc=precidia" to "uid=slapd,ou=Services,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: conn=0 op=0 p=3
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: err=0 matched="" text=""
Sep 13 10:44:07 titan slapd[5789]: send_ldap_response: msgid=1 tag=97 err=0
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=0 RESULT tag=97 err=0 text=
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on 1 descriptor
Sep 13 10:44:07 titan slapd[5789]: daemon: activity on:
Sep 13 10:44:07 titan slapd[5789]: 12r
Sep 13 10:44:07 titan slapd[5789]:
Sep 13 10:44:07 titan slapd[5789]: daemon: read activity on 12
Sep 13 10:44:07 titan slapd[5789]: connection_get(12)
Sep 13 10:44:07 titan slapd[5789]: connection_get(12): got connid=0
Sep 13 10:44:07 titan slapd[5789]: connection_read(12): checking for input on id=0
Sep 13 10:44:07 titan slapd[5789]: ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=6 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: daemon: select: listen=7 active_threads=0 tvp=NULL
Sep 13 10:44:07 titan slapd[5789]: do_modify
Sep 13 10:44:07 titan slapd[5789]: do_modify: dn (uid=bcwhite,ou=People,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: => get_ctrls
Sep 13 10:44:07 titan slapd[5789]: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
Sep 13 10:44:07 titan slapd[5789]: <= get_ctrls: n=1 rc=0 err=""
Sep 13 10:44:07 titan slapd[5789]: >>> dnPrettyNormal: <uid=bcwhite,ou=People,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPrettyNormal: <uid=bcwhite,ou=People,dc=precidia>, <uid=bcwhite,ou=people,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: >>> dnPretty: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnPretty: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: >>> dnNormalize: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: <<< dnNormalize: <cn=root,dc=precidia>
Sep 13 10:44:07 titan slapd[5789]: modifications:
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: userPassword
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 38
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: entryCSN
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 32
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: modifiersName
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 19
Sep 13 10:44:07 titan slapd[5789]: ^Ireplace: modifyTimestamp
Sep 13 10:44:07 titan slapd[5789]: ^I^Ione value, length 15
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 MOD dn="uid=bcwhite,ou=People,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 MOD attr=userPassword entryCSN modifiersName modifyTimestamp
Sep 13 10:44:07 titan slapd[5789]: slap_global_control: unavailable control: 2.16.840.1.113730.3.4.2
Sep 13 10:44:07 titan slapd[5789]: bdb_modify: uid=bcwhite,ou=People,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: bdb_dn2entry("uid=bcwhite,ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x00000002
Sep 13 10:44:07 titan slapd[5789]: => bdb_dn2id("uid=bcwhite,ou=people,dc=precidia")
Sep 13 10:44:07 titan slapd[5789]: <= bdb_dn2id: got id=0x0000005d
Sep 13 10:44:07 titan slapd[5789]: entry_decode: "uid=bcwhite,ou=People,dc=precidia"
Sep 13 10:44:07 titan slapd[5789]: <= entry_decode(uid=bcwhite,ou=People,dc=precidia)
Sep 13 10:44:07 titan slapd[5789]: bdb_modify_internal: 0x0000005d: uid=bcwhite,ou=People,dc=precidia
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access to "uid=bcwhite,ou=People,dc=precidia" "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_get: [1] attr userPassword
Sep 13 10:44:07 titan slapd[5789]: access_allowed: no res from state (userPassword)
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: access to entry "uid=bcwhite,ou=People,dc=precidia", attr "userPassword" requested
Sep 13 10:44:07 titan slapd[5789]: => acl_mask: to all values by "uid=slapd,ou=services,dc=precidia", (=0)
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: anonymous
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: self
Sep 13 10:44:07 titan slapd[5789]: <= check a_dn_pat: *
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] applying none(=0) (stop)
Sep 13 10:44:07 titan slapd[5789]: <= acl_mask: [3] mask: none(=0)
Sep 13 10:44:07 titan slapd[5789]: => access_allowed: delete access denied by none(=0)
Sep 13 10:44:07 titan slapd[5789]: bdb_modify: modify failed (50)
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: conn=0 op=1 p=3
Sep 13 10:44:07 titan slapd[5789]: send_ldap_result: err=50 matched="" text=""
Sep 13 10:44:07 titan slapd[5789]: send_ldap_response: msgid=2 tag=103 err=50
Sep 13 10:44:07 titan slapd[5789]: conn=0 op=1 RESULT tag=103 err=50 text=

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        2047

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint      512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend        <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this database until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=precidia"

# Where the database file are physically stored for database #1
directory       "/var/lib/slapd"

# Indexing options for database #1
index           objectClass eq
index           cn pres,sub,eq,approx
index           sn pres,sub,eq
index           givenName pres,sub,eq
index           uid pres,sub,eq
index           displayName pres,sub,eq
index           uidNumber eq
index           gidNumber eq
index           memberUid eq
index           sambaSID eq
#index          sambaPrimaryGroups eq
index           sambaDomainName eq
index           default sub

# Save the time that the entry gets modified, for database #1
lastmod         on

# This is only a replica.
updatedn        uid=slapd,ou=Services,dc=precidia
updateref       ldap://tolkien.ott.precidia.com

# password hash algorithm
password-hash   {SSHA}

# Admin (root) access
rootdn          cn=root,dc=precidia
rootpw          {crypt}hidden

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

access to attrs=shadowLastChange
        by self write
        by * read

# Allow the "ldap admin dn" access, but deny everyone else
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
        by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="uid=slapd,ou=Services,dc=precidia" write
        by dn="uid=samba,ou=Services,dc=precidia" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,dc=precidia"
#        by dn="uid=bcwhite,ou=People,dc=precidia" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database       <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"
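
Added example (not part of the original post and not OpenLDAP code): a simplified Python model of how slapd selects an ACL, using the first `access to` rule whose target matches and stopping at its first matching `by` clause. Run against the slave's rules above, it reproduces the `acl_get: [1]` / `acl_mask: [3]` result in the log and compares it with one corrected rule. The tuple layout, `evaluate`, `allowed` and `FIXED_ACLS` are constructs of this example, and only the rules relevant to the failing modify are modelled.

```python
# Simplified model of slapd first-match ACL evaluation (illustrative only).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

REPL_DN = "uid=slapd,ou=services,dc=precidia"    # normalized updatedn from the page
USER_DN = "uid=bcwhite,ou=people,dc=precidia"    # entry being modified in the log

# (what, [(who, level), ...]) in slapd.conf order, reduced to the relevant rules.
PAGE_ACLS = [
    ("userPassword", [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("*", [("dn:" + REPL_DN, "write"), ("*", "read")]),
]

# Corrected form: the replication DN gets write before the catch-all "by * none".
FIXED_ACLS = [
    ("userPassword", [("anonymous", "auth"), ("self", "write"),
                      ("dn:" + REPL_DN, "write"), ("*", "none")]),
] + PAGE_ACLS[1:]


def who_matches(who, bind_dn, target_dn):
    """Match one <who> clause against the normalized bind DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("dn:"):
        return bind_dn == who[3:]
    return False


def evaluate(acls, bind_dn, target_dn, attr):
    """Return (rule_no, by_no, level): first <what> match, then first <who> match."""
    for rule_no, (what, by_clauses) in enumerate(acls, 1):
        if what not in ("*", attr):
            continue
        for by_no, (who, level) in enumerate(by_clauses, 1):
            if who_matches(who, bind_dn, target_dn):
                return rule_no, by_no, level
        return rule_no, 0, "none"    # a rule ends with an implicit "by * none"
    return 0, 0, "none"              # no rule matched at all


def allowed(acls, bind_dn, target_dn, attr, wanted):
    """True if the granted level is at least the level the operation needs."""
    level = evaluate(acls, bind_dn, target_dn, attr)[2]
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

The later `access to *` rule that grants the replication DN write is never consulted for `userPassword`, because evaluation ends inside the first rule that names that attribute.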