Thanks for your assistance, Quanah!

About the userPassword attributes...

On Apache Directory Studio (we only normally use it as a quick visual 
reference)...but we bind both servers as cn=ldapadmin,dc=example,dc=ldap & 
cn=admin,cn=config (plus now uid=replicator,ou=Admins,dc=example,dc=ldap).

I just tested an ldapsearch by binding as the uid=replicator, and the 
userPassword attribute returns when searching for it...though both are 
different from each other (verified with other users "jdoe2" and "jdoe3", etc.).

Supposedly, if I update one server, the other server should update, too.  That 
is, if they are properly talking. Correct?

MM-SERVER1:
# ldapsearch -H ldap://mm-server1.example.ldap -d 256 -D uid=replicator,ou=Admins,dc=example,dc=ldap -b uid=jdoe,ou=Users,dc=example,dc=ldap userPassword -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=jdoe,ou=Users,dc=example,dc=ldap> with scope subtree
# filter: (objectclass=*)
# requesting: userPassword 
#

# jdoe, Users, example.ldap
dn: uid=jdoe,ou=Users,dc=example,dc=ldap
userPassword:: <encrypted_password>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

MM-SERVER2:
# ldapsearch -H ldap://mm-server2.example.ldap -d 256 -D uid=replicator,ou=Admins,dc=example,dc=ldap -b uid=jdoe,ou=Users,dc=example,dc=ldap userPassword -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <uid=jdoe,ou=Users,dc=example,dc=ldap> with scope subtree
# filter: (objectclass=*)
# requesting: userPassword 
#

# jdoe, Users, example.ldap
dn: uid=jdoe,ou=Users,dc=example,dc=ldap
userPassword:: <encrypted_password>

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


John

-----Original Message-----
From: Quanah Gibson-Mount [mailto:[email protected]] 
Sent: Monday, February 03, 2014 2:44 PM
To: Borresen, John - 0442 - MITLL; [email protected]
Subject: RE: Syncrepl and mmr

--On Monday, February 03, 2014 2:26 PM -0500 "Borresen, John - 0442 - MITLL" 
<[email protected]> wrote:

> Ok,
>
> Sanity Check, please.  Still seeing "empty syncUUID" messages.  Also, 
> the "userPassword" attributes on mm-server2, cannot be seen (via 
> Apache Directory Studio -- but show up with ldapsearch), but when I 
> attempt to add (via ldapmodify) it returns value already present.

If it shows up with ldapsearch when binding as 
uid=ldapreplicator,ou=admins,dc=example,dc=ldap, then you are set.  I have no 
idea who/what you are binding with via apache dir studio.

> # {1}bdb, config
> dn: olcDatabase={1}bdb,cn=config
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by 
> anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by 
> dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
> olcAccess: {1}to * by * read

Unless you plan on doing some really bizarre things, it is unlikely your 
ldapadmin needs manage access.  See 
<http://www.openldap.org/its/index.cgi/?findid=7795>

> # {2}bdb, config
> dn: olcDatabase={2}bdb,cn=config
> olcAccess: {0}to * by 
> dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none


The replicator only ever needs read access, not write.

Also, a separate nit: you should be using dn.exact in the first set of ACLs as 
well (you have it correctly in the second set).

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
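As an added example (not from this thread or from the OpenLDAP project), here are the two ACL sets from the quoted reply rewritten as a cn=config modification that applies the three points above: the replicator identity gets read rather than write, ldapadmin drops from manage to write (write is an assumption about what that account needs), and every dn= clause names dn.exact explicitly. The database DNs and bind identities are the ones quoted in the thread; the ldapi:///  EXTERNAL bind in the comment is an assumption about how cn=config is administered.

```ldif
# Before (as quoted in the thread): ldapadmin holds manage, the replicator
# holds write on {2}bdb, and the dn= clauses in {1}bdb give no match style.
#
#   olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
#     by anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage
#     by dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none
#   olcAccess: {0}to * by
#     dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none

# After. Apply with (assumed local admin path):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl-fix.ldif
# Lines beginning with a single space are LDIF continuations of the
# preceding olcAccess value; the extra space keeps the clauses separated.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=ldapadmin,dc=example,dc=ldap" write
  by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" read
  by * none
olcAccess: {1}to * by * read

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" read
  by * none
```

The replicator still reads userPassword under {0}, which is what the syncrepl consumer on the other server needs to pull the hashed value; nothing in these rules grants it the ability to change entries.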
