Hi all, I've got a master / slave replica setup. I did use this tutorial to set up the replica:
https://wiki.debian.org/LDAP/OpenLDAPSetup My ldap tree is something like: Root -> o=(first level local branch), o=(first level replicated branch). The local branch is just a cut and paste of the replicated branch. On the slave server I can use the replicated branch to authenticate against a Radius server. On the master server I realized I cannot let web users authenticate against the replicated branch. If I try to bind as a user from the replicated branch, on both the master and the slave, I get: ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W Enter LDAP Password: ldap_bind: Invalid credentials (49) On the master, on the local branch, I get: ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W Enter LDAP Password: dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is I did try to configure the acl on the server to disallow anonymous bind. And, once found this problem, I did try to create a bind user (uid=read_only) able to read the replicated branch, userPassword attrs included. Unfortunately this did not solve the problem. My acl on the master are: dn: olcDatabase={1}mdb objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=who,dc=is olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou =binds,dc=who,dc=is" read olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica, ou=binds,dc=who,dc=is" read olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * non e olcAccess: {3}to attrs=shadowLastChange by self write by * read olcAccess: {4}to * by users read I'm quite new to this kind of setup, is this something to be expected? Is there a way to bind directly on the replicated branch? Regards, Giuseppe
