Hi All,

I'm looking for a bit of advice on my LDAP setup to see where I'm going wrong 
with this. I have searched high and low all over the internet for an answer, 
and I can't seem to find anyone having the exact same issue. If anyone could 
shed any light on this, it would be great.


I've built two LDAP servers on CentOS 7.4/OpenLDAP 2.4.44 running in mirror 
mode, and they are working successfully. I can create, delete, and edit entries 
on either server using the manager account, and the changes will be instantly 
mirrored over to the other server.

However, my problems started when I wanted to introduce two users to have full 
control over an OU each within the structure. I have put the ACLs for these 
users in place, and they work, but as soon as I do anything, even just an edit 
on an existing item in that OU, the change isn't mirrored over to the other 
server, and the server being mirrored to no longer replicates as it says the 
database is not a shadow.


The users in question are corpadmin and eduadmin, managing the Corporate and 
Education OUs respectively.

The ACLs in my databaseconfig file for the two users being put in place are as follows:


dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=wireless,dc=org
structuralObjectClass: olcHdbConfig
creatorsName: cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=wireless,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.subtree="ou=Corporate,dc=wireless,dc=org" by dn="uid=corpadmin,ou=Admins,dc=wireless,dc=org" write by * read
olcAccess: {3}to dn.subtree="ou=Education,dc=wireless,dc=org" by dn="uid=eduadmin,ou=Admins,dc=wireless,dc=org" write by * read
olcAccess: {4}to * by dn="cn=Manager,dc=wireless,dc=org" write by * read
olcRootDN: cn=manager,dc=wireless,dc=org


The original databaseconfig file, minus the ACLs, is like so:


dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=wireless,dc=org
structuralObjectClass: olcHdbConfig
creatorsName: cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=wireless,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=wireless,dc=org" write by * read
olcRootDN: cn=manager,dc=wireless,dc=org


These ACLs have been added to the same file on the other server, so both ACLs 
match.


Is there anywhere else I should be making these ACL changes, such as the 
olcDatabase={0}config file (Pasted here for ref)?


dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcRootPW:: 213jh287ycshasdkujqy7w483i1234jh123er7qwedfasdf
olcMirrorMode: TRUE
structuralObjectClass: olcDatabaseConfig
entryUUID: 507c5e6e-b24a-1037-9c97-89a2062470b8
creatorsName: cn=config
createTimestamp: 20180302094624Z
olcSyncrepl: {0}rid=001 provider=ldap://ldapauth1.fqdn.org binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://ldapauth2.fqdn.org binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
entryCSN: 20180302133047.428537Z#000000#002#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20180302133047Z

Finally, barring a restore of both servers, is there any way of bringing the 
two servers back into sync if I get a "database is not a shadow" error? Again, 
I've had a good look for information, but most posts mentioned that it was a 
bug with an earlier version of OpenLDAP and to upgrade to resolve this, rather 
than any info on how to resync the databases.


Thanks in advance.


Cheers,

             Mark
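A small diagnostic to go with the final question, added here and not part of Mark's post: it parses the contextCSN values that `ldapsearch -LLL -s base -b dc=wireless,dc=org contextCSN` prints on each mirror node (the sample output below is constructed) and reports, per server ID, whether both nodes carry the same latest change. The CSN layout and the dc=wireless,dc=org suffix are taken from the post; everything else is this example's own.

```python
import re

# CSN (as in the post): <timestamp>#<count>#<sid>#<mod>; mirror mode keeps one per SID.
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space = same attribute), drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def context_csns(ldif_text):
    """Return {sid: (timestamp, count)} for every contextCSN in the LDIF."""
    csns = {}
    for line in unfold_ldif(ldif_text):
        attr, _, value = line.partition(": ")
        if attr.lower() != "contextcsn":
            continue
        m = CSN_RE.match(value.strip())
        if not m:
            raise ValueError("malformed CSN: %r" % value)
        ts, count, sid, _mod = m.groups()
        csns[sid] = (ts, count)
    return csns

def compare_providers(ldif_a, ldif_b):
    """Per SID: 'in sync', 'A ahead', 'B ahead', or which node lacks the SID."""
    a, b = context_csns(ldif_a), context_csns(ldif_b)
    report = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            report[sid] = "missing on " + ("A" if sid not in a else "B")
        elif a[sid] == b[sid]:
            report[sid] = "in sync"
        else:  # fixed-width fields, so string order is chronological order
            report[sid] = "A ahead" if a[sid] > b[sid] else "B ahead"
    return report

# Constructed sample output of `ldapsearch -LLL -s base -b dc=wireless,dc=org
# contextCSN` on each node: B never received SID 001's latest write.
LDIF_A = ("dn: dc=wireless,dc=org\n"
          "contextCSN: 20180302133047.428537Z#000000#001#000000\n"
          "contextCSN: 20180302132900.101010Z#000000#002#000000\n")
LDIF_B = ("dn: dc=wireless,dc=org\n"
          "contextCSN: 20180302120000.000000Z#000000#001#000000\n"
          "contextCSN: 20180302132900.101010Z#000000#002#000000\n")
```

Running `compare_providers(LDIF_A, LDIF_B)` on the sample reports SID 001 as "A ahead" and SID 002 as "in sync", which tells you which node's data is current before you reload the lagging one.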
