I did a lot of changes to my configuration via Ansible. Here is my
provider configuration:

--------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapmaster-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapmaster-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}accesslog.la
olcModuleLoad: {3}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read

dn: olcDatabase={3}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcAccess: {0} to dn.sub=cn=accesslog by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net read
olcDbIndex: reqStart,reqEnd,reqMod,reqResult,entryCSN,entryUUID,objectClass eq

dn: olcOverlay={0}accesslog,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 01+00:00 00+04:00
olcAccessLogSuccess: TRUE

dn: olcOverlay={1}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 300
--------------------

Here is the configuration of my consumer:
---------------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcLogLevel: sync
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcTLSCACertificateFile: /etc/ssl/certificates/cacert.pem
olcTLSCertificateFile: /etc/ssl/certificates/ldapslave-01-cert.pem
olcTLSCertificateKeyFile: /etc/ssl/certificates/ldapslave-01-key.pem
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcSizeLimit: 500

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}VKs74I0HQj84sDa2f8Ie3fwYdEL/BVtb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth write by dn.exact=cn=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=cn=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact=""  by * read
olcAccess: {2}to dn.base="cn=subschema"  by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}psW8QuHfZE1qFpyXTE8r4RGdzzonln6a
olcSyncrepl: {0}rid=1 provider=ldaps://ldapmaster.example.net type=refreshAndPersist retry="5 5 300 +" filter="(ObjectClass=*)" scope=sub bindmethod=simple searchbase="dc=example,dc=net" binddn="cn=repl-user,ou=users,dc=example,dc=net" credentials=geheim syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))
olcUpdateRef: ldaps://ldapmaster.example.net
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: entryCSN,entryUUID eq
olcDbMaxSize: 1073741824

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}Monitor
olcAccess: {0} to dn.subtree="cn=monitor" by dn.exact="cn=ldap-admin,ou=users,dc=example,dc=net" read
---------------------

When I restart my consumer I see the following logs on the consumer:
----------
Sep 15 20:42:09 ldapslave-01 systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Sep 15 20:42:09 ldapslave-01 slapd[2742]: slap_queue_csn: queueing 0x7f4f6011ceb0 20200915172117.549009Z#000000#000#000000
Sep 15 20:42:09 ldapslave-01 slapd[2742]: syncrepl_message_to_op: rid=001 tid 6e8d4700
Sep 15 20:42:09 ldapslave-01 slapd[2742]: syncrepl_message_to_op: rid=001 mods check (objectClass: value #0 invalid per syntax)
Sep 15 20:42:09 ldapslave-01 slapd[2742]: slap_graduate_commit_csn: removing 0x7f4f6011ceb0 20200915172117.549009Z#000000#000#000000
Sep 15 20:42:09 ldapslave-01 slapd[2742]: do_syncrepl: rid=001 rc 21 retrying (4 retries left)
----------

On the provider:
----------
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 ACCEPT from IP=192.168.56.16:38500 (IP=0.0.0.0:636)
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" method=128
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 BIND dn="cn=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE ssf=0
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=1 SRCH base="cn=accesslog" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=1 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
Sep 15 20:42:14 ldapmaster slapd[2868]: syncprov_search_response: cookie=rid=001,csn=20200915173214.801545Z#000000#000#000000
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 op=2 UNBIND
Sep 15 20:42:14 ldapmaster slapd[2868]: conn=1002 fd=14 closed
----------
I have been looking at my configuration for days; at the moment "I can't see the tree in the forest" :-) (as we say in Germany).

I compared the subschema of both consumer and provider; they are the same. I tried to access the accesslog with ldapsearch with my repl-user and I can access the database.

Can anyone have a look at my configuration, please?

Stefan

On 09.09.20 at 10:39, Stefan Kania wrote:
> Hi Quanah,
> thanks for the help. Up to now I did delta-syncrepl only via
> slapd.conf; now I will get it to work with slapd.d AND Ansible.
> After your posting I looked at my configuration and I saw it. Sometimes
> you need someone to put you on the right track. Thanks, not only for
> this answer; you are doing a great job on this mailing list!
>
> Stefan
>
> On 08.09.20 at 21:35, Quanah Gibson-Mount wrote:
>> Your configuration has many problems. ;)
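As an added example (not code from this thread or from OpenLDAP itself), a short Python lint pass over cn=config LDIF of the kind posted above: it unfolds slapcat-style continuation lines, then flags an olcDatabase value that does not carry its RDN index (the provider's {3}mdb accesslog entry above has `olcDatabase: mdb`), a syncdata=accesslog stanza with no logbase, and a simple-bind olcSyncrepl whose provider URL is not ldaps:// and has no starttls=critical. The sample LDIF is constructed to resemble the posted configs; parse_ldif and lint are my own names.

```python
import re
import shlex

# Constructed sample modelled on the posted configs (not copied from the mail)
SAMPLE_LDIF = """\
dn: olcDatabase={3}mdb,cn=config
olcDatabase: mdb
olcSuffix: cn=accesslog

dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
olcSyncrepl: {0}rid=1 provider=ldap://ldapmaster.example.net type=refreshAndP
 ersist searchbase="dc=example,dc=net" bindmethod=simple binddn="cn=repl-user,
 ou=users,dc=example,dc=net" credentials=geheim syncdata=accesslog
"""

def parse_ldif(text):
    """Entries as {attr: [values]}; a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # unfold the way slapcat folds
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def lint(entries):
    """Findings for slips a reviewer would check in a delta-syncrepl cn=config."""
    out = []
    for e in entries:
        dn = e["dn"][0]
        rdn = re.match(r"olcDatabase=(\{-?\d+\}\w+),cn=config$", dn)
        if rdn and e.get("olcDatabase", [""])[0] != rdn.group(1):
            out.append(f"{dn}: olcDatabase value should be {rdn.group(1)}")
        for sr in e.get("olcSyncrepl", []):
            kv = dict(t.split("=", 1) for t in shlex.split(re.sub(r"^\{\d+\}", "", sr)) if "=" in t)
            if kv.get("syncdata") == "accesslog" and "logbase" not in kv:
                out.append(f"{dn}: syncdata=accesslog without logbase (log search base)")
            if not kv.get("provider", "").startswith("ldaps://") and kv.get("starttls") != "critical":
                out.append(f"{dn}: simple-bind credentials would cross the wire unencrypted")
    return out
```

Running `lint(parse_ldif(SAMPLE_LDIF))` reports all three slips; run it against a real `slapcat -n0` dump to check a live cn=config.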