Thanks a lot for the reply Quanah. Definitely makes sense to not use loglevels that don’t even apply. I was just kinda desperate and tried lots of things.
However I made progress lately and actually got it to work (was an ACL issue after all). So there is currently no need for further assistance. Though I will check if I still have that duplicate entry in the config. Thanks for pointing that out.

Unfortunately I didn’t get to write to the list as I wanted to write up something more comprehensive because the documentation on the meta backend is kinda sparse aside from the man page. Hopefully I will get to that in the next days to have something more recent than posts from 10 years ago for people who search for the same issue as I did.

Best regards and thanks again,
Cyril

> On 18 Dec 2024, at 22:59, Quanah Gibson-Mount <[email protected]> wrote:
>
> --On Friday, November 29, 2024 12:37 PM +0100 [email protected] wrote:
>
>> Hi there
>>
>> Sorry for the long post however I aim to provide as much information as
>> possible to help pinpoint the issue. Also sorry for any wrong wording as
>> I am still a bit overwhelmed with OpenLDAP and struggle to understand
>> everything I need.
>>
>> From my predecessor I inherited an OpenLDAP 2.4.x cluster running on RHEL
>> 7. My job is to migrate this cluster to OpenLDAP 2.6.x on RHEL 8.
>> The cluster consists of two provider and four consumer servers.
>> The old cluster was based on self-compiled original OpenLDAP binaries.
>> For the new cluster I am using the LTB version of OpenLDAP, currently
>> with version 2.6.8.
>> I also switched from HDB to MDB with the new cluster and am using Let's
>> Encrypt instead of DigiCert certificates and upped the TLS version from
>> 1.0 to 1.2. And for the default password hashing algorithm I switched
>> from SSHA to ARGON2.
>> So there are lots of changes that might potentially influence the meta
>> databases though I did not see anything that suggests this.
>
> I would remove the shell loglevel from your config since you don't use any
> shell backends.
>
> Sometimes I'll use slapd in debug mode (-d -1) to get a full dump of
> everything to dig through.
>
> I noted that you have a duplicate entry for one of the meta backends:
>
> dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
>
> dn: olcMetaSub={1}uri,olcDatabase={2}meta,cn=config
>
> These appear to have identical configurations, which may be a problem? The
> other URIs on the same meta db have different rewrite options, but on the
> above, they are the same.
>
> --Quanah
