Re: [Samba] Samba LDAP replication weirdness...



Old 03-23-2005
Craig White
Default Re: [Samba] Samba LDAP replication weirdness...

On Tue, 2005-03-22 at 20:35 -0600, Mccrory, Kevin B wrote:
> I have the PDC/BDC with a master slave LDAP directory set up and
> operating.
>
> One problem is that I've only been able to get the LDAP Master/Slave
> replication working if I use Manager as the binddn for the replication.
> I'm using the IDEALX smbldap tools. If I use another user I get a ERROR:
> Insufficient access: no write access to entry error and a .rej file is
> created.
>
> Each entry shows modifiersName: cn=Manager,dc=mphqcops,dc=opmg,dc=local
> for all the change entries. Isn't this supposed to match the binddn
> entry from the slapd.conf file????

----
various issues here - you seem to believe that they are related.

in slapd.conf, you have a rootdn - that is a master and probably not the
best dn to use for replication or samba. Also - on ldap-slave, you would
have an updatedn which is the 'user' that the ldap-master would use to
send updates to the slave. On the ldap-master, you would have a 'replica'
section that would list a binddn which is for the 'user' that updates
the slave and 'credentials' which is the password for this user. None of
this really has anything to do with samba (yet).

In theory, the ldap-slave should have ACLs that pretty much deny all
client writes except for the rootdn (which can never really be denied)
and the updatedn - which is the 'user' that the ldap-master uses to
propagate changes in the LDAP DSA.

Thus in samba, you should probably use a different dn which can't write
to the ldap-slave but could write to the ldap-master and samba is
supposed to 'chase referrals' back to the master in order to make
changes. Thus the reason for a line similar to this in the ldap-slave
slapd.conf:

    updateref ldaps://fqdn-my-ldap-master/

It really helps to have ldap all set up, master, slave, replication,
ACLs etc., before you bring samba into the fold.

As for your last question, I would presume that the modifiersName would
be whoever did the modification - i.e.
(from samba - ldap admin dn = cn=blah,dc=example,dc=com)
(from ldapadd - cn=Manager,dc=example,dc=com)
(from turba - uid=me,ou=People,ou=Accounts,dc=example,dc=com)
(on ldap-slave from ldap-master - cn=updatedn_name,dc=example,dc=com)

Craig

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
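The layout Craig describes, written out as an added example (this is not part of the original post and not shipped configuration from the OpenLDAP or Samba projects): a slurpd-style OpenLDAP 2.2/2.3 master and slave, with a dedicated replication DN that is the only non-root identity allowed to write on the slave, and a separate Samba admin DN that writes only on the master. The suffix dc=example,dc=com, the hostnames ldap-master.example.com and ldap-slave.example.com, the DNs cn=replicator and cn=samba-admin, and all password values are assumed placeholders; substitute your own.

```conf
########## ldap-master.example.com : slapd.conf (assumed example) ##########
database        bdb
suffix          "dc=example,dc=com"
# rootdn is the unrestricted master identity; it is NOT reused for
# replication or for Samba, so that its use stays exceptional
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}ROOT_HASH_PLACEHOLDER

# Change log that slurpd reads and pushes to each slave
replogfile      /var/lib/ldap/replog

# One 'replica' stanza per slave: binddn/credentials are the identity
# slurpd uses when it binds to the slave, so they must match the
# slave's updatedn and the password stored in the replicator's entry
replica         uri=ldaps://ldap-slave.example.com/
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple
                credentials=REPLICATOR_PASSWORD_PLACEHOLDER

# On the master, only the Samba admin DN (and the user for their own
# password) may write; everyone else reads
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba-admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=samba-admin,dc=example,dc=com" write
        by * read

########## ldap-slave.example.com : slapd.conf (assumed example) ##########
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}ROOT_HASH_PLACEHOLDER

# Only this DN may apply the updates pushed by the master's slurpd;
# any other client that tries to write gets a referral to updateref
updatedn        "cn=replicator,dc=example,dc=com"
updateref       ldaps://ldap-master.example.com/

# Slave ACLs: the replicator writes, everybody else only reads.
# The Samba admin DN deliberately has no write access here.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by * read

########## entry for the replication user, loaded once on the master ##########
# (LDIF, assumed example; the hash must correspond to the plaintext
# given as 'credentials' in the master's replica stanza)
# dn: cn=replicator,dc=example,dc=com
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: replicator
# description: slurpd replication bind identity
# userPassword: {SSHA}REPLICATOR_HASH_PLACEHOLDER

########## Samba PDC/BDC : smb.conf [global] fragment (assumed example) ##########
[global]
   # master listed first; Samba chases referrals back to it for writes
   passdb backend = ldapsam:"ldaps://ldap-master.example.com/ ldaps://ldap-slave.example.com/"
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   # a Samba-specific DN, not rootdn and not the replication DN
   ldap admin dn = cn=samba-admin,dc=example,dc=com
   # give slurpd time to push a write to the slave before re-reading
   ldap replication sleep = 1000
```

With this split, modifiersName on the master shows cn=samba-admin for changes Samba made and cn=Manager only for manual ldapadd/ldapmodify runs as rootdn, while every replicated entry on the slave shows cn=replicator, which is the behaviour Craig describes in his last paragraph. If a .rej file appears on the master it means the slave rejected the push, so the first things to compare are the replica binddn/credentials against the slave's updatedn and the replicator entry's password.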