I'm trying to have an OpenLDAP master perform push-only replication to remote OpenLDAP consumers, using the LDAP back-end as a proxy. The master will be able to reach the slaves, but the slaves cannot reach the master.
My problem is that I'm getting an LDAP constraint error during replication:
Dec 12 11:51:27 rhel7 slapd[1417]: syncprov_search_response: cookie=rid=100,csn=20141211222736.923231Z#000000#000#000000
Dec 12 11:51:27 rhel7 slapd[1417]: do_syncrep2: rid=100 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_message_to_entry: rid=100 DN: dc=example,dc=com, UUID: 56f70834-13d3-1034-9c4b-b9373d9331cc
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_search (0)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 dc=example,dc=com
Dec 12 11:51:27 rhel7 slapd[1417]: null_callback : error code 0x13
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com (19)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com failed (19)
The logs on the slave show a similar error:
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(entryUUID=56f70834-13d3-1034-9c4b-b9373d9331cc)"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH attr=* +
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 ADD dn="dc=example,dc=com"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 RESULT tag=105 err=19 text=structuralObjectClass: no user modification allowed
My provider hdb config. Domain components replaced.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 7c7ced28
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: f60bed20-13a3-1034-8f7e-113c69ebc9f8
creatorsName: cn=config
createTimestamp: 20141209040239Z
olcRootPW:: e1NTSEF9cVVvVFJQd3BwYWVkcUhRVGdZT1BZV29rcjNTaVhqYks=
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
entryCSN: 20141211014727.826962Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141211014727Z
Provider ldap config
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ff26115e
dn: olcDatabase={3}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcHidden: TRUE
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by * read
olcLastMod: TRUE
olcRestrict: all
olcRootDN: cn=ldap-replroot
olcSyncrepl: {0}rid=100 provider="ldap://rhel7:389" tls_reqcert=never binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=supersecretpassword searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 +"
olcDbStartTLS: start
olcDbACLBind: bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=supersecretpassword
structuralObjectClass: olcLDAPConfig
entryUUID: d4b45f1a-1522-1034-8b61-af7acc5313da
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20141211014320Z
olcDbURI: ldap://authldap-01-cs
entryCSN: 20141211052948.885859Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141211052948Z
My slave config
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a539163c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid eq,pres,sub
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
structuralObjectClass: olcHdbConfig
entryUUID: a5ede4ec-1420-1034-9ec6-e93109d39d98
creatorsName: cn=config
createTimestamp: 20141209185511Z
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: e1NTSEF9cVVvVFJQd3BwYWVkcUhRVGdZT1BZV29rcjNTaVhqYks=
olcAccess: {0}to * by dn="cn=replicator,dc=example,dc=com" write by dn="cn=manager,dc=example,dc=com" write by * read
entryCSN: 20141212193340.646494Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141212193340Z
I have tried seeding the consumer with a slapcat export, and I have tried removing the whole domain component, and neither seems to be working for me.
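A small triage helper for the two log excerpts in the question, added here as an example and not part of the original post: it pairs each slapd access-log RESULT line with the request it answers and names the LDAP result code per RFC 4511, so the err=19 on the ADD surfaces as constraintViolation together with its diagnostic text. The regexes are assumptions about slapd's default stats logging and its syncrepl debug output.

```python
"""Triage helper for the slapd log excerpts in the question (added example, not
part of the original post). Pairs each access-log RESULT with its request and
names the LDAP result code per RFC 4511; the regexes are assumptions about
slapd's default 'stats' logging and its syncrepl debug output."""
import re

# RFC 4511 result codes that come up when triaging replication failures.
RESULT_CODES = {0: "success", 19: "constraintViolation", 32: "noSuchObject",
                50: "insufficientAccessRights", 53: "unwillingToPerform",
                68: "entryAlreadyExists"}

# Request lines carry conn/op/operation/dn; result lines carry err/text.
REQ_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|DEL|MODRDN|SRCH) (?:dn|base)="([^"]*)"')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=\d+ err=(\d+)(?: nentries=\d+)? text=(.*)$')
# Consumer-side syncrepl debug line: "syncrepl_entry: rid=100 be_add <dn> failed (19)"
SYNC_RE = re.compile(r'syncrepl_entry: rid=(\d+) (be_\w+) (.*) failed \((\d+)\)')

# Sample input copied from the question's two log excerpts.
SLAVE_LOG = [
    'Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(entryUUID=56f70834-13d3-1034-9c4b-b9373d9331cc)"',
    'Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH attr=* +',
    'Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=',
    'Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 ADD dn="dc=example,dc=com"',
    'Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 RESULT tag=105 err=19 text=structuralObjectClass: no user modification allowed',
]
PROVIDER_LOG = [
    'Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com (19)',
    'Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com failed (19)',
]


def failed_operations(lines):
    """Return one dict per failed operation, joined to the request it belongs to."""
    requests = {}  # (conn, op) -> (operation, dn), filled from request lines
    failures = []
    for line in lines:
        if m := REQ_RE.search(line):
            requests[(m[1], m[2])] = (m[3], m[4])
        elif (m := RES_RE.search(line)) and int(m[3]) != 0:
            operation, dn = requests.get((m[1], m[2]), ("?", "?"))
            failures.append({"source": "access", "conn": int(m[1]), "op": int(m[2]),
                             "operation": operation, "dn": dn, "err": int(m[3]),
                             "err_name": RESULT_CODES.get(int(m[3]), "unknown"),
                             "text": m[4].strip()})
        elif m := SYNC_RE.search(line):
            failures.append({"source": "syncrepl", "rid": int(m[1]), "operation": m[2],
                             "dn": m[3], "err": int(m[4]),
                             "err_name": RESULT_CODES.get(int(m[4]), "unknown"), "text": ""})
    return failures
```

Running `failed_operations` over both excerpts shows the same entry, dc=example,dc=com, failing with result code 19 on each side: the proxy's syncrepl consumer reports the be_add failure, and the slave's access log carries the reason text.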