[Samba] Samba LDAP replication weirdness...

Craig White craigwhite at azapple.com
Wed Mar 23 03:09:50 GMT 2005


On Tue, 2005-03-22 at 20:35 -0600, Mccrory, Kevin B wrote:
> I have the PDC/BDC with a master slave LDAP directory set up and
> operating. 
> 
> One problem is that I've only been able to get the LDAP Master/Slave
> replication working if I use Manager as the binddn for the replication.
> I'm using the IDEALX smbldap tools. If I use another user I get an ERROR:
> Insufficient access: no write access to entry error and a .rej file is
> created. 
> 
> Each entry shows modifiersName: cn=Manager,dc=mphqcops,dc=opmg,dc=local
> for all the change entries. Isn't this supposed to match the binddn
> entry from the slapd.conf file???? 
----
various issues here - you seem to believe that they are related.

in slapd.conf, you have a rootdn - that is a master and probably not the
best dn to use for replication or samba. Also - on ldap-slave, you would
have an updatedn which is the 'user' that the ldap-master would use to
send updates to the slave. On the ldap-master, you would have a 'replica'
section that would list a binddn which is for the 'user' that updates
the slave and 'credentials' which is the password for this user. None of
this really has anything to do with samba (yet)

In theory, the ldap-slave should have ACLs that pretty much deny all
client writes except for the rootdn (which can never really be denied)
and the updatedn - which is the 'user' that the ldap-master uses to
propagate changes in the LDAP DSA.

Thus in samba, you should probably use a different dn which can't write
to the ldap-slave but could write to the ldap-master and samba is
supposed to 'chase referrals' back to the master in order to make
changes. Thus the reason for a line similar to this in the ldap-slave
slapd.conf
updateref       ldaps://fqdn-my-ldap-master/

It really helps to have ldap all set up, master, slave, replication,
ACLs etc., before you bring samba into the fold.

As for your last question, I would presume that the modifiersName would
be whoever did the modification - i.e. 
(from samba - ldap admin dn = cn=blah,dc=example,dc=com)
(from ldapadd - cn=Manager,dc=example,dc=com)
(from turba - uid=me,ou=People,ou=Accounts,dc=example,dc=com)
(on ldap-slave from ldap-master - cn=updatedn_name,dc=example,dc=com)

Craig
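As an added illustration of the layout the reply describes (not part of the original message), here are the master and slave slapd.conf fragments for slurpd-style replication. The suffix dc=example,dc=com, the replication DN cn=replicator, the Samba admin DN, and the host names are assumed example values.

```conf
########## ldap-master slapd.conf (assumed example values) ##########
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootdn bypasses ACLs; keep it out of replication and out of smb.conf.

# slurpd writes every change here and pushes it to each replica.
replogfile      /var/lib/ldap/replog
replica         uri=ldaps://ldap-slave.example.com/
                binddn="cn=replicator,dc=example,dc=com"
                bindmethod=simple
                credentials=replicator-password

# Samba's "ldap admin dn" (from smb.conf) may write here; it is NOT the rootdn.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=sambaadmin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=sambaadmin,dc=example,dc=com" write
        by * read

########## ldap-slave slapd.conf (assumed example values) ##########
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# Must match the binddn in the master's replica stanza, and must not be the
# rootdn.  updatedn is still subject to the ACLs below, so it needs write
# access here or every pushed change fails with "Insufficient access" and
# lands in a .rej file.
updatedn        "cn=replicator,dc=example,dc=com"
# Any other client that tries to write is referred back to the master;
# Samba chases this referral when it modifies an entry.
updateref       ldaps://ldap-master.example.com/

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" write
        by * read
```

With this split, modifiersName on the slave will read cn=replicator,dc=example,dc=com for replicated changes, while on the master it names whichever DN actually bound to make the change.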