I am trying to have an OpenLDAP master use the LDAP backend as a proxy to perform push-only replication to a remote OpenLDAP consumer. The master will be able to reach the slave, but the slave cannot reach the master.
My problem is that I get an LDAP constraint error during replication:
Dec 12 11:51:27 rhel7 slapd[1417]: syncprov_search_response: cookie=rid=100,csn=20141211222736.923231Z#000000#000#000000
Dec 12 11:51:27 rhel7 slapd[1417]: do_syncrep2: rid=100 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_message_to_entry: rid=100 DN: dc=example,dc=com, UUID: 56f70834-13d3-1034-9c4b-b9373d9331cc
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_search (0)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 dc=example,dc=com
Dec 12 11:51:27 rhel7 slapd[1417]: null_callback : error code 0x13
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com (19)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com failed (19)
The logs on the slave show a similar error:
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(entryUUID=56f70834-13d3-1034-9c4b-b9373d9331cc)"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH attr=* +
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 ADD dn="dc=example,dc=com"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 RESULT tag=105 err=19 text=structuralObjectClass: no user modification allowed
My provider hdb configuration. The domain components have been replaced.
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 7c7ced28
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: f60bed20-13a3-1034-8f7e-113c69ebc9f8
creatorsName: cn=config
createTimestamp: 20141209040239Z
olcRootPW:: e1NTSEF9cVVvVFJQd3BwYWVkcUhRVGdZT1BZV29rcjNTaVhqYks=
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
entryCSN: 20141211014727.826962Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141211014727Z
Provider ldap configuration
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ff26115e
dn: olcDatabase={3}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcHidden: TRUE
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by * read
olcLastMod: TRUE
olcRestrict: all
olcRootDN: cn=ldap-replroot
olcSyncrepl: {0}rid=100 provider="ldap://rhel7:389" tls_reqcert=never binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=supersecretpassword searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 +"
olcDbStartTLS: start
olcDbACLBind: bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=supersecretpassword
structuralObjectClass: olcLDAPConfig
entryUUID: d4b45f1a-1522-1034-8b61-af7acc5313da
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20141211014320Z
olcDbURI: ldap://authldap-01-cs
entryCSN: 20141211052948.885859Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141211052948Z
My slave configuration
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a539163c
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uid eq,pres,sub
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
structuralObjectClass: olcHdbConfig
entryUUID: a5ede4ec-1420-1034-9ec6-e93109d39d98
creatorsName: cn=config
createTimestamp: 20141209185511Z
olcSuffix: dc=example,dc=com
olcRootDN: cn=manager,dc=example,dc=com
olcRootPW:: e1NTSEF9cVVvVFJQd3BwYWVkcUhRVGdZT1BZV29rcjNTaVhqYks=
olcAccess: {0}to * by dn="cn=replicator,dc=example,dc=com" write by dn="cn=manager,dc=example,dc=com" write by * read
entryCSN: 20141212193340.646494Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20141212193340Z
I have tried seeding the consumer with a slapcat export, and I have also tried deleting the entire domain component, but neither seems to work.
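As an added triage example (not part of the question above and not code from the OpenLDAP project), the following Python script parses the two log excerpts quoted in the question, decodes the slapd result codes (the `0x13` in the `null_callback` line is decimal 19, `constraintViolation` in RFC 4511), and pairs the provider's `be_add ... failed (19)` with the consumer operation that rejected it, naming the attribute the consumer refused. The sample log text embedded in the script is constructed from the lines quoted in the question; the regular expressions match the syncrepl debug format and the stats-level `conn=/op=` format shown there and are assumptions for any other slapd log level.

```python
import re

# LDAP resultCode values from RFC 4511, section 4.1.9 (only the subset needed here)
LDAP_RESULT_CODES = {
    0: "success",
    19: "constraintViolation",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

# slapd's message when an operational (NO-USER-MODIFICATION) attribute is sent in an ADD/MOD
NO_USER_MOD = "no user modification allowed"

# Constructed sample input: the provider-side syncrepl debug lines quoted in the question
PROVIDER_LOG = """\
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_search (0)
Dec 12 11:51:27 rhel7 slapd[1417]: null_callback : error code 0x13
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com (19)
Dec 12 11:51:27 rhel7 slapd[1417]: syncrepl_entry: rid=100 be_add dc=example,dc=com failed (19)
"""

# Constructed sample input: the consumer-side stats lines quoted in the question
CONSUMER_LOG = """\
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(entryUUID=56f70834-13d3-1034-9c4b-b9373d9331cc)"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SRCH attr=* +
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 ADD dn="dc=example,dc=com"
Dec 12 14:13:24 authldap-01-cs slapd[2339]: conn=1004 op=16 RESULT tag=105 err=19 text=structuralObjectClass: no user modification allowed
"""

FAILED_RE = re.compile(r"syncrepl_entry: rid=(\d+) be_(\w+) (.+?) failed \((\d+)\)")
NULL_CB_RE = re.compile(r"null_callback : error code 0x([0-9a-fA-F]+)")
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|MODRDN|DEL|SRCH)\b(?:.*?(?:dn|base)="([^"]*)")?')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+).*?text=(.*)")


def code_name(code):
    return LDAP_RESULT_CODES.get(code, "unknown(%d)" % code)


def provider_failures(text):
    """One record per 'be_<op> <dn> failed (N)' line in syncrepl debug output."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            code = int(m.group(4))
            out.append({"rid": int(m.group(1)), "op": m.group(2), "dn": m.group(3),
                        "code": code, "name": code_name(code)})
    return out


def null_callback_codes(text):
    """Decode the hex codes logged by null_callback (0x13 -> 19)."""
    return [int(m.group(1), 16) for m in NULL_CB_RE.finditer(text)]


def rejected_attribute(text):
    """If the consumer refused an operational attribute, return its name from the RESULT text."""
    if text.endswith(NO_USER_MOD):
        return text.split(":", 1)[0].strip()
    return None


def consumer_operations(text):
    """Pair each conn/op request line with its RESULT line on the consumer."""
    ops = {}
    for line in text.splitlines():
        m = OP_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key not in ops:  # a later 'SRCH attr=...' line for the same op carries no DN
                ops[key] = {"conn": key[0], "op": key[1], "type": m.group(3),
                            "dn": m.group(4), "err": None, "text": ""}
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            rec = ops.setdefault(key, {"conn": key[0], "op": key[1], "type": None, "dn": None})
            rec["err"] = int(m.group(4))
            rec["text"] = m.group(5).strip()
    return ops


def correlate(provider_text, consumer_text):
    """Match each provider-side syncrepl failure to the consumer op with the same DN, op type and code."""
    findings = []
    ops = consumer_operations(consumer_text)
    for f in provider_failures(provider_text):
        for rec in ops.values():
            if (rec["err"] == f["code"] and rec["dn"] == f["dn"]
                    and rec["type"] and rec["type"].lower() == f["op"]):
                findings.append({"rid": f["rid"], "dn": f["dn"], "code": f["code"], "name": f["name"],
                                 "conn": rec["conn"], "op": rec["op"], "consumer_text": rec["text"],
                                 "attribute": rejected_attribute(rec["text"])})
    return findings


if __name__ == "__main__":
    for hit in correlate(PROVIDER_LOG, CONSUMER_LOG):
        print("rid=%d %s on %s rejected by consumer conn=%d op=%d: %d %s; attribute=%s" % (
            hit["rid"], "add", hit["dn"], hit["conn"], hit["op"], hit["code"], hit["name"], hit["attribute"]))
```

Running it against the two excerpts yields a single correlated finding: the provider's `be_add` of `dc=example,dc=com` under rid 100 maps to consumer `conn=1004 op=16`, result code 19 (`constraintViolation`), with `structuralObjectClass` as the attribute the consumer refused because it is not user-modifiable. The `attr=* +` on the consumer's search shows the proxy requesting operational attributes, which is the context in which that refusal appears.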