OpenLDAP 的 cn=config 未完全复制

Question

olcDatabase={0}config,cn=config除了中的数据之外，您是否还为 OLC 设置了复制oldDatabase={1}hdb,cn=config？基本上，cn=config复制需要特殊的引导程序手册中解释了。

我的工作配置（在镜像模式下）如下所示：

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=config
olcRootPW:: hogehogehogehoge==
olcSyncrepl: {0}rid=001 provider=ldap://server1/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://server2/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=your,dc=domain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by .... read by .... write by dn="cn=config" read
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by .... write by * read
olcLastMod: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSyncrepl: {0}rid=011 provider=ldap://server1/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="dc=your,dc=domain" type=refreshAndPersist retry="60 +" timeout=1
olcSyncrepl: {1}rid=012 provider=ldap://server2/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="dc=your,dc=domain" type=refreshAndPersist retry="60 +" timeout=1
olcMirrorMode: TRUE
olcDb....: ... (other hdb configuration)

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

重点是使用olcRootDN并olcRootPW设置cn=config复制器 ( syncprov) 的凭据以绑定在对等服务器上。您还需要进行适当的设置olcAccess，以便它们可以从对等方获取所有内容。无需向他们授予写入权限，因为他们已经知道如何更新自己的本地数据库。

Answer 1

olcDatabase={0}config,cn=config除了中的数据之外，您是否还为 OLC 设置了复制oldDatabase={1}hdb,cn=config？基本上，cn=config复制需要特殊的引导程序手册中解释了。

我的工作配置（在镜像模式下）如下所示：

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=config
olcRootPW:: hogehogehogehoge==
olcSyncrepl: {0}rid=001 provider=ldap://server1/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldap://server2/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=your,dc=domain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by .... read by .... write by dn="cn=config" read
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by .... write by * read
olcLastMod: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSyncrepl: {0}rid=011 provider=ldap://server1/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="dc=your,dc=domain" type=refreshAndPersist retry="60 +" timeout=1
olcSyncrepl: {1}rid=012 provider=ldap://server2/ starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=config" credentials=secret searchbase="dc=your,dc=domain" type=refreshAndPersist retry="60 +" timeout=1
olcMirrorMode: TRUE
olcDb....: ... (other hdb configuration)

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov

重点是使用olcRootDN并olcRootPW设置cn=config复制器 ( syncprov) 的凭据以绑定在对等服务器上。您还需要进行适当的设置olcAccess，以便它们可以从对等方获取所有内容。无需向他们授予写入权限，因为他们已经知道如何更新自己的本地数据库。

OpenLDAP 的 cn=config 未完全复制

答案1

相关内容