Univention Bugzilla – Bug 31422
memberOf overlay: anonymous bind on DC Slave not activated by default, replication fails
Last modified: 2014-09-11 07:56:35 CEST
The documentation of univention-ldap-overlay-memberof recommends using ldap/acl/read/ips to activate anonymous bind for the local system. This is done on DC Master/Backup by the package itself, but not on DC Slaves. If it is not activated, DC Slaves can't replicate anymore, as the first LDAP change stalls in the overlay module. Is there any reason for not activating it on a DC Slave by default?
No special reason, see Bug 24433 Comment 3. The problem on UCS Slaves was simply not observed yet during fix and QA (which is strange indeed...).
ldap/acl/read/ips is only required on the DC Master, because it is only required if there is no "rootdn" defined in slapd.conf. On DC Backup and DC Slave systems (ldap/server/type=slave) the rootdn is set, which is used by the memberof overlay to search and is used in the ACL checks. I also cannot reproduce this join/replication issue in ucs_3.2-3.
Works for me too.

Master:
-> univention-install univention-ldap-overlay-memberof
-> /usr/share/univention-ldap-overlay-memberof/univention-update-memberof
-> univention-ldapsearch '(uid=*)' memberOf

Slave:
-> univention-install univention-ldap-overlay-memberof
-> univention-ldapsearch '(uid=*)' memberOf
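The verification step above only prints raw LDIF from univention-ldapsearch, so on a larger directory it is easy to miss a user entry that came back without any memberOf value (the symptom of a stalled replication). The following shell snippet is an added example, not part of the bug report or of the UCS package: it pipes the LDIF output of `univention-ldapsearch '(uid=*)' memberOf` through awk and counts how many returned entries carry no memberOf attribute. The sample LDIF embedded below is constructed for illustration; the DNs and group names in it are not from the page.

```shell
# Count entries in LDIF on stdin that have no memberOf attribute.
# Intended input: univention-ldapsearch '(uid=*)' memberOf
# Prints "entries=<n> missing=<m>"; a non-zero "missing" on a DC Slave
# after the master was updated means the values were not replicated.
count_memberof_entries() {
    awk '
        # An entry starts at "dn:" and ends at the next blank line or EOF.
        function close_entry() {
            if (indn) { entries++; if (!hasmo) missing++ }
            indn = 0; hasmo = 0
        }
        /^dn:/       { close_entry(); indn = 1; next }
        /^memberOf:/ { hasmo = 1; next }        # also matches base64 "memberOf::"
        /^$/         { close_entry() }
        END          { close_entry(); printf "entries=%d missing=%d\n", entries, missing }
    '
}

# Exit 0 only when every returned entry has at least one memberOf value.
memberof_replication_ok() {
    case "$(count_memberof_entries)" in
        *"missing=0") return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample output (hypothetical domain example.org): alice has two
# groups, bob has none, so the check should report one missing entry.
SAMPLE_LDIF=$(cat <<'EOF'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (uid=*)
# requesting: memberOf
#

# alice, users, example.org
dn: uid=alice,cn=users,dc=example,dc=org
memberOf: cn=Domain Users,cn=groups,dc=example,dc=org
memberOf: cn=Administrators,cn=groups,dc=example,dc=org

# bob, users, example.org
dn: uid=bob,cn=users,dc=example,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
EOF
)

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | count_memberof_entries
```

On a real system replace the sample with the live output, e.g. `univention-ldapsearch '(uid=*)' memberOf | count_memberof_entries`, and run it on the DC Master first to establish the expected baseline before comparing with the DC Slave.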
Nothing to release.