
Re: Rép. : Re: Overlay Chain



Hi,
 
now I have:
 
a referral link like this:
 
dn: o=NDS,dc=eDirectory,dc=fr
objectClass: referral
objectClass: extensibleObject
o: NDS
ref: ldaps://Ip:636/ou=users,o=eDirectory

and on slapd.conf this
 
.....
 
overlay         chain
chain-uri       ldaps://Ip:636/
chain-idassert-bind     bindmethod=simple
                        binddn="cn=ldapappli1,ou=applis,o=eDirectory"
                        credentials=password
                        mode=self
......
 
then I can see on ldap Browser a subtree like : ou=users
 
When I want to see the ou subtree I must re-enter a login and
password, so I don't understand what is wrong
 
Nota:
I can bind all the directories 
 
thx
 
 


>>> "Pierangelo Masarati" <ando@sys-net.it> 01/12 11:20  >>>
> Hi,
>
> thanks, for the help.
>
> I have seen the example and tested it like this:
>
> overlay         chain
> chain-uri       ldaps://ip:636
> chain-idassert-bind     bindmethod=simple
>                         binddn="cn=Manager,o=Managers,dc=monAnnuaire,dc=fr"
>                         credentials=secret
>                         mode=self
>
> the server starts (I use an OpenLDAP 2.3.13 for the moment) but I don't
> see any subtree relative to the chaining on ldap Browser (my client
> for the moment).

If you ran test032 and it succeeded, this means that chaining works.
At this point you should go step by step and check if all the bricks
are in place or you made any errors in setting the system up.

1) "I don't see any subtree relative to the chaining on ldap Browser"
is not very useful information to trace the problem; can you produce
logs at a reasonable level ("stats") of both the local and the remote
servers when you run a few queries?  Do the logs tell you anything
relevant about the reason chaining failed?

2) can you query ldaps://ip:636 directly using ldapsearch, simple bind
and the above identity (to clarify, does:

ldapsearch -x -H ldaps://ip:636 \
    -D "cn=Manager,o=Managers,dc=monAnnuaire,dc=fr" -w secret \
    -b "dc=monAnnuaire,dc=fr"

return anything?  Can you show the __exact__ message you get?  In case
you get an error, can you retry adding -d -1 and post the __exact__
output you get?)

3) in case (2) passes, can you post the entire content of your
slapd.conf(5) (you may omit comments, schema and other details; the
layout of the databases, overlays and so on should suffice; since
you're using ldaps, you should also include your TLS/SSL configuration
parameters).

4) did you try without TLS/SSL?  I'd suggest you first make sure
things work; then complete them with TLS details, which represent a
completely different issue.

> if I change the chain-uri like ldaps://ip:636/dc=monAnnuaire2,dc=fr
> it doesn't work.

If you just read slapo-chain(5) it'll point you to slapd-ldap(5) for
the "uri" directive; slapd-ldap(5) will tell you that the DN in the
URI is strictly prohibited.  I'd first try something smarter before
changing parameters randomly and against their documented usage.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it 
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it 
------------------------------------------
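
An added example, not part of the original thread or of OpenLDAP itself: a small Python check for the point made in the reply that the chain-uri value must not carry a DN, together with a helper that masks credentials= values before a slapd.conf is posted to a list as requested in step 3. The function names and the sample configuration are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample built from the two configurations quoted in the thread.
SAMPLE_CONF = '''overlay         chain
chain-uri       ldaps://ip:636/dc=monAnnuaire2,dc=fr
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Manager,o=Managers,dc=monAnnuaire,dc=fr"
                        credentials=secret
                        mode=self
'''

def logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace); skip comments/blanks."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1][1] += " " + raw.strip()
        else:
            out.append([lineno, raw.strip()])
    return out

def check_chain_uri(text):
    """Flag chain-uri values that carry anything beyond scheme://host[:port]/."""
    findings = []
    for lineno, line in logical_lines(text):
        parts = line.split(None, 1)
        if parts[0].lower() != "chain-uri" or len(parts) < 2:
            continue
        # A URI list is split only where a new ldap/ldaps/ldapi URI starts,
        # so commas inside a stray DN stay attached to their URI.
        for uri in re.split(r"[\s,]+(?=ldap[si]?://)", parts[1].strip('"')):
            u = urlsplit(uri)
            if u.path not in ("", "/") or u.query:
                findings.append((lineno, uri, "DN/search part not allowed in chain-uri"))
    return findings

def redact_for_posting(text):
    """Mask credentials= values before the file is pasted into a list post."""
    return re.sub(r'(?i)(\bcredentials=)("[^"]*"|\S+)', r"\1<redacted>", text)

if __name__ == "__main__":
    for finding in check_chain_uri(SAMPLE_CONF):
        print(finding)
    print(redact_for_posting(SAMPLE_CONF))
```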