
Re: database meta question



On 8/25/07, Pierangelo Masarati <ando@sys-net.it> wrote:
> D'Arcy Smith wrote:

> > I am having a terrible time trying to get the meta backend to work
> > with my setup.  If I do not have meta, things work as expected.  As
> > soon as I add the meta backend, things go south.

> What version of OpenLDAP are you using?

2.3.35


> ^^^ extra cruft after "#" (included) is invalid, as clearly indicated in
> slapd.conf(5).  This is treated as an error in OpenLDAP 2.4 (finally!)

Good, I like it when errors are treated as errors!

After some more searching around I now have this:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema

password-hash {ssha}

pidfile       /var/run/openldap/slapd.pid
argsfile      /var/run/openldap/slapd.args

modulepath    /usr/lib64/openldap/openldap
moduleload    back_null.so
moduleload    back_meta.so

database      ldap
suffix        "o=aaa.yyy.zzz,o=bcit"
uri           ldap://aaa.yyy.zzz:389

idassert-authzFrom "dn:*"
idassert-bind      bindmethod=simple
 binddn="uid=******,ou=people,o=aaa.yyy.zzz,o=yyy"
 credentials="******"
 mode=none

database          bdb
suffix            "o=bbb.yyy.zzz,o=bcit"
rootdn            "cn=Manager,o=bbb.yyy.zzz,o=yyy"
rootpw            {SSHA}******
checkpoint        32 30
directory         /var/lib/openldap-data
index objectClass eq

database      meta
suffix        "dc=yyy,dc=zzz"
uri           ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
uri           ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"

What I am after is having it so that users that exist in the
"aaa.yyy.zzz" LDAP server (that I have no control over) can
authenticate, users in the "bbb.yyy.zzz" LDAP server (that I do
control) can authenticate, and that the groups in the "bbb.yyy.zzz",
which contain users from both "aaa" and "bbb" are able to
authenticate.  Authenticate right now means can access apache via
authnzldap.

Running "/usr/lib64/openldap/slapd -d -{any level}" doesn't seem to
issue any objections, and my testing works (users from both "aaa" and
"bbb" can log in, either by user or by group).

If I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
-d {any level}" I get:

   WARNING: No dynamic config support for database meta.
   WARNING: The converted cn=config directory is incomplete and may not work.
   config file testing succeeded

I cannot spot any errors that it is giving me in the config.

Then running "/usr/lib64/openldap/slapd -d -{any level}" doesn't work
(it does work if I delete the files in the /etc/openldap/slapd.d
directory).

For example (with -d 64):

@(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
        root@foo:/var/tmp/portage/net-nds/openldap-2.3.35-r1/work/openldap-2.3.35/servers/slapd
loaded module back_null.so
module back_null.so: null module registered
loaded module back_meta.so
module back_meta.so: null module registered
index objectClass 0x0004
meta_back_db_open: no targets defined
backend_startup_one: bi_db_open failed! (1)
slapd stopped.
connections_destroy: nothing to destroy.

Any thoughts?

Thanks,

..darcy
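As an added illustration (not code from the thread or from the OpenLDAP project), the following Python checker groups slapd.conf directives into database stanzas, joins continuation lines and drops only whole-line "#" comments as slapd.conf(5) specifies, and reports the conditions discussed above: a back-meta database with no "uri" targets (the cause of "meta_back_db_open: no targets defined"), suffixmassage lines without a matching uri, and credentials embedded in the file. The sample config is constructed and anonymised in the same way as the one posted; the function names are my own.

```python
import re

# Constructed sample (anonymised like the thread's): an ldap stanza with a
# continuation-line idassert-bind, then a meta stanza with no targets.
SAMPLE = """\
include /etc/openldap/schema/core.schema
database      ldap
suffix        "o=aaa.yyy.zzz,o=bcit"
uri           ldap://aaa.yyy.zzz:389
idassert-bind      bindmethod=simple
 binddn="uid=svc,ou=people,o=aaa.yyy.zzz,o=yyy"
 credentials="secret"
 mode=none
database      meta
suffix        "dc=yyy,dc=zzz"
# no uri lines: slapd fails with "meta_back_db_open: no targets defined"
"""

def parse_databases(text):
    """Return [(backend, [(directive, args), ...])] for each database stanza.
    Lines starting with whitespace continue the previous line; only lines
    whose first character is '#' are comments (a '#' mid-line is not)."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    stanzas, current = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "database":
            current = (args.lower(), [])
            stanzas.append(current)
        elif current is not None:  # global directives before any database are skipped
            current[1].append((directive, args))
    return stanzas

def check_config(text):
    """Return findings worth fixing before starting slapd from this file."""
    findings = []
    for backend, directives in parse_databases(text):
        names = [d for d, _ in directives]
        if backend == "meta":
            uris = names.count("uri")
            if uris == 0:
                findings.append("meta: no targets defined (no 'uri' directive)")
            if names.count("suffixmassage") > uris:
                findings.append("meta: more suffixmassage lines than uri lines")
        for directive, args in directives:
            if directive == "rootpw" and not args.startswith("{"):
                findings.append(f"{backend}: rootpw is stored in cleartext")
            if directive == "idassert-bind" and "credentials=" in args:
                findings.append(f"{backend}: idassert-bind embeds a credential; restrict slapd.conf permissions")
    return findings
```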