
slapo-chain - can't get it working



I sent this two days ago, from an unsubscribed account, and it still hasn't shown
up... don't know if moderation is hampered, or if it just didn't make it through...

I have the basics covered - 1 master, 4 syncrepl slaves (going to 2-3 MM, 1-2
slaves).  This setup has been working quite well - supporting AIX, Linux user
data, Samba PDC/BDCs, and Kerberos (slapd 2.4.7, Debian Sid/unstable)

The only issue I have now is having to find the master to perform any updates.

I'd like to use slapo-chain so that update referrals are automatically handled,
especially since so little stuff supports referrals - even things that should.

There are a few examples here and there, and unfortunately, some of them
contradict others (probably written to different ldap levels).

As an example of my plight, here is the output of ldappasswd on a slave machine
(ldapmodify shows the same issue, but isn't as easy to show)

#
# on the slave, when trying a ldappasswd:
$ ldappasswd  -Ydigest-md5 -w<my passwd>
SASL/DIGEST-MD5 authentication started
SASL username: renegade
SASL SSF: 128
SASL data security layer installed.
Result: Referral (10)
Referral: ldap://ldap-master.cobpli.svl.ibm.com

#
# The following is the slave ldap trace, and there is *no* traffic to the master...
conn=0 op=1 BIND authcid="renegade@COBPLI.SVL.IBM.COM"
authzid="renegade@COBPLI.SVL.IBM.COM"
conn=0 op=1 BIND dn="uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com"
mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=0 op=1 RESULT tag=97 err=0 text=
conn=0 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=2 PASSMOD
conn=0 op=2 RESULT oid= err=10 text=

#
# The basics work:
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: renegade@COBPLI.SVL.IBM.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com

#
# Proxy authentication works:
$ ldapwhoami -Uproxy -Ydigest-md5 -w<passwd>  -Xu:cowboy
SASL/DIGEST-MD5 authentication started
SASL username: u:cowboy
SASL SSF: 128
SASL data security layer installed.
dn:uid=cowboy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com

#
# Here are the likely relevant ldap config sections (chain overlay, syncrepl, updateref):
#
overlay chain
chain-uri               "ldap://ldap-master.cobpli.svl.ibm.com/";
# Neither of these lines makes a difference
chain-rebind-as-user    TRUE
#chain-rebind-as-user   FALSE
# Here, I've tried simple/sasl, varied saslmech, etc...
chain-idassert-bind     bindmethod="simple"
                        saslmech=digest-md5
                        authz=proxyauthz
                        binddn="uid=proxy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com"
                        credentials="<passwd>"
                        mode=self
chain-idassert-authzFrom "*"

syncrepl rid=1
    provider=ldap://ldap-master.cobpli.svl.ibm.com/
    starttls=no
    binddn="cn=Replicator,ou=DSA,dc=cobpli,dc=svl,dc=ibm,dc=com"
    bindmethod=simple
    credentials=<passwd>
    searchbase="dc=cobpli,dc=svl,dc=ibm,dc=com"
    schemaChecking=off
    type=refreshAndPersist retry="10 10 300 +"
updateref ldap://ldap-master.cobpli.svl.ibm.com/
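As an added example (not part of the post above), here is a small Python check that walks a slave's slapd stats log like the trace quoted earlier and lists every write operation the slave answered with a referral (err=10) instead of forwarding it: if these keep appearing after enabling slapo-chain, the overlay is not intercepting the referral. The embedded trace reuses the lines from the post plus two constructed conn=1 lines; the function names are my own.

```python
import re

# Constructed sample trace: the slave's log lines quoted in the post, plus two
# constructed lines (conn=1) showing a plain MOD that also came back as a referral.
SAMPLE_TRACE = """\
conn=0 op=1 BIND authcid="renegade@COBPLI.SVL.IBM.COM" authzid="renegade@COBPLI.SVL.IBM.COM"
conn=0 op=1 BIND dn="uid=renegade,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=0 op=1 RESULT tag=97 err=0 text=
conn=0 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=2 PASSMOD
conn=0 op=2 RESULT oid= err=10 text=
conn=1 op=0 BIND dn="uid=cowboy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com" method=128
conn=1 op=1 MOD dn="uid=cowboy,ou=users,dc=cobpli,dc=svl,dc=ibm,dc=com"
conn=1 op=1 RESULT tag=103 err=10 text=
"""

# One slapd "stats" log line: conn=N op=M KIND [details]
LINE_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?: (?P<rest>.*))?$')
LDAP_REFERRAL = 10  # LDAP resultCode referral(10), what the slave returned above
WRITE_KINDS = {"ADD", "MOD", "MODRDN", "DEL", "PASSMOD"}  # ops a slave must chain

def parse_trace(text):
    """Group log lines by (conn, op); keep the op's kinds and its RESULT err code."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = ops.setdefault((int(m["conn"]), int(m["op"])), {"kinds": [], "err": None})
        if m["kind"] == "RESULT":
            em = re.search(r"\berr=(\d+)", m["rest"] or "")
            rec["err"] = int(em.group(1)) if em else None
        else:
            rec["kinds"].append(m["kind"])
    return ops

def unchained_writes(text):
    """Return (conn, op, kind) for every write op answered with a referral instead
    of being forwarded to the master, i.e. each case where slapo-chain did not act."""
    found = []
    for (conn, op), rec in sorted(parse_trace(text).items()):
        writes = [k for k in rec["kinds"] if k in WRITE_KINDS]
        if writes and rec["err"] == LDAP_REFERRAL:
            found.append((conn, op, writes[0]))
    return found

if __name__ == "__main__":
    for conn, op, kind in unchained_writes(SAMPLE_TRACE):
        print(f"conn={conn} op={op}: {kind} answered with referral (10), not chained")
```

Pipe a live slave log (loglevel stats) through the same function to confirm chaining: a correctly chained password modify should show the PASSMOD op finishing with err=0 on the slave while the master's own log records the forwarded write.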