
Re: Chaining not working



Jaap Winius wrote:
> Hi folks,
>
> While testing the current Debian squeeze version of OpenLDAP,
> v2.4.23-6, in a provider/consumer syncprov/syncrepl
> (refreshAndPersist) configuration, using a patch(1) written by
> Pierangelo, I have not been able to get chaining to work.
>
> The consumer, ldaps2, was configured with a referral(2) to the
> provider, ldaps1, as well as a chaining configuration(3). A couple of
> authzTo rules(4) were added to its entry in the DIT, which immediately
> replicated to the consumer, and the provider was configured with an
> olcAuthzPolicy directive for "to"(5). So far, so good.
>
> However, when using ldapmodify on the consumer to test that an entry
> in the DIT could actually be modified (the description attr of the
> consumer's entry) from there as a result, I got this response:
> ------------------------------------------------------------
> modifying entry "cn=ldaps2,dc=example,dc=com"
> ldap_modify: Referral (10)
> 	referrals:
> 		ldap://ldaps.example.com/cn=ldaps2,dc=example,dc=com
> ------------------------------------------------------------
>
> I know ldapmodify doesn't understand referrals; this is where chaining
> should have worked instead. So, I removed the referral from the
> consumer's configuration to see what would then happen with the same
> command:
> ------------------------------------------------------------
> modifying entry "cn=ldaps2,dc=example,dc=com"
> ldap_modify: Server is unwilling to perform (53)
> 	additional info: shadow context; no update referral
> ------------------------------------------------------------
>
> (shadow context?). In both cases, this shows up in the syslog as a result:
> ------------------------------------------------------------
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 ACCEPT from IP=127.0.1.1:43982 (IP=0.0.0.0:389)
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 RESULT tag=97 err=0 text=
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD dn="cn=ldaps2,dc=example,dc=com"
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD attr=description
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=2 UNBIND
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 closed
> ------------------------------------------------------------
>
> Have I made a mistake somewhere, or could this be another bug?

The chain overlay needs to be configured on the frontendDB in order to catch these update referrals.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
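As an added illustration of the reply above (this is not Howard's or the OpenLDAP project's own configuration, and it was not part of the thread): the cn=config LDIF below keeps the update referral on the consumer's shadow database, which is what turns "shadow context; no update referral" back into a referral, and then instantiates the chain overlay on the frontend database so slapd chases that referral on the client's behalf instead of handing it to ldapmodify. Identity assertion in mode=self makes the provider see the original bind DN, which is what the authzTo rules on the consumer's entry and olcAuthzPolicy "to" on the provider authorise. Hostnames follow the thread; the database index {1}hdb, the consumer's bind credentials, the TLS setting and the authzFrom restriction are assumptions.

```ldif
# Added example, not from the thread. Apply on the consumer (ldaps2) with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f chain.ldif
# {1}hdb, the credentials and the TLS/authzFrom lines are assumptions.

# 1. The shadow (syncrepl) database must still return an update referral.
#    Without olcUpdateRef slapd answers err=53 "shadow context; no update
#    referral" and there is nothing for the chain overlay to catch.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcUpdateRef
olcUpdateRef: ldap://ldaps1.example.com

# 2. The chain overlay goes on the frontend database ({-1}frontend), not on
#    the shadow database, so it sees the referral the shadow database
#    returns. chain-return-error reports the provider's actual result to
#    the client instead of falling back to the original referral; a depth
#    of 1 stops a misconfigured provider from bouncing us around.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

# 3. One chained "ldap" database per target. mode=self binds with the
#    consumer's own identity (the entry that carries the authzTo rules)
#    and asserts the client's DN through proxyAuthz. prescriptive and
#    proxy-authz-critical make the operation fail rather than silently
#    run as the consumer itself if the provider refuses the assertion.
#    idassert-authzFrom limits which local identities may be asserted
#    at all (assumed: only cn=admin, adjust to your real writers).
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://ldaps1.example.com"
olcDbStartTLS: start
olcDbIDAssertBind: mode=self
  flags=prescriptive,proxy-authz-critical
  bindmethod=simple
  binddn="cn=ldaps2,dc=example,dc=com"
  credentials="secret"
olcDbIDAssertAuthzFrom: "dn.exact:cn=admin,dc=example,dc=com"
olcDbRebindAsUser: FALSE
```

Two checks are worth doing once this is loaded. Rerun the same ldapmodify against the consumer: a working chain answers with err=0 and the consumer's log shows the MOD completing rather than a referral or err=53. Then look at the provider's log for the same operation: the BIND there should be the consumer's DN (cn=ldaps2) and the MOD should carry the asserted identity of cn=admin; if the provider instead logs the modification under cn=ldaps2 alone, the proxyAuthz assertion is not being honoured and the authzTo/olcAuthzPolicy side needs another look. Because the consumer now holds a password for a provider-side identity with authzTo rights, keep that credential out of world-readable LDIFs and keep the chain link on TLS (the olcDbStartTLS line above) rather than the plain ldap:// the thread's referral used.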