unable to query rootdn on slave via external auth
- To: openldap-technical@openldap.org
- Subject: unable to query rootdn on slave via external auth
- From: Adrian Bridgett <adrian@smop.co.uk>
- Date: Tue, 16 Jul 2013 18:12:53 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
This has been driving me up the wall and I wondered if someone could
point out the bit I'm missing - the desk is getting badly damaged by my
head bashing it :-)
On our master server I can query the rootdb no problem, but I can't do
this on the slaves - this applies whether I use external or ldaps
authentication. I've turned on access and search filter debugging and I
can't see any rejections. I'm trying to query contextCSN to ensure that
the slave is in sync. "slapcat" works, but seems an ugly hack. I can
query all the children - just not the root.
The config is the same (ish) on both - here's the slave:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: .......
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
structuralObjectClass: olcHdbConfig
entryUUID: 07f3fede-c201-1031-8b17-f3837148ab05
creatorsName: cn=config
createTimestamp: 20121113171221Z
olcSyncrepl: {0}rid=000 provider=ldap://ldap.example.com type=refreshandPersist interval=00:00:00:60 retry="60 10 300 +" timelimit=10 searchbase="dc=example,dc=com" binddn="cn=admin,dc=example,dc=com" bindmethod=simple credentials=..... starttls=critical tls_reqcert=demand attrs="*,+"
olcUpdateRef: ldap://ldap.example.com
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: objectClass eq
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: uid,uidNumber,gidNumber,memberOf,sudoUser,memberUid pres,eq
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
olcAccess: {1}to attrs=SambaLMPassword,SambaNTPassword by self write by dn="cn=freenas-auth,ou=services,dc=example,dc=com" read by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" manage by group.exact="cn=admins,ou=Group,dc=example,dc=com" manage by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * read
olcAccess: {4}to dn.base="dc=example,dc=com" by * read
On the slave:
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com -s base -Q
# extended LDIF
# search result
search: 2
result: 0 Success
# numResponses: 1
On the master:
ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com -s base
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: example
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
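Added example, not part of the post: a Python check for the goal stated above, comparing contextCSN between provider and consumer from ldapsearch LDIF output. The sample output is constructed, and a consumer answer with no suffix entry (the symptom shown on the slave) is reported separately from a genuine CSN lag, since the two need different fixes.

```python
"""Compare contextCSN from provider and consumer ldapsearch output (added example)."""
import base64
import re

# Constructed sample output, modelled on the post's
# 'ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com -s base' runs.
PROVIDER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20130716170000.123456Z#000000#000#000000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""
# The consumer's answer in the post: Success, but no entry returned at all.
CONSUMER_EMPTY_LDIF = """\
# search result
search: 2
result: 0 Success

# numResponses: 1
"""

def parse_ldif_entries(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts.
    Unfolds continuation lines (leading space) and decodes 'attr:: base64'."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):       # skip ldapsearch comment lines
            attr, sep, value = line.partition(":")
            if sep and attr not in ("search", "result"):   # result-code trailer, not an entry
                value = value.lstrip()
                if value.startswith(":"):    # 'attr:: <base64>' form
                    value = base64.b64decode(value[1:].strip()).decode("utf-8")
                current.setdefault(attr, []).append(value)
    return entries

def context_csns(entries):
    """Map serverID (third '#' field of a CSN) -> contextCSN value."""
    return {v.split("#")[2]: v for e in entries for v in e.get("contextCSN", [])}

def sync_status(provider_text, consumer_text):
    """'no-entry' when the consumer returned no suffix entry (the post's symptom),
    'in-sync', or 'behind:<serverIDs>' for CSNs that lag the provider."""
    consumer = parse_ldif_entries(consumer_text)
    if not any("dn" in e for e in consumer):
        return "no-entry"
    prov, cons = context_csns(parse_ldif_entries(provider_text)), context_csns(consumer)
    behind = sorted(sid for sid, csn in prov.items() if cons.get(sid, "") < csn)
    return "behind:" + ",".join(behind) if behind else "in-sync"
```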