
(ITS#7434) idassert-bind fails after restarting slapd



Full_Name: Barry Lance
Version: 2.4.28
OS: Ubuntu 12.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (70.226.37.226)


Two servers: Master (192.168.1.1) and Replica (192.168.1.2) both running slapd
2.4.28 and Ubuntu 12.04.  Replica is a replication partner of Master using
syncrepl.  Replication is working fine.  When I attempt to add a chain overlay
to Replica to send all writes over to the master, it works exactly as expected,
allowing both normal users and the rootdn to make appropriate changes.  However,
once I either reboot the replica server or restart slapd, the chain overlay
fails to allow any changes on the master.  Looking at syslog shows that before
the reboot/restart the requesting users' dn is proxied over as expected.  After
restarting slapd or rebooting Replica, all changes are proxied anonymously
(dn="").

I am using simple binds at this point in the project, but it doesn't seem to
matter if I proxy in the clear, over ldaps, or with TLS; the result is the same.  All three
methods can successfully negotiate a connection.  I've even tried switching
between using the rootdn and a different user as the binddn in my overlay, but
the result is still the same no matter what I use for the binddn.  When I look
at my config, I notice that "chain-idassert-bind" appears to be hashed or
encrypted in the config.  Is that normal?  It just seems really odd that my config
would work immediately when added, but fail after the daemon has been
restarted.  Am I missing something really silly?  Hopefully, someone can assist
me on this.  I've been driving myself crazy trying to figure out why this
behavior is occurring.

Disclaimer: I am using openldap as part of my capstone project for graduation. 
I'm not asking for anyone to do my "homework" for me, I'm just stuck on this one
issue that I would love to resolve so I can move on to the Kerberos phase of my
project (and maybe even study for an exam coming up in my algorithms class next
week).  

Here is my overlay config using the rootDN and TLS (on Replica):

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net/"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple
 binddn="cn=admin,dc=example,dc=net"
 credentials=(secret)
 mode=self
 starttls=critical
 tls_cacert=/etc/ssl/certs/cacert.pem
 tls_reqcert=demand

And without TLS (also on Replica):

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.net/"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple
 binddn="cn=admin,dc=example,dc=net"
 credentials=(secret)
 mode=self
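One way to spot the symptom described in this report on the master, as an added example that is not part of the original submission: a small Python scan of slapd's stats log that flags write operations whose effective identity is anonymous, i.e. arriving with dn="" and no proxyAuthz assertion from the chaining replica. The log lines embedded below are constructed for illustration; only the generic slapd stats-log line format is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed slapd stats-log excerpt as seen on the master (invented for this
# example, not taken from the report).  conn=1001 is the healthy case: the chain
# binds as cn=admin and asserts the real user via proxyAuthz.  conn=1002 is the
# reported failure: the replica reconnects anonymously, so the MOD has no identity.
SAMPLE_LOG = """\
conn=1001 fd=14 ACCEPT from IP=192.168.1.2:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 PROXYAUTHZ dn="uid=barry,ou=people,dc=example,dc=net"
conn=1001 op=1 MOD dn="uid=barry,ou=people,dc=example,dc=net"
conn=1001 op=1 RESULT tag=103 err=0 text=
conn=1002 fd=15 ACCEPT from IP=192.168.1.2:51240 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 MOD dn="uid=barry,ou=people,dc=example,dc=net"
conn=1002 op=1 RESULT tag=103 err=50 text=
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
AUTHZ = re.compile(r'conn=(\d+) op=(\d+) PROXYAUTHZ dn="([^"]*)"')
WRITE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|MODRDN|DEL) dn="([^"]*)"')


def find_anonymous_writes(log_text: str) -> List[Dict[str, str]]:
    """Return write ops whose effective identity is anonymous (dn="").

    The effective identity is the proxyAuthz DN asserted for that op, if any,
    else the connection's bind DN.  Binds are assumed to succeed; a stricter
    version would also wait for the matching RESULT err=0 line.
    """
    peer: Dict[str, str] = {}                  # conn -> client IP
    bound: Dict[str, str] = {}                 # conn -> current bind DN
    asserted: Dict[Tuple[str, str], str] = {}  # (conn, op) -> proxyAuthz DN
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peer[m[1]], bound[m[1]] = m[2], ""   # a fresh connection is anonymous
        elif m := BIND.search(line):
            bound[m[1]] = m[2]
        elif m := AUTHZ.search(line):
            asserted[(m[1], m[2])] = m[3]
        elif m := WRITE.search(line):
            conn, op, kind, target = m.groups()
            if asserted.get((conn, op), bound.get(conn, "")) == "":
                findings.append({"conn": conn, "op": op, "type": kind,
                                 "target": target, "peer": peer.get(conn, "?")})
    return findings
```

Run against the master's syslog, a hit from the replica's IP after a slapd restart is the "dn=\"\"" behaviour the report describes; a correctly working chain shows a PROXYAUTHZ line for every forwarded write instead.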