[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7434) idassert-bind fails after restarting slapd



blance3459@hotmail.com wrote:
> Full_Name: Barry Lance
> Version: 2.4.28
> OS: Ubuntu 12.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (70.226.37.226)

It appears the submitter found an alternate solution, but just for future 
reference this issue was the same as ITS#7381, now fixed in git master.
>
> Two servers: Master (192.168.1.1) and Replica (192.168.1.2) both running slap
> 2.4.28 and ubuntu 12.04.  Replica is a replication partner of Master using
> syncrepl.  Replication is working fine.  When I attempt to add a chain overlay
> to Replica to send all writes over to the master, it works exactly as expected
> allowing both normal users and the rootdn to make appropriate changes.  However,
> once I either reboot the replica server or restart slapd, the chain overlay
> fails to allow any changes on the master.  Looking at syslog shows that before
> the reboot/restart the requesting users' dn is proxied over as expected.  After
> the restarting slapd or rebooting Replica, all changes are proxied anonymously
> (dn="").
>
> I am using simple binds at this point in the project, but it doesn't seems to
> matter if I proxy in the clear, ldaps, or TLS the result is the same.  All three
> methods can successfully negotiate a connection.  I've even tried switching
> between using the rootdn and a different user as the binddn in my overlay, but
> the result is still the same no matter what I use for the binddn.  When I look
> at my config, I notice that "chain-idassert-bind"  appears to be hashed or
> encrypted in thew config.  Is that normal?  Just seems really odd that my config
> would work immediately when added, but fail after the the daemon has been
> restarted.  Am I missing something really silly?  Hopefully, someone can assist
> me on this.  I've been driving myself crazy trying to figure out why this
> behavior is occurring.
>
> Disclaimer: I am using openldap as part of my capstone project for graduation.
> I'm not asking for anyone to do my "homework" for me, I'm just stuck on this one
> issue that I would love to resolve so I can move on to the Kerberos phase of my
> project (and maybe even study for an exam coming up in my algorithms class next
> week).
>
> Here is my overlay config using the rootDN and TLS (on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/";
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
>   binddn="cn=admin,dc=example,dc=net"
>   credentials=(secret)
>   mode=self
>   starttls=critical
>   tls_cacert=/etc/ssl/certs/cacert.pem
>   tls_reqcert=demand
>
> And without TLS (also on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/";
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
>   binddn="cn=admin,dc=example,dc=net"
>   credentials=(secret)
>   mode=self
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/