[Date Prev][Date Next] [Chronological] [Thread] [Top]
syncrepl+chain+ldappasswd

To: openldap-software@OpenLDAP.org
Subject: syncrepl+chain+ldappasswd
From: Olle.Westman@astrazeneca.com
Date: Thu, 15 Dec 2005 14:04:10 +0100
Hi Folks,

I'm having a little trouble making a syncrepl slapd slave follow referrals.
When I run ldappasswd against the provider the password gets changed and
propagated to the slave. However when I run ldappasswd against the slave, I
only get a referral back even though I have chain overlay specified.

With the "LDAP Browser/Editor" client it's possible to change the password
on the slave, so it appears ldappasswd doesn't follow referrals, but simply
returns them even though chain overlay is specified. Am I omitting something
essential?

Here's the slave slapd.conf: (openldap 2.3.11/RHEL4U2 compiled with
--enable-slapd --enable-overlays --enable-backends --enable-crypt)

Any ideas why the referrals arent chased by the slave slapd?

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/mailrecipient.schema
include         /usr/local/etc/openldap/schema/samba.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile      /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/server.pem
TLSCACertificateFile    /usr/local/etc/openldap/server.pem

# Logging
loglevel 2
threads 128
idletimeout 300
sizelimit unlimited


#######################################################################
# BDB database definitions
#######################################################################

database        bdb
cachesize       100000

# one 0.25 GB cache
#dbconfig set_cachesize 0 268435456 1

# Data Directory
#set_data_dir db

# Transaction Log settings
#dbconfig set_lg_regionmax 262144
#dbconfig set_lg_bsize 2097152
#set_lg_dir logs

# When using (and only when using) slapadd(8) or slapindex(8),
# the following flags may be useful:
#dbconfig set_flags DB_TXN_NOSYNC
#set_flags DB_TXN_NOT_DURABLE





suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

#password-hash   {MD5}

overlay chain
chain-uri ldap://master.example.com:389
#chain-idassert-method    "simple"
chain-idassert-authcDN   "cn=Manager,dc=example,dc=com"
chain-idassert-passwd    "secret"
chain-idassert-mode "self"



syncrepl        rid=123
                provider=ldap://master.example.com
                type=refreshAndPersist
                retry=10,+
                searchbase="dc=example,dc=com"
                filter="(objectClass=*)"
                scope=sub
                attrs="*"
                schemachecking=off
                bindmethod=simple
                binddn="cn=Manager,dc=example,dc=com"
                credentials=secret
                updatedn="cn=Manager,dc=example,dc=com"


updateref ldap://master.example.com:389
#referral ldap://master.example.com
Prev by Date: Re: Syncrepl and user event
Next by Date: Re: syncrepl+chain+ldappasswd
Index(es):
- Chronological
- Thread