[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Rép. : Re: Overlay Chain



> Hi,
>
> thanks, for the help.
>
> I have see the example and tested it like this:
>
> overlay         chain
> chain-uri       ldaps://ip:636
> chain-idassert-bind     bindmethod=simple
>
> binddn="cn=Manager,o=Managers,dc=monAnnuaire,dc=fr"
>                         credentials=secret
>                         mode=self
>
> the server start (i use an openLdap 2.3.13 for the moment) but I don't
> see any subtree relative to the chainning on ldap Browser  (my client
> for the moment).

If you ran test032 and it succeeded, this means that chaining works.  At
this point you should go step by step and check if all the bricks are in
place or you made any errors in setting the system up.

1) "I don't see any subtree relative to the chainning on ldap Browser" is
not very useful information to trace the problem; can you produce logs at
a reasonable level ("stats") of both the local and the remote servers when
you run a few queries?  Do the logs tell you anything relevant about the
reason chaining failed?

2) can you query ldaps://ip:636 directly using ldapsearch, simple bind and
the above identity (to clarify, does:

ldapsearch -x -H ldaps://ip:636 \
    -D "cn=Manager,o=Managers,dc=monAnnuaire,dc=fr" -w secret \
    -b "dc=monAnnuaire,dc=fr"

return anything?  Can you show the __exact__ message you get?  In case you
get an error, can you retry adding -d -1 and post the __exact output you
get?)

3) in case (2) passes, can you post the entire content of your
slapd.conf(5) (you may omit comments, schema and other details; the layout
of the databases, overlays and so should suffice; since you're using
ldaps, you should also include your TLS/SSL configuration parameters).

4) did you try without TLS/SSL?  I'd suggest you first make sure things
work; then complete them with TLS details, which represent a completely
different issue.

> if I change the chain-uri like ldaps://ip:636/dc=monAnnuaire2,dc=fr  it
> don't work.

If you just read slapo-chain(5) it'll point you to slapd-ldap(5) for the
"uri" directive; slapd-ldap(5) will tell you that the DN in the URI is
strictly prohibited.  I'd first try something smarter before changing
parameters randomly and against their documented usage.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------