
Re: chain-overlay question



Markus Krause wrote:
> Zitat von Pierangelo Masarati <ando@sys-net.it>:
> 
>> Markus Krause wrote:
>>> Hi list!
>>>
>>> i have several consumers and one provider (let's call them ldapconX and
>>> ldapprov). syncrepl works fine, but i actually do not want any clients
>>> to contact the provider directly (and i have in addition some clients
>>> which would not understand referrals anyway), so reading through the
>>> admin guide and man pages i thought slapo-chain would be the solution!
>>> (correct me if i am wrong ;-))
>>> But somehow i can not get it working...
>>>
>>> the slapd.conf of the provider is untouched, the consumers have
>>> (simplified in some places; please tell me if you need it in more
>>> detail):
>>
>>
>> slapo-chain must be global (i.e. before any database) since referrals
>> are returned by the frontend, as soon as it discovers that the database
>> that is candidate for a modification is shadow.  See example in consumer
>>  slapd.conf in test018.
> thanks for your answer!
> i assume you are referring to slapd-chain1.conf, as in slapd-chain2.conf

No.  I'm referring to slapd.4.conf as generated by the test018 script.

> the overlay chain is after the database definition (which i used after
> the success following your hint in my acl problem thread).

In that case, the test was testing slapo-chain behavior when used to
chain databases, not to chase referrals originating by writing to a
shadow.  That requires replication, and that's why it's in test018.

> but i am still doing something wrong... just to be sure i ran all tests
> again (make test) which all were finished ok.
> 
> now my slapd.conf is like:
> --- slapd.conf (simplified)
> ...
> acl
> overlay chain
> chain-rebind-as-user    FALSE
> chain-uri       "ldaps://ldapprov"
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=manager,o=test"
>                         credentials="secret"
>                         mode="self"
>                         flags=non-prescriptive
> database bdb
> ...
> overlay smbk5pwd
> syncrepl ....
> updateref ldaps://ldapprov

Please move the updateref and the syncrepl lines __before__ overlay
related lines.


> ---- end of slapd.conf
> 
> using "ldappasswd -x <...>" i get:
>   Re-enter new password:
>   Enter LDAP Password:
>   ldappasswd: ldap_result: Can't contact LDAP server (-1)
> 
> and the ldap consumer segfaults.
> last messages from slapd -d 65535 was:
> --- slapd -d 65535
> ....
> conn=0 op=1 PASSMOD id="uid=testuser,ou=people,o=test" new
>>>> dnPrettyNormal: <uid=testuser,ou=people,o=test>
> => ldap_bv2dn(uid=testuser,ou=people,o=test,0)
> <= ldap_bv2dn(uid=testuser,ou=people,o=test)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=testuser,ou=people,o=test)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=testuser,ou=people,o=test)=0
> <<< dnPrettyNormal: <uid=testuser,ou=people,o=test>,
> <uid=testuser,ou=people,o=test>
> bdb_dn2entry("uid=testuser,ou=people,o=test")
> => bdb_dn2id("uid=testuser,ou=people,o=test")
> <= bdb_dn2id: got id=0x0000284c
> => bdb_dn2id("uid=testuser,ou=people,o=test")
> <= bdb_dn2id: got id=0x00002861
> => bdb_dn2id("uid=testuser,ou=people,o=test")
> <= bdb_dn2id: got id=0x0000337f
> entry_decode: "uid=testuser,ou=people,o=test"
> <= entry_decode(uid=uid=testuser,ou=people,o=test)
> ldap_url_parse_ext(ldaps://ldapprov)
> send_ldap_extended: err=10 oid= len=0
> ldap_url_parse_ext(ldaps://ldapprov)
> ----
> 
> the strace backlog says:

I'd stick with slapd logs.

> what i find odd is the error "stat64("/var/lib/ldap/__db.004",
> 0xbfd23b2c) = -1 ENOENT (No such file or directory)" (just at the
> beginning of the post) because the file actually is there and accessible:
> 
> [host]: ls -l /var/lib/ldap/__db.004
> -rw------- 1 ldap ldap 450560 May 12 22:45 /var/lib/ldap/__db.004
> 
> now if i change the settings in slapd.conf on the consumer and remove
> the line "updateref"

That's needed by replication.

> (as in slapd-chain1.conf is no such line)

You're looking at the wrong file, not at the one you were pointed to.

> the
> server (consumer) stays alive but on running "ldappasswd -x <...>" i get:
> ----
> ldappasswd -x <...>
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Server is unwilling to perform (53)
> Additional info: shadow context; no update referral

As expected.

> ----
> 
> is the line "updateref" needed? but it crashes the server with my config?!

Please rearrange the configuration as instructed and retry.  In general,
never intermix database and overlay directives.  Order matters (as it
always did; but now violations are no longer harmless).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
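As an added illustration (not part of the thread, and not a file from the OpenLDAP test suite), this is how the consumer's slapd.conf from the question looks once rearranged the way the reply above instructs: slapo-chain instantiated globally before any database, and the syncrepl and updateref directives placed before the database-level overlay. Paths, the rid, the replicator DN and the credential placeholders are assumptions; the suffix, DNs, URIs and chain options are the ones posted in the thread.

```conf
# Global section: frontend-level directives and global overlays come first.
# (paths below are assumed, not taken from the thread)
include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# slapo-chain must be global (before any "database" line): the frontend
# returns the referral as soon as it sees the target database is a shadow,
# so only a global instance can chase it to the provider.
overlay chain
chain-uri               "ldaps://ldapprov"
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="PLACEHOLDER-manager-password"
                        mode="self"
                        flags=non-prescriptive
# one per-URI setting only, stated after the chain-uri it applies to
chain-rebind-as-user    TRUE

# ... access directives (ACLs) as in the original config ...

# The shadow (consumer) database: database directives first ...
database        bdb
suffix          "o=test"
rootdn          "cn=manager,o=test"
directory       /var/lib/ldap

syncrepl        rid=1
                provider=ldaps://ldapprov
                type=refreshAndPersist
                retry="60 +"
                searchbase="o=test"
                bindmethod=simple
                binddn="cn=replicator,o=test"
                credentials="PLACEHOLDER-replicator-password"
# updateref stays: without it the shadow answers
# "shadow context; no update referral" (err 53) instead of referring.
updateref       ldaps://ldapprov

# ... and only then the database-level overlays, never intermixed with
# the database directives above.
overlay         smbk5pwd
```

Keep the credentials out of world-readable files and restrict who may bind as the idassert identity, since every chained write reaches the provider with that DN.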