
Re: chain-overlay question



Quoting Pierangelo Masarati <ando@sys-net.it>:
Markus Krause wrote:
Quoting Pierangelo Masarati <ando@sys-net.it>:
Markus Krause wrote:
Hi list!

I have several consumers and one provider (let's call them ldapconX and
ldapprov). syncrepl works fine, but I actually do not want any clients
to contact the provider directly (and I have in addition some clients
which would not understand referrals anyway), so reading through the
admin guide and man pages I thought slapo-chain would be the solution!
(correct me if I am wrong ;-))
But somehow I cannot get it working...

The slapd.conf of the provider is untouched; the consumers have
(simplified in some places; please tell me if you need it in more
detail):

slapo-chain must be global (i.e. before any database) since referrals are returned by the frontend, as soon as it discovers that the database that is candidate for a modification is shadow. See example in consumer slapd.conf in test018.
Thanks for your answer!
I assume you are referring to slapd-chain1.conf, as in slapd-chain2.conf

No. I'm referring to slapd.4.conf as generated by the test018 script.
Ah ok, sorry for that. I could not find it at first, had to stop "make test" at test018 to get it ... now I used it (and slapd.1.conf) as template for my config.

the overlay chain is after the database definition (which I used after
the success following your hint in my ACL problem thread).

In that case, the test was testing slapo-chain behavior when used to chain databases, not to chase referrals originating by writing to a shadow. That requires replication, and that's why it's in test018.

But I am still doing something wrong... just to be sure I ran all tests
again (make test), which all finished OK.

Now my slapd.conf looks like:
--- slapd.conf (simplified)
...
acl
overlay chain
chain-rebind-as-user    FALSE
chain-uri       "ldaps://ldapprov"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="secret"
                        mode="self"
                        flags=non-prescriptive
database bdb
...
overlay smbk5pwd
syncrepl ....
updateref ldaps://ldapprov

Please move the updateref and the syncrepl lines __before__ overlay-related lines.
I am really sorry about still bothering you with my problems, but I still have no success... :-(
My slapd.conf now looks like this (now in more detail, just cleaned up):
--- slapd.conf
...
modulepath /usr/lib/openldap/modules
moduleload smbk5pwd.so
sizelimit unlimited
acl ...
TLSstuff ...
#### chain overlay definition
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapprov"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
binddn="cn=manager,o=test"
credentials="secret"
mode="self"


database bdb
suffix "o=test"
directory /var/lib/ldap/
rootdn "cn=manager,o=test"
rootpw "secret"
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index entryCSN,entryUUID eq
index dhcpHWAddress eq,pres
index relativeDomainName eq,pres
index ipHostNumber eq,pres
index zoneName eq,pres
index radiusGroupName eq,pres

syncrepl rid=13
        provider=ldaps://ldapprov
        type=refreshAndPersist
        retry=1,5,5,6,30,+
        interval=00:00:00:30
        searchbase="o=test"
        filter="(objectclass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        binddn="cn=manager,o=test"
        bindmethod=simple
        credentials="secret"
        sizelimit=unlimited
updateref ldaps://ldapprov

overlay syncprov
overlay smbk5pwd
smbk5pwd-enable samba
--- end of slapd.conf

The strace backlog says:
I'd stick with slapd logs.
OK.

Is the "updateref" line needed? But it crashes the server with my config?!

Please rearrange the configuration as instructed and retry. In general, never intermix database and overlay directives. Order matters (as it always did; but now violations are no longer harmless).
I hope I understood which order the entries should have ... (see above)

But the last lines before the consumer dies after running "ldappasswd ..." show:
--- slapd -d 65535 output
...
=> bdb_dn2id("uid=user,o=test")
<= bdb_dn2id: got id=0x0000337f
entry_decode: "uid=user,o=test"
<= entry_decode(uid=user,o=test)
ldap_url_parse_ext(ldaps://ldapprov)
send_ldap_extended: err=10 oid= len=0
ldap_url_parse_ext(ldaps://ldapprov)
Segmentation fault
--- end of slapd -d 65535 output


Interesting (at least for me) is that if I provide the wrong LDAP password to "ldappasswd", the output of "ldappasswd" is:
---
ldappasswd -x -h localhost <...>
New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
---
and the consumer stays alive... Does this mean there is something wrong with the provider config? Just to be sure, the slapd.conf:
---- slapd.conf of provider
include ...
modulepath /usr/lib/openldap/modules
moduleload smbk5pwd.so
sizelimit unlimited
acls ...
TLSStuff
database bdb
suffix "o=test"
directory /var/lib/ldap/
rootdn "cn=manager,o=test"
rootpw "secret"
index ...


overlay syncprov
overlay smbk5pwd
smbk5pwd-enable samba
---

But the provider debug output seems to be OK; it just says:
--- slapd -d 65535 of provider
ber_get_next on fd 16 failed errno=0 (Success)
connection_read(16): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=16 for close
connection_close: conn=2 sd=16
daemon: removing 16
tls_write: want=37, written=37
  0000:  15 03 01 00 20 ff da 2f  93 ad 2b 27 df b9 2c f5   .... ../..+'..,.
  0010:  3f 57 27 a2 12 f8 35 d4  76 3e 35 a1 04 78 e3 9b   ?W'...5.v>5..x..
  0020:  bd d0 6f fc 29                                     ..o.)
TLS trace: SSL3 alert write:warning:close notify
conn=2 fd=16 closed (connection lost)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
---

It seems I am still configuring something completely wrong (or am misunderstanding some basic concepts ...).
Where is my mistake??


Thanks in advance for your help and patience!

with best regards
   markus


Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: krause@biochem.mpg.de | markus.krause@mac.com
Tel.: 089 - 89 40 85 99 | Fax.: 089 - 89 40 85 98
Skype: markus.krause | iChat: markus.krause@mac.com
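As an added example (not from the thread or from OpenLDAP itself), the two ordering rules Pierangelo gives above can be turned into a quick lint of a slapd.conf before restarting a consumer: "overlay chain" must be global (before any "database" line), and database directives such as syncrepl and updateref must precede any overlay line within the same database. The config fragment below is a constructed, simplified version of the consumer config posted in the thread, with the credentials omitted; the function names are my own.

```python
# Constructed slapd.conf fragment modelled on the consumer config from the thread,
# deliberately with syncrepl/updateref placed after "overlay syncprov".
CONSUMER_CONF = """\
modulepath /usr/lib/openldap/modules
moduleload smbk5pwd.so
overlay chain
chain-uri "ldaps://ldapprov"
chain-rebind-as-user TRUE
database bdb
suffix "o=test"
rootdn "cn=manager,o=test"
overlay syncprov
syncrepl rid=13
        provider=ldaps://ldapprov
        type=refreshAndPersist
updateref ldaps://ldapprov
overlay smbk5pwd
"""

# Database-level directives that must not follow an overlay line of the same database.
DB_DIRECTIVES = {"syncrepl", "updateref", "suffix", "rootdn", "rootpw", "directory", "index"}


def check_order(conf):
    """Return a list of ordering problems found in a slapd.conf text."""
    problems = []
    in_database = False      # True once the first "database" directive is seen
    overlay_seen = False     # True once an overlay line appeared in the current database
    current_db = None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            continue  # continuation line of the previous directive (e.g. syncrepl args)
        parts = raw.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if directive == "database":
            in_database, overlay_seen, current_db = True, False, arg
        elif directive == "overlay":
            if in_database and arg.split()[0].lower() == "chain":
                problems.append(f"line {lineno}: 'overlay chain' inside 'database {current_db}'; "
                                "it must be global (before any database)")
            if in_database:
                overlay_seen = True
        elif directive in DB_DIRECTIVES and in_database and overlay_seen:
            problems.append(f"line {lineno}: '{directive}' after an overlay in 'database {current_db}'; "
                            "move it before the overlay lines")
    return problems
```

Running check_order(CONSUMER_CONF) flags the syncrepl and updateref lines; a config that keeps "overlay chain" global and puts syncrepl/updateref before "overlay syncprov" returns an empty list.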
