[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [Rivendell] idassert-bind not working as expected?

To: Federico Grau <grauf@rfa.org>
Subject: Re: [Rivendell] idassert-bind not working as expected?
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 17 May 2007 21:32:15 +0200
Cc: openldap-software@openldap.org, rivendell@rfa.org
In-reply-to: <20070517191139.GK24872@rfa.org>
References: <20070516203424.GO1539@rfa.org> <464C9193.3080206@sys-net.it> <20070517191139.GK24872@rfa.org>
User-agent: Mail/News 1.5.0.8 (X11/20061210)

Federico Grau wrote:
> Hello Pierangelo,
> 
> First, thank you for the response.  I will re-test with the current stable
> release (2.3.32).  

After reading the CHANGES in re23, you should rather use 2.3.35.

> FYI, we chose the slapd-meta backend to allow for redundancy and work with
> multiple remote servers (I had read in the man page "the ldap backend is
> intended to proxy operations directed to a single server").

If by "redundancy" you mean that in case of failure of a server another
one will be contacted, then it has nothing to do with the difference
between back-meta and back-ldap.  The way both handle lists of multiple
servers in case of failure is identical.  Back-meta assumes that the
servers related to each "uri" statement contain different data.  So

database ldap
uri "ldap://ldap.example.com ldap://backup.example.com";

is redundancy (sort of);

database meta
uri "ldap://ldap.example.com/<suffix>	ldap://backup.example.com";

is exactly the same level of redundancy (sort of);

database meta
uri "ldap://ldap.example.com/<suffix>"
uri "ldap://backup.example.com/<suffix>"

is a configuration error...

> Would you have a sample configuration file for the working situtation?  I
> never see a "simple authentication" bind go out from the OpenLDAP meta server,
> so something is definitely wrong on that end (either configuration or bug).

I tested:

database       ldap
suffix          "ou=windows,dc=rfa,dc=org"
uri            "ldap://:9011/";
overlay                rwm
rwm-suffixmassage      "ou=windows,dc=rfa,dc=org"
                       "ou=People,dc=example,dc=com"

idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="cn=Manager,dc=example,dc=com"
                credentials="secret"
                mode=none

database        meta
suffix          "ou=windows,dc=rfa,dc=org"
uri             "ldap://:9011/ou=windows,dc=rfa,dc=org";
suffixmassage   "ou=windows,dc=rfa,dc=org" "ou=People,dc=example,dc=com"

idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="cn=Manager,dc=example,dc=com"
                credentials="secret"
                mode=none

where, of course, in both cases ldap://:9011 was pointing to another
instance of slapd running on port 9011 as resulting from running
test003.  To make sure authentication was progressing, I modified the
configuration of that slapd with a simple

access to * by * auth

so that the only way data could be read was after successfully binding
as the rootdn of the remote server, as configured in both idassert-bind.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

References:
- [Rivendell] idassert-bind not working as expected?
  - From: Federico Grau <grauf@rfa.org>
- Re: [Rivendell] idassert-bind not working as expected?
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: [Rivendell] idassert-bind not working as expected?
  - From: Federico Grau <grauf@rfa.org>

Prev by Date: Re: [Rivendell] idassert-bind not working as expected?
Next by Date: Problem with adding country attribute
Index(es):
- Chronological
- Thread