[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: database meta question

On 8/25/07, Pierangelo Masarati <ando@sys-net.it> wrote:
> D'Arcy Smith wrote:

> > I am having a terrible time trying to get the meta backend to work
> > with my setup.  If I do not have meta things work as expected.  As
> > soon as I add the meta backend thing go south.

> What version of OpenLDAP are you using?


> ^^^ extra cruft after "#" (included) is invalid, as clearly indicated in
> slapd.conf(5).  This is treated as an error in OpenLDAP 2.4 (finally!)

Good I like it when errors are treated as errors!

after some more searching around I now have this:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema

password-hash {ssha}

pidfile       /var/run/openldap/slapd.pid
argsfile      /var/run/openldap/slapd.args

modulepath    /usr/lib64/openldap/openldap
moduleload    back_null.so
moduleload    back_meta.so

database      ldap
suffix        "o=aaa.yyy.zzz,o=bcit"
uri           ldap://aaa.yyy.zzz:389

idassert-authzFrom "dn:*"
idassert-bind      bindmethod=simple

database          bdb
suffix            "o=bbb.yyy.zzz,o=bcit"
rootdn            "cn=Manager,o=bbb.yyy.zzz,o=yyy"
rootpw            {SSHA}******
checkpoint        32 30
directory         /var/lib/openldap-data
index objectClass eq

database      meta
suffix        "dc=yyy,dc=zzz"
uri           ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
uri           ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"

What I am after is having it so that users that exist in the
"aaa.yyy.zzz" LDAP server (that I have no control over) can
authenticate, users in the "bbb.yyy.zzz" LDAP server (that I do
control) can authenticate, and that the groups in the "bbb.yyy.zzz",
which contain users from both "aaa" and "bbb" are able to
authenticate.  Authenticate right now means can access apache via

Running "/usr/lib64/openldap/slapd -d -{any level}" doesn't seem to
issue any objections, and my testing works (users from both "aaa" and
"bbb" can login either as a by user or group).

If I run "slaptest -f /etc/openldap/slapd.conf -F
/etc/openldap/slapd.d" -d {any level} I get:

   WARNING: No dynamic config support for database meta.
   WARNING: The converted cn=config directory is incomplete and may not work.
   config file testing succeeded

I cannot spot any errors that it is giving me in the config.

then running "/usr/lib64/openldap/slapd -d -{any level}" doesn't work
(it does work if I delete the files in the /etc/openldap/slapd.d

For example (with -d 64):

@(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
loaded module back_null.so
module back_null.so: null module registered
loaded module back_meta.so
module back_meta.so: null module registered
index objectClass 0x0004
meta_back_db_open: no targets defined
backend_startup_one: bi_db_open failed! (1)
slapd stopped.
connections_destroy: nothing to destroy.

Any thoughts?