Re: chaining question


Tony Earnshaw wrote:
> Could someone please explain why the configuration for the two tests
> should pass, while it doesn't on my consumer, and why the config with
> the two chain-rebind-as-user stanzas does?

I always find it helpful to look into the log files of the
OpenLDAP servers. On FreeBSD it's /var/log/debug.log.

Personally I find

loglevel 256

which is "stats log connections/operations/results", most helpful. If you
are not sure how to interpret log entries, edit them to remove sensitive
content and post them, perhaps - if it's more than 10 lines or so - using
a pastebin (e.g. pastebin.ca or something).

Of course it seems weird to first have to disable and then later on to
enable "chain-rebind-as-user". It seems that this is because one
shouldn't rely on default values (as they might change). In the second
chain-uri-stanza of the example they don't set the rebind-flag again, so
I'd assume that the "global" value set after "overlay chain" will be

Anyway: the best thing next to an explanation I found of what
..rebind-as-user does is in slapd-ldap:
rebind-as-user {NO|yes}

If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection, or when
chasing a referral, if chase-referrals is set to yes.

So I assume that something concerning the credentials breaks - the log
should help you pinpoint what exactly.
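
An added illustration, not part of the original message: a short Python script that pairs request and RESULT lines in `loglevel 256` output by conn/op and lists every operation that did not return err=0, together with the DN the connection was bound as. The sample log is constructed, and the function name `failed_operations` is hypothetical.

```python
import re

# Constructed sample of slapd "stats" (loglevel 256) syslog lines; hosts, DNs
# and outcomes are invented for this example.
SAMPLE_LOG = '''\
Mar  3 10:15:01 ldap2 slapd[812]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Mar  3 10:15:01 ldap2 slapd[812]: conn=1001 op=0 BIND dn="uid=tony,dc=example,dc=com" method=128
Mar  3 10:15:01 ldap2 slapd[812]: conn=1001 op=0 BIND dn="uid=tony,dc=example,dc=com" mech=SIMPLE ssf=0
Mar  3 10:15:01 ldap2 slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
Mar  3 10:15:02 ldap2 slapd[812]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=tony)"
Mar  3 10:15:02 ldap2 slapd[812]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  3 10:15:03 ldap2 slapd[812]: conn=1001 op=2 MOD dn="uid=tony,dc=example,dc=com"
Mar  3 10:15:03 ldap2 slapd[812]: conn=1001 op=2 RESULT tag=103 err=10 text=
Mar  3 10:15:04 ldap2 slapd[812]: conn=1002 op=0 BIND dn="cn=proxy,dc=example,dc=com" method=128
Mar  3 10:15:04 ldap2 slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text=
'''

OP_LINE = re.compile(r'conn=(\d+) op=(\d+) (\S.*)')
RESULT = re.compile(r'\bRESULT\b.*?\berr=(\d+)')
DN = re.compile(r'\bdn="([^"]*)"')
ERR_NAMES = {10: "referral", 49: "invalidCredentials", 50: "insufficientAccessRights"}

def failed_operations(log_text):
    """Pair each request with its RESULT by (conn, op); return the non-zero ones."""
    pending, bound_as, failures = {}, {}, []
    for line in log_text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry no op= field
        key, rest = (int(m[1]), int(m[2])), m[3]
        res = RESULT.search(rest)
        if res is None:
            # First line of a request; later detail lines for the same op are ignored.
            dn = DN.search(rest)
            pending.setdefault(key, (rest.split()[0], dn[1] if dn else ""))
            continue
        verb, dn = pending.pop(key, ("?", ""))
        err = int(res[1])
        if err == 0:
            if verb == "BIND":
                bound_as[key[0]] = dn  # identity this connection now acts as
            continue
        failures.append({"conn": key[0], "op": key[1], "request": verb, "dn": dn,
                         "bound_as": bound_as.get(key[0]), "err": err,
                         "meaning": ERR_NAMES.get(err, "see RFC 4511")})
    return failures
```

Running it over the logs of both the consumer and the server it chains to shows which side rejected the request and under which bound identity.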

