Re: Slapd-ldap proxy between replica and mirror
> Hi,
>
> We have a similar scenario to the one explained in the post of Javier
> Manteiga:
> http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/200907/msg00180.html
>
> We have deployed two servers: a master and a replica (delta-syncrepl). We
> added the chaining configuration that appears in openldap 2.4
> administrator's guide (12.3.2) to handle the modifications originated from
> the replica.
>
> Replica slapd.conf:
>
> #####################
> #  Chaining configuration #
> #####################
> overlay chain
> chain-uri               "ldap://192.168.1.10:389";
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=replicator,dc=example,dc=com"
>                         credentials="secret"
>                         mode="self"
> chain-return-error      TRUE
>
> ##########
> #  Replica  #
> ##########
> database bdb
> suffix "dc=example,dc=com"
> rootdn "cn=Administrator,dc=example,dc=com"
> rootpw "secret"
> ....
> ##################
> # Syncrepl directives #
> ##################
> syncrepl  rid=001
>           provider=ldap://192.168.1.10:389
>           type=refreshAndPersist
>           retry="60 +"
>           searchbase="dc=example,dc=com"
>           filter="(objectclass=*)"
>           scope=sub
>           attrs="*"
>           schemachecking=on
>           binddn="cn=replicator,dc=example,dc=com"
>           bindmethod=simple
>           credentials=secret
>           sizelimit=unlimited
>           logbase="cn=accesslog"
>           logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
>           syncdata=accesslog
>
> # Refer updates to the master
> updateref               ldap://192.168.1.10:389
>
> The problem appears when we change the single master for a mirrormode
> configuration (administrator guide 18.3.4.1). In addition, we set up a
> back-ldap proxy between mirror and replica.
>
> back-ldap proxy slapd.conf:
>
> ########
> #  Proxy #
> ########
> database        ldap
> suffix          "dc=example,dc=com"
> rootdn          "cn=slapd-ldap"
>
> uri             "ldap://192.168.1.20:389 ldap://192.168.1.30:389";
>
>
> The IP addresses are:
> 192.168.1.10 -> Back-ldap proxy
> 192.168.1.20 -> Mirror mode server 1
> 192.168.1.30 -> Mirror mode server 2
>
>
> When we try to modify the password through the replica, we get the
> following messages on the server where the proxy is located:
>
> ldap-proxy[13175]: daemon: activity on 1 descriptor
> ldap-proxy[13175]: daemon: activity on:
> ldap-proxy[13175]:  12r
> ldap-proxy[13175]:
> ldap-proxy[13175]: daemon: read active on 12
> ldap-proxy[13175]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
> ldap-proxy[13175]: connection_get(12)
> ldap-proxy[13175]: connection_get(12): got connid=1002
> ldap-proxy[13175]: connection_read(12): checking for input on id=1002
> ldap-proxy[13175]: op tag 0x66, time 1270632398
> ldap-proxy[13175]: conn=1002 op=2 do_modify
> ldap-proxy[13175]: conn=1002 op=2 do_modify: dn (uid=user,ou=people,dc=example,dc=com)
> ldap-proxy[13175]: => get_ctrls
> ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical)
> ldap-proxy[13175]: parseProxyAuthz: conn 1002 authzid="dn:uid=user,ou=people,dc=example,dc=com"
> ldap-proxy[13175]: slap_sasl_getdn: conn 1002 id=dn:uid=user,ou=people,dc=example,dc=com [len=38]
> ldap-proxy[13175]: >>> dnNormalize: <uid=user,ou=people,dc=example,dc=com>
> ldap-proxy[13175]: <<< dnNormalize: <uid=user,ou=people,dc=example,dc=com>
> ldap-proxy[13175]: ==>slap_sasl2dn: converting SASL name uid=user,ou=people,dc=example,dc=com to a DN
> ldap-proxy[13175]: <==slap_sasl2dn: Converted SASL name to <nothing>
> ldap-proxy[13175]: parseProxyAuthz: conn=1002 "uid=user,ou=people,dc=example,dc=com"
> ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
> ldap-proxy[13175]: <== slap_sasl_authorized: return 48
> ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity"
> ldap-proxy[13175]: send_ldap_result: conn=1002 op=2 p=3
> ldap-proxy[13175]: send_ldap_result: err=123 matched="" text="not authorized to assume identity"
> ldap-proxy[13175]: send_ldap_response: msgid=3 tag=103 err=123
> ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
> ldap-proxy[13175]: conn=1002 op=2 do_modify: get_ctrls failed
> ldap-proxy[13175]: daemon: activity on 1 descriptor
> ldap-proxy[13175]: daemon: activity on:
>
> The authorization is denied for cn=replicator,dc=example,dc=com.

The error looks self-explanatory: the identity
"cn=replicator,dc=example,dc=com" is not authorized to assume the identity
of the client that attempted the write.  The failure appears to happen in
slap_sasl2dn(), where the user's DN is converted to <nothing> (the
"mapping" fails).  It is not clear why it fails.  You probably do not show
enough of your master and replica slapd.conf.

p.
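What the proxy's slap_sasl_authorized check is looking for, as an added example that is not part of this thread or of either poster's configuration: the chain overlay (mode="self") sends a proxyAuthz control bound as cn=replicator, and the server that receives the control only accepts it if an authz-policy is enabled and cn=replicator has been explicitly granted permission to assume the asserted identity. The fragment assumes the control is evaluated on the back-ldap proxy host and that the cn=replicator entry, which carries the authzTo grant, is reachable through the proxy's ldap database; the subtree value is constructed from the DNs in the thread.

```conf
# --- slapd.conf on the back-ldap proxy (192.168.1.10 in the thread) ---
# Global section, before any "database" line.  The default policy is
# "none": every identity assertion is refused with err=123 regardless of
# what the entries say, which matches the "return 48" / rc=123 above.
authz-policy    to

database        ldap
suffix          "dc=example,dc=com"
rootdn          "cn=slapd-ldap"
uri             "ldap://192.168.1.20:389 ldap://192.168.1.30:389"

# --- LDIF applied on the mirrors, where cn=replicator is stored -------
# authzTo is read from the binding identity's entry when the control is
# checked.  dn.subtree restricts the grant to identities under ou=people,
# so the replication identity cannot assert cn=Administrator or any other
# DN outside that subtree (least privilege: scope the grant, not "dn.*").
#
# dn: cn=replicator,dc=example,dc=com
# changetype: modify
# add: authzTo
# authzTo: dn.subtree:ou=people,dc=example,dc=com
```

If the mirrors, rather than the proxy, end up evaluating the control (for instance with a back-ldap idassert configuration), the authz-policy line belongs in their global section instead; the authzTo grant stays on the entry either way.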