
Re: Setting up a chain overlay

Bram Cymet <bcymet@cbnco.com> writes:

>  On 09/22/2010 07:27 AM, masarati@aero.polimi.it wrote:
>>>> Please try this patch
>>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch>,
>>>> posted some time ago in partial response to ITS#6540 and report.
>>>> Thanks,
>>>> p.
>>> I will give the patch a try.
>>> What is the patch doing? I am guessing it will fix the illegal
>>> configuration problem.
>> It comments some braindead checks that I don't even remember what were
>> there for, that prevent reloading a valid configuration from cn=config.
>> Consider that back-config support in back-ldap was added during the
>> development of back-config itself, so some odd configuration cases that
>> worked at that time might no longer be valid now.
>>> Should I use the configuration I gave above or should it be modified?
>> The configuration should be fine; even the contents of the configuration
>> database (back-config) should be valid.  After applying the patch, slapd
>> should restart fine, loading slapo-chain(5) as it is configured now.
>> p.
> Hi,
> I have applied the patch and now after adding my config I am able to
> restart slapd. The only problem now is that the chaining has stopped
> working. I am not sure why it worked before and not now.
> Will that patch be applied to future versions of openldap?
> At this point I am trying to figure out the best way to take a config like:
> overlay                 chain
> chain-rebind-as-user    FALSE
> chain-uri               "ldap://ldap1.example.com";
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=Auth,dc=example,dc=com"
>                         credentials="secret"
>                         mode="self"
> chain-uri               "ldap://ldap2.example.com";
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=Auth,dc=example,dc=com"
>                         credentials="secret"
>                         mode="none"
> and properly add it to the cn=config directory.

In this particular case, overlay chain should be a global
configuration, not a database-specific configuration.
This is a working example:

<global configuration>
overlay chain
chain-uri ldap://some.host
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start
database        config
rootdn          cn=config
syncrepl rid=042
database        hdb
suffix          o=avci,c=de
syncrepl rid=099


Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de
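Bram's remaining question was how to carry his slapd.conf chain block over to cn=config. The LDIF below is an added example, not part of the thread, showing that block as entries for ldapadd under the frontend database (which is what makes the overlay global, as Dieter says). Hostnames and the cn=Auth DN come from the quoted config; the credential placeholder and the {n} indices are assumptions.

```ldif
# Added example (not from the thread). The overlay sits under the frontend
# database, so it is global rather than per-database. The credential is a
# placeholder; olcDbIDAssertBind values live in cn=config and are readable
# by whoever can read cn=config, so keep that ACL tight.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

# Entry with no olcDbURI: defaults used for referrals that match no
# explicit URI. The leading "chain-rebind-as-user FALSE" lands here.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbRebindAsUser: FALSE

# ldap1: rebind as the connecting user, and assert that identity (mode=self)
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://ldap1.example.com"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="REPLACE_ME" mode=self

# ldap2: mode=none, so chained operations run as cn=Auth itself
dn: olcDatabase={2}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {2}ldap
olcDbURI: "ldap://ldap2.example.com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="REPLACE_ME" mode=none
```

Apply with `ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif` (or whatever identity holds the cn=config rootdn), then confirm with an ldapsearch on `olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config` that the three olcDatabase children are present.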