Re: cn=config chaining

On 2013-09-26 16:42, "Dieter Klünter" <dieter@dkluenter.de> wrote:

>On Thu, 26 Sep 2013 19:50:08 +0000,
>"Jancewicz, Russell" <russell.jancewicz@uconn.edu> wrote:
>
>> 
>> 
>> On 2013-09-26 15:04, "Dieter Klünter" <dieter@dkluenter.de> wrote:
>> 
>> >On Thu, 26 Sep 2013 17:23:42 +0000,
>> >"Jancewicz, Russell" <russell.jancewicz@uconn.edu> wrote:
>> >
>> >> It was modified from the generation of slapd-chain2.conf which also
>> >> didn't work (I was working off the assumption that the overlay
>> >> needed to be on olcDatabase={1}frontend)
>> >> 
>> >> This is the slapd-chain2.conf file I am using (modified slightly)
>> >> The only differences between this and the unmodified
>> >> slapd-chain2.conf is the directory and the addition of chain-tls
>> >> and chain-idassert-authzFrom to the "overlay chain" section.
>> >> 
>> >> I'm generating my config with it with
>> >> $ slaptest -f slapd-chain2.conf -F ./slapd.d-test/
>> >> 
>> >> 
>> >> """
>> >> include		/etc/openldap/schema/core.schema
>> >> include		/etc/openldap/schema/cosine.schema
>> >> include		/etc/openldap/schema/inetorgperson.schema
>> >> include		/etc/openldap/schema/openldap.schema
>> >> include		/etc/openldap/schema/nis.schema
>> >> 
>> >> database	hdb
>> >> directory   	/srv/ldap/example.com/
>> >> suffix		"dc=example,dc=com"
>> >> rootdn		"cn=admin,dc=example,dc=com"
>> >> rootpw		secret
>> >> 
>> >> overlay		chain
>> >> chain-uri	ldap://master.example.com
>> >> chain-idassert-bind bindmethod=simple binddn="dc=example,dc=com"
>> >>     credentials=secret mode=self
>> >> chain-tls start
>> >> chain-idassert-authzFrom "*"
>> >> """
>> >[...]
>> >
>> >In this particular case chaining is a global configuration parameter,
>> 
>> 
>> If that's the case what should I do to propagate writes/modifies from
>> a *specific* database on my slave to a master?
>> (ideally in cn=config style ldifs, not ldap.conf)
>> 
>> Regardless of whether I apply it to the {-1}frontend or the {1}hdb, both
>> situations have resulted in the unwilling to perform error.
>
>If you want to chain write operations to a remote server, you should
>define your local server, or at least partitions of the local server,
>as a syncrepl client.
>

The system I am working on is already a syncrepl consumer from the master
(hence the terminology master, slave).

The master system sends all data to the slave. I want any attempted
writes to said slave to be forwarded back to the master.
I understand that individual LDAP clients can complete this via referral
chasing however I would like (and maybe wrongly assumed) that chaining
would provide me this functionality.
If this is not how chaining behaves would someone please explain the
intended use?

From what I read in documentation and other places it would appear that
the following configurations should accomplish what I am looking for;
however, every variation on them results in
"Server unwilling to perform" on modify.

dn: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: FALSE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.com"
olcDbIDAssertBind: mode=self bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials="secret"


I am trying to add said chaining to an already running server which was
bootstrapped via cn=config.

*** Is there any way to accomplish what I am looking to do? ***
Should I modify the LDIF above in any way to make things work?

-Russell J. Jancewicz
University of Connecticut
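
[Editor's note, not part of the original message or its thread.] For comparison with the LDIF quoted above, this is the layout the OpenLDAP Administrator's Guide and slapo-chain(5)/slapd-ldap(5) document for a syncrepl consumer that forwards writes to its provider: the chain overlay is instantiated on the frontend database so that it intercepts referrals before they reach the client, and the consumer database carries an update referral (olcUpdateRef) for the overlay to chase; a shadow database with no update referral answers every write with unwillingToPerform. The host name, suffix, rootdn and password are the placeholders used in the thread; the example assumes the ldap backend is available (built in, or loaded with olcModuleLoad: back_ldap) and is applied to a running server with ldapmodify. It is an added example, not configuration from the poster or from the OpenLDAP project.

```ldif
# Added example, not from the original post. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f chain.ldif
# Host, suffix, rootdn and password are the thread's placeholders.

# 1. The replicated (shadow) database must return an update referral
#    for write operations. Without it the consumer rejects writes with
#    unwillingToPerform ("shadow context; no update referral") and there
#    is no referral for the chain overlay to chase.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcUpdateRef
olcUpdateRef: ldap://master.example.com

# 2. The chain overlay on the frontend database, so it sees referrals
#    from every local database before they are returned to the client.
#    olcChainReturnError TRUE passes the provider's real result code back
#    instead of the referral.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

# 3. The back-ldap instance the overlay uses to chase the referral.
#    mode=self re-issues the write on the provider as the identity that
#    bound to the consumer, via the proxied-authorization control, while
#    authenticating to the provider as binddn. That DN must be allowed to
#    proxy as those users on the provider (here it is the provider's
#    rootdn, so a leak of this cn=config entry is a leak of rootdn
#    access to the master); a dedicated identity limited by authz-policy
#    and ACLs on the provider is the tighter choice. olcDbStartTLS keeps
#    the asserted identities and the credentials off the wire in clear.
#    LDIF folds long values onto lines that start with one space; that
#    space is stripped, so a second space preserves the word separation.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://master.example.com"
olcDbStartTLS: start
olcDbIDAssertBind: mode=self bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials="secret"
olcDbIDAssertAuthzFrom: "*"
```

After applying it, a modify sent to the consumer by an ordinary bound user should succeed or fail with the provider's own result code rather than the consumer's "unwilling to perform"; if the provider denies the proxied authorization, the write fails on the provider side, which is where the authz-policy and ACL decision belongs.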