
slapd-meta



Hello to the list,

I'm trying to configure the slapd-meta OpenLDAP backend on an online cn=config
configuration with no luck. Slapd version is 2.4.39 (the maximum I can
achieve on the target machines building from vanilla source).
The documentation is clear but too concise for me so I will try to explain
what I'm trying to do to see if there is anybody that can help me.

Currently I have 3 slapd servers that share a common root for the DIT, i.e.:

dc=loc1,dc=root
dc=loc2,dc=root
dc=loc3,dc=root

What I would like to achieve is to obtain a fourth server that contains
the previous trees, along with its own tree, i.e. a server that contains:

dc=loc0,dc=root (locally hosted data)
dc=loc1,dc=root (coming from the first server, chasing referrals)
dc=loc2,dc=root (coming from the second server, chasing referrals)
dc=loc3,dc=root (coming from the third server, chasing referrals)

this way, all the clients connecting to this server will be able to
retrieve data also from the other three remote servers.

As far as I understood, I only need to configure the "loc0" server to access
the other three servers and get the data to serve to clients.

I have already configured the fourth server with its local DIT and this is
the configuration:


# cat 'cn=config.ldif'

    dn: cn=config
    objectClass: olcGlobal
    cn: config
    olcArgsFile: /var/run/slapd/slapd.args
    olcPidFile: /var/run/slapd/slapd.pid
    structuralObjectClass: olcGlobal
    creatorsName: cn=config
    olcServerID: 1
    olcThreads: 32
    olcToolThreads: 8
    olcRequires: LDAPv3
    olcConnMaxPendingAuth: 100
    olcTLSCACertificateFile: /etc/ssl/certs/my_ca_cert.pem
    olcTLSCertificateFile: /etc/ssl/certs/this-host_x509_cert.pem
    olcTLSCertificateKeyFile: /etc/ssl/private/this-host_x509_key.key
    olcTLSVerifyClient: try
    olcTimeLimit: 600
    olcLogLevel: stats2 sync
    [...]

# cat 'cn=module{0}.ldif'

    dn: cn=module{0}
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    olcModuleLoad: {1}syncprov
    olcModuleLoad: {2}accesslog
    structuralObjectClass: olcModuleList
    [...]


Schema files are the following:

    cn={0}core.ldif
    cn={1}cosine.ldif
    cn={2}nis.ldif
    cn={3}inetorgperson.ldif
    cn={4}dyngroup.ldif
    cn={5}kerberos.ldif


# cat 'olcDatabase={1}hdb.ldif'

    dn: olcDatabase={1}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {1}hdb
    olcDbDirectory: /var/lib/ldap
    olcSuffix: dc=loc0,dc=root
    olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=loc0,dc=root" write by anonymous auth by self write by * none
    olcAccess: {1}to dn.base="" by * read
    olcAccess: {2}to * by dn="cn=admin,dc=loc0,dc=root" write by * read
    olcLastMod: TRUE
    olcRootDN: cn=admin,dc=loc0,dc=root
    olcRootPW:: xxxxxxxxxxxxxxxxxxxx
    olcDbCacheSize: 10000
    olcDbCheckpoint: 512 10
    olcDbConfig: {0}set_cachesize 0 524288000 1
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
    olcDbIDLcacheSize: 30000
    olcDbIndex: default pres,eq
    [...]
    structuralObjectClass: olcHdbConfig
    olcSyncrepl: {0}rid=0 provider=ldap://second-host.loc0.root bindmethod=simple binddn="cn=admin,dc=loc0,dc=root" credentials=xxxxxx searchbase="dc=loc0,dc=root" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes
    olcMirrorMode: TRUE
    [...]



On top of this DB I have the "syncprov" and the "accesslog" overlays configured (these are two servers in "MirrorMode", configured following the OpenLDAP admin documentation).
I believe this DB is the one containing the actual "loc0" DIT data...

Then I have the accesslog DB for the replica (with the syncprov overlay on top):

# cat 'olcDatabase={2}hdb.ldif'

    dn: olcDatabase={2}hdb
    objectClass: olcDatabaseConfig
    objectClass: olcHdbConfig
    olcDatabase: {2}hdb
    olcDbDirectory: /var/lib/ldap/accesslog
    olcSuffix: cn=accesslog
    olcRootDN: cn=admin,dc=loc0,dc=root
    olcDbConfig: {0}set_cachesize 0 524288000 1
    olcDbConfig: {1}set_lk_max_objects 1500
    olcDbConfig: {2}set_lk_max_locks 1500
    olcDbConfig: {3}set_lk_max_lockers 1500
    olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
    olcDbIndex: default eq
    olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
    [...]




On top of this environment I start loading the needed modules with this LDIF file:

    version: 1

    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: back_ldap
    -
    add: olcModuleLoad
    olcModuleLoad: back_meta
    -
    add: olcModuleLoad
    olcModuleLoad: rwm


and it seems I'm able to load the new modules without errors
into the configuration, thus I obtain:

# cat 'cn=module{0}.ldif'

    dn: cn=module{0}
    structuralObjectClass: olcModuleList
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_hdb
    olcModuleLoad: {1}syncprov
    olcModuleLoad: {2}accesslog
    olcModuleLoad: {3}back_ldap
    olcModuleLoad: {4}back_meta
    olcModuleLoad: {5}rwm
    [...]


Now I try to load the slapd-meta directives into a new database using this LDIF:

    version: 1

    dn: olcDatabase={3}meta,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMetaConfig
    olcDatabase: {3}meta
    olcSuffix: dc=root
    olcDbURI: "ldap://server-loc1.loc1.root/dc=loc1,dc=root";
    olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc1,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
    olcDbURI: "ldap://server-loc2.loc2.root/dc=loc2,dc=root";
    olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc2,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
    olcDbURI: "ldap://server-loc3.loc3.root/dc=loc3,dc=root";
    olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc3,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand

but I obtain an error that keeps me stuck trying various combinations without success:

    # ldapadd -Y EXTERNAL -H ldapi:/// -f slapd-META-DB-CREATION.ldif

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "olcDatabase={3}meta,cn=config"
    ldap_add: Object class violation (65)
        additional info: attribute 'olcDbURI' not allowed

and:

    # tail /var/log/openldap/slapd.log

    Nov 9 19:47:17 server01 slapd[32392]: conn=1025 op=2 ENTRY dn="dc=loc0,dc=root"
    Nov 9 19:47:29 server01 slapd[32392]: conn=1052 op=2 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
    Nov 9 19:49:47 server01 slapd[32392]: conn=1327 op=2 ENTRY dn="dc=loc0,dc=root"
    Nov 9 19:52:17 server01 slapd[32392]: conn=1628 op=2 ENTRY dn="dc=loc0,dc=root"
    Nov 9 19:54:46 server01 slapd[32392]: conn=1929 op=2 ENTRY dn="dc=loc0,dc=root"
    Nov 9 19:57:07 server01 slapd[32392]: Entry (olcDatabase={3}meta,cn=config), attribute 'olcDbURI' not allowed


In the slapd-meta documentation the "URI" directive is mentioned, but "DbURI" seems to raise a "better error"; in fact, if I try to modify the above LDIF file using "URI" I obtain:

    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    adding new entry "olcDatabase={3}meta,cn=config"
    ldap_add: Undefined attribute type (17)
        additional info: olcUri: attribute type undefined


Moreover, it is not stated in the slapd-meta docs that the slapd-ldap backend is needed by slapd-meta but, anyway, I think it's needed because if I try to load slapd-meta alone it raises an error (I don't remember exactly which one).

At this point I'm stuck on this error and I wasn't able to find any hint on the web to solve this :( The examples I was able to find were related to the static slapd.conf configuration; I couldn't
find any "full" configuration example using cn=config.
I'm wondering if I should create a "cn=root" actual DB first and then link the sub-DITs to it, or, maybe, add some other overlay... I really can't understand how it should work :(

Can please anybody help me?
Thank you very much