
Re: chaining for a single backend?



Hi,

On 30.12.2015 at 11:49, Marc Patermann wrote:
I want to activate chaining for a single backend.

The server is a replication consumer and has a few glued database backends.
Only one contains Linux accounts with the ppolicy overlay.
This should use chaining to replicate the ppolicy changes which
otherwise stay local.

Can this be achieved?
I would like to come back to this.

Here is our example with multiple glued databases and chaining.
First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.

Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.

///////////////////////////////////

## full_chain
config excerpt (see attachment for full config):

overlay chain
…
database        mdb
suffix          "ou=humans,o=example,c=org"
subordinate
…
database        mdb
suffix          "ou=linux,o=example,c=org"
subordinate
chain-uri "ldap://SERVER";
chain-idassert-bind bindmethod="simple"
                    binddn="cn=linux,ou=mgr,o=example,c=org"
                    credentials=somethingsecret
                    mode="self"
chain-return-error TRUE
…
database        mdb
suffix          "o=example,c=org"
…

Tests with modify:

### modify on DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Proxied Authorization Denied (123)

-> chaining is working
   (we did not correct the permissions on the master for this DB)

### DB Linux
Working as expected.

///////////////////////////////////

## partial_chain
config excerpt (see attachment for full config):

database        mdb
suffix          "ou=humans,o=example,c=org"
subordinate
…
database        mdb
suffix          "ou=linux,o=example,c=org"
subordinate
…
overlay chain
chain-uri "ldap://SERVER";
chain-idassert-bind bindmethod="simple"
                    binddn="cn=linux,ou=mgr,o=example,c=org"
                    credentials=somethingsecret
                    mode="self"
chain-return-error TRUE
…
database        mdb
suffix          "o=example,c=org"


Tests with modify:

### modify DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Referral (10)
    referrals:
        ldap://SERVER/employeeNumber=0,ou=humans,ou=humans,o=example,c=org

-> expected behavior


### modify DB Linux
ldapmodify -f /tmp/new_user.ldif -x -D "cn=linux,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
adding new entry "uid=a12345a,ou=accounts,ou=linux,o=example,c=org"
ldap_add: Referral (10)
    referrals:
        ldap://SERVER/uid=a12345a,ou=accounts,ou=linux,o=example,c=org

-> should have been using the chain instead of referral

///////////////////////////////////

Why does the last test not use the chaining?
Any hints?

Marc

# Module
modulepath	/usr/lib64/openldap/
moduleload	back_ldap.la
moduleload	back_mdb.la
moduleload	ppolicy.la
moduleload	back_monitor.la
moduleload	accesslog.la
moduleload	dynlist.la
moduleload	back_meta.la

# Schemata
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/nis.schema
# linux
include         /etc/openldap/schema/ppolicy.schema


# Define global ACLs
# Manager 
.....

# ""
access to dn.base="" by * read

# subschema
access to dn.base=cn=subschema by * read

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Defaultsearchbase
defaultsearchbase       "ou=humans,o=example,c=org"

# No limit on response sizes and response times
sizelimit -1
timelimit 200

# max. number of threads - defaults to 16
# should be number of replicas plus x
# threads 16

# The default loglevel must be overridden:
# 1 yields function calls, especially malloc...
loglevel        config stats stats2 sync


# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile    /etc/openldap/ssl/ca.pem
TLSCertificateFile      /etc/openldap/ssl/cert.pem
TLSCertificateKeyFile   /etc/openldap/ssl/key.pem

# This way chaining only works for all DB backends (at once)
overlay chain

###########################################################################
# Database definitions
###########################################################################

############################  Start DB Meta  ###########################
database        meta
suffix          "ou=META,o=example,c=org"
subordinate
uri             "ldap://SERVER/ou=META,o=example,c=org";
conn-ttl	30
idle-timeout	1m30s
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB META  ############################

############################  Start DB Humans  ############################
database        mdb
suffix          "ou=humans,o=example,c=org"
subordinate
directory       /var/lib/ldap/human-data
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
syncrepl rid=401
        provider=ldap://SERVER
        type=refreshAndPersist
        retry="60 10 300 10 3600 +"
        searchbase="ou=humans,o=example,c=org"
        bindmethod=simple
        binddn="cn=gen.man,ou=mgr,o=example,c=org"
        credentials=***
updateref ldap://SERVER
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Humans  #############################

############################  Start DB Linux  #############################
database        mdb
suffix          "ou=linux,o=example,c=org"
subordinate
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
directory       /var/lib/ldap/linux-data
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
chain-uri "ldap://SERVER";
chain-idassert-bind bindmethod="simple"
                    binddn="cn=linux,ou=mgr,o=example,c=org"
                    credentials=somethingsecret
                    mode="self"
#chain-tls start
chain-return-error TRUE

overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,ou=linux,o=example,c=org"
ppolicy_forward_updates
ppolicy_use_lockout

# -------------------------------- SYNC  -------------------------------- #
syncrepl rid=402
        provider=ldap://SERVER
        searchbase="ou=linux,o=example,c=org"
        type=refreshAndPersist
        retry="60 10 300 10 3600 +"
        bindmethod=simple
        binddn="cn=gen.man,ou=mgr,o=example,c=org"
        credentials=***
updateref ldap://SERVER
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Linux  ##############################

############################  Start DB Steuer  ############################
database        mdb
suffix          "o=example,c=org"
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
directory       /var/lib/ldap/main-data
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
overlay glue
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Steuer  #############################

############################  Start DB Monitor  ###########################
database	monitor
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Monitor  ############################

############################  Start DB Config  ############################
database	config
rootdn		"cn=gen.man,ou=mgr,o=example,c=org"
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Config  #############################

# Module
modulepath	/usr/lib64/openldap/
moduleload	back_ldap.la
moduleload	back_mdb.la
moduleload	ppolicy.la
moduleload	back_monitor.la
moduleload	accesslog.la
moduleload	dynlist.la
moduleload	back_meta.la

# Schemata
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/nis.schema
# linux
include         /etc/openldap/schema/ppolicy.schema


# Define global ACLs
# Manager 
.....

# ""
access to dn.base="" by * read

# subschema
access to dn.base=cn=subschema by * read

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

# Defaultsearchbase
defaultsearchbase       "ou=humans,o=example,c=org"

# No limit on response sizes and response times
sizelimit -1
timelimit 200

# max. number of threads - defaults to 16
# should be number of replicas plus x
# threads 16

# The default loglevel must be overridden:
# 1 yields function calls, especially malloc...
loglevel        config stats stats2 sync


# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile    /etc/openldap/ssl/ca.pem
TLSCertificateFile      /etc/openldap/ssl/cert.pem
TLSCertificateKeyFile   /etc/openldap/ssl/key.pem

###########################################################################
# Database definitions
###########################################################################

############################  Start DB Meta  ###########################
database        meta
suffix          "ou=META,o=example,c=org"
subordinate
uri             "ldap://SERVER/ou=META,o=example,c=org";
conn-ttl	30
idle-timeout	1m30s
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB META  ############################

############################  Start DB Humans  ############################
database        mdb
suffix          "ou=humans,o=example,c=org"
subordinate
directory       /var/lib/ldap/human-data
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
syncrepl rid=401
        provider=ldap://SERVER
        type=refreshAndPersist
        retry="60 10 300 10 3600 +"
        searchbase="ou=humans,o=example,c=org"
        bindmethod=simple
        binddn="cn=gen.man,ou=mgr,o=example,c=org"
        credentials=***
updateref ldap://SERVER
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Humans  #############################

############################  Start DB Linux  #############################
database        mdb
suffix          "ou=linux,o=example,c=org"
subordinate
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
directory       /var/lib/ldap/linux-data
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
# This way all other DB backends get chaining errors
overlay chain
chain-uri "ldap://SERVER";
chain-idassert-bind bindmethod="simple"
                    binddn="cn=linux,ou=mgr,o=example,c=org"
                    credentials=somethingsecret
                    mode="self"
#chain-tls start
chain-return-error TRUE

overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,ou=linux,o=example,c=org"
ppolicy_forward_updates
ppolicy_use_lockout

# -------------------------------- SYNC  -------------------------------- #
syncrepl rid=402
        provider=ldap://SERVER
        searchbase="ou=linux,o=example,c=org"
        type=refreshAndPersist
        retry="60 10 300 10 3600 +"
        bindmethod=simple
        binddn="cn=gen.man,ou=mgr,o=example,c=org"
        credentials=***
updateref ldap://SERVER
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Linux  ##############################

############################  Start DB Steuer  ############################
database        mdb
suffix          "o=example,c=org"
rootdn          "cn=gen.man,ou=mgr,o=example,c=org"
directory       /var/lib/ldap/main-data
checkpoint	4096 2
maxsize		10737418240
# -------------------------------- INDEX -------------------------------- #
index	entryCSN		eq
index	entryUUID		eq
.....
# ------------------------------- OVERLAY ------------------------------- #
overlay glue
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Steuer  #############################

############################  Start DB Monitor  ###########################
database	monitor
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Monitor  ############################

############################  Start DB Config  ############################
database	config
rootdn		"cn=gen.man,ou=mgr,o=example,c=org"
# -------------------------------- INDEX -------------------------------- #
# ------------------------------- OVERLAY ------------------------------- #
# -------------------------------- SYNC  -------------------------------- #
# -------------------------------- ACL   -------------------------------- #
.....
############################  End DB Config  #############################
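The two attached configurations differ only in where `overlay chain` is declared: globally (before the first `database`, so it sits on the frontend and covers every backend) or inside the `ou=linux` database. The following added example, which is not part of the post or of OpenLDAP, is a small static checker that walks a slapd.conf-style excerpt and reports, for each database suffix, which chain overlay instance it falls under, and which databases carry `chain-*` directives without an `overlay chain` of their own. The two excerpts it parses are constructed from the post's `full_chain` and `partial_chain` configs (the credential is a placeholder). It only shows the static scope of the overlays; the post's own tests show the partial configuration still returns a referral for the Linux database, which this static view does not explain.

```python
"""Report the scope of chain overlays in a slapd.conf-style excerpt."""
# Added example, not from the mailing-list post or from OpenLDAP.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Database:
    backend: str
    suffix: Optional[str] = None
    overlays: list = field(default_factory=list)   # overlays declared inside this DB
    directives: list = field(default_factory=list) # other directives, continuations joined


@dataclass
class Config:
    global_overlays: list = field(default_factory=list)  # declared before any `database`
    databases: list = field(default_factory=list)


def parse_slapd_conf(text: str) -> Config:
    """Parse the subset of slapd.conf syntax used in the post: one directive per
    line, indented continuation lines, '#' comments and '.....' elisions."""
    cfg = Config()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#.\u2026':
            continue
        # An indented line continues the previous directive of the current database.
        if raw[0].isspace() and current is not None and current.directives:
            current.directives[-1] += ' ' + line
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ''
        if key == 'database':
            current = Database(backend=arg)
            cfg.databases.append(current)
        elif key == 'suffix' and current is not None:
            current.suffix = arg.strip('"')
        elif key == 'overlay':
            (cfg.global_overlays if current is None else current.overlays).append(arg)
        elif current is not None:
            current.directives.append(line)
    return cfg


def chain_scope(cfg: Config) -> dict:
    """Map each database suffix to the chain instance that would cover it:
    'database' (overlay declared in that DB), 'global' (frontend overlay) or 'none'."""
    result = {}
    for db in cfg.databases:
        name = db.suffix or db.backend
        if 'chain' in db.overlays:
            result[name] = 'database'
        elif 'chain' in cfg.global_overlays:
            result[name] = 'global'
        else:
            result[name] = 'none'
    return result


def orphan_chain_directives(cfg: Config) -> list:
    """Suffixes whose DB carries chain-* directives but no `overlay chain` of its own."""
    return [db.suffix or db.backend for db in cfg.databases
            if any(d.lower().startswith('chain-') for d in db.directives)
            and 'chain' not in db.overlays]


# Constructed excerpts modelled on the post's two attachments (credential is a placeholder).
CHAIN_BLOCK = '''chain-uri "ldap://SERVER"
chain-idassert-bind bindmethod="simple"
                    binddn="cn=linux,ou=mgr,o=example,c=org"
                    credentials=PLACEHOLDER
                    mode="self"
chain-return-error TRUE
'''
HUMANS = 'database mdb\nsuffix "ou=humans,o=example,c=org"\nsubordinate\n'
LINUX = 'database mdb\nsuffix "ou=linux,o=example,c=org"\nsubordinate\n'
ROOT = 'database mdb\nsuffix "o=example,c=org"\noverlay glue\n'

FULL_CHAIN = 'overlay chain\n' + HUMANS + LINUX + CHAIN_BLOCK + ROOT
PARTIAL_CHAIN = HUMANS + LINUX + 'overlay chain\n' + CHAIN_BLOCK + ROOT


if __name__ == '__main__':
    for label, text in (('full_chain', FULL_CHAIN), ('partial_chain', PARTIAL_CHAIN)):
        cfg = parse_slapd_conf(text)
        print(label, chain_scope(cfg), 'orphan chain-* in:', orphan_chain_directives(cfg))
```

Run as a script it prints one line per configuration; for `full_chain` every suffix resolves to the global instance while the `ou=linux` database holds chain-* directives without its own overlay, and for `partial_chain` only `ou=linux` has a chain instance at all.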