[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-meta

To: Quanah Gibson-Mount <quanah@zimbra.com>, openldap-technical@openldap.org
Subject: Re: slapd-meta
From: Fr3ddie <fr3ddie@fr3ddie.it>
Date: Thu, 10 Mar 2016 10:15:10 +0100
In-reply-to: <17B77E63A550B0A71E0A961C@[192.168.1.9]>
Organization: fr3ddie.it
References: <5641CFB9.6030405@fr3ddie.it> <564B6A78.8000206@fr3ddie.it> <B86DF74A3A67FB202276375E@[192.168.1.9]> <56D5DE23.6060809@fr3ddie.it> <17B77E63A550B0A71E0A961C@[192.168.1.9]>
User-agent: Fr3ddie's Thunderbird on Linux

On 04/03/2016 20:33, Quanah Gibson-Mount wrote:

Then I modified the ldif file in order to create the meta-DB and its
sub-DBs
containing the URIs of the target servers (if I correctly understood):

     version: 1

     dn: olcDatabase={3}meta,cn=config
     objectClass: olcDatabaseConfig
     objectClass: olcMetaConfig
     olcDatabase: {3}meta
     olcSuffix: dc=loc1,dc=root
     olcSuffix: dc=loc2,dc=root
     olcSuffix: dc=loc3,dc=root
I've never used meta backend, but the above doesn't look valid to me(multiple suffixes). The man page shows a single suffix, with URIdirectives for additional representations of the DB.
[OMISSIS]
The slapd-meta test suit shows an additional parameter, mode=self,being set. That may or may not help. ;)



Hello,

I performed further testing but I have no good news :(

about the multiple "olcSuffix" I'm inserting into the"olcDatabase={3}meta" (I don't know where I'm supposed to putmultiple entries of the olcSuffix except the olcDatabase since it is anattribute of olcDatabaseConfig objectclass),I configured the meta backend with just one DB suffix and just onetarget, in order to keep it easy and avoid,as much as possible, my configuration mistakes. I believe this is theconfiguration I would have been supposed to

do in order to properly configure the slapd-/ldap/ backend (?).

Moreover, although I tried both "mode=self", "mode=none" and"authzID="dn:cn=admin,dc=loc1,dc=root""(and "flags=non-prescriptive" too, while without the "authzID" ofcourse), the result is the same.

Logs from the slapd-meta equipped server report (I'm simply trying todirectly access the admin dn):

Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCHbase="cn=admin,dc=loc1,dc=root" scope=0 deref=0 filter="(objectClass=*)"Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCHattr=hasSubordinates objectClassMar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11meta_search_dobind_init[0] mc=0x7175f3e8: non-empty dn with empty cred;binding anonymouslyMar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SEARCH RESULTtag=101 err=0 nentries=0 text=


and from the target server:

Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT fromIP=10.0.x.55:51909 (IP=10.0.y.85:389)Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BINDdn="cn=admin,dc=loc1,dc=root" method=128Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97err=53 text=unauthenticated bind (DN with no password) disallowed

Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed

thus the target server refuses unauthenticated bind and closes theconnection (as it is configured to do so).

Moreover, if I try to put double quotes around the "binddn" directive itseems that slapd-meta doesn't recognize at allthe dn I'm trying to use to bind to the target, and the target server'slog reports:

Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT fromIP=10.0.x.55:49353 (IP=10.0.y.85:389)

Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128

Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97err=0 text=Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULTtag=101 err=123 nentries=0 text=anonymous proxied authorization not allowedMar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 do_search:get_ctrls failed


Just to be complete, this is (one of) the configurations I'm trying:

dn: olcMetaSub={0}uri
objectClass: olcConfig
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://server01.loc1.root/dc=loc1,dc=root";

olcDbIDAssertBind: mode=self bindmethod=simplebinddn=cn=admin,dc=loc1,dc=root credentials=xxxxxxx starttls=noauthzID="dn:cn=admin,dc=loc1,dc=root"

while the rest of the configuration stayed the same as the one from myfirst mail.

At this point I'm really stuck and the only thing I can think of it isthe presence of a bug somewhere into slapd-meta,since the behaviour doesn't reflect the configuration on, somehowsimple, parameters.


Is there anybody having the same issues?
Is it still my fault on configuration?

I really don't know where to put my hands on...

Thanks for support


--
Fr3ddie
/fr3ddie@fr3ddie.it <mailto:fr3ddie@fr3ddie.it>/

A computer is like an air conditioner:
it stops working when you open Windows

Follow-Ups:
- Re: slapd-meta
  - From: Dirk Kastens <dirk.kastens@uni-osnabrueck.de>

References:
- Re: slapd-meta
  - From: Fr3ddie <fr3ddie@fr3ddie.it>
- Re: slapd-meta
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: log_rdns.patch
Next by Date: Re: Experience with LDAP monitoring (cn=monitor)
Index(es):
- Chronological
- Thread