Re: Unique overlay confusing
Hi Quanah,
thanks for your reply,
On Wed, Aug 29, 2018 at 09:17:25AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, August 09, 2018 9:51 AM +0200 Ervin Hegedüs
> <airween@gmail.com> wrote:
>
>
> >>olcUniqueURI: ldap:///?uid?sub?
> >>olcUniqueURI: ldap:///?mail?sub?
> >>olcUniqueURI: ldap:///?uidNumber?sub?
> >>olcUniqueURI: ldap:///?sn?sub?
> >>olcUniqueURI: ldap:///?cn?sub?
I've removed these directives:
> >>olcUniqueURI: ldaps:///?uid?sub?
> >>olcUniqueURI: ldaps:///?mail?sub?
> >>olcUniqueURI: ldaps:///?uidNumber?sub?
> >>olcUniqueURI: ldaps:///?sn?sub?
> >>olcUniqueURI: ldaps:///?cn?sub?
>
> Using "ldaps://" here is invalid. These are internal searches that don't
> use the LDAP protocol.
thanks,
> One thing you've not shown in your configurations is whether or not the
> {1}mdb,cn=config DB has a rootdn configured for that database instance. As
> noted in the man page, a rootdn is required on the specific database
> instance for the overlay to function:
>
> " The search is performed using the rootdn of the database, to avoid
> issues with ACLs preventing the overlay from seeing all of the relevant
> data. As such, the database must have a rootdn configured."
Are you thinking of this?
slapcat -b cn=config | less
...
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=hu
...
olcRootDN: cn=admin,dc=hu
...
> Additionally, you haven't noted how you are making the modifications to add
> the duplicate entries. Again, as noted in the man page:
>
> " Replication and operations with manageDsaIt control are allowed to
> bypass this enforcement. It is therefore important that all servers
> accepting writes have this overlay configured in order to maintain
> uniqueness in a replicated DIT.."
>
> So it is possible the LDAP client you are using to make the modifications is
> setting the manageDsaIT control.
I'm using jXplorer; I didn't find any manageDsaIt settings, so I
assume that it doesn't support it, so perhaps I can't bypass the
enforcement - but maybe I'm wrong.
The unique key constraint still doesn't work.
Thanks again for your help,
a.
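
A check for the two configuration problems raised in this thread (a non-"ldap" scheme in olcUniqueURI, and a missing olcRootDN on the database that carries the overlay), as an added example that is not part of the original message. The sample LDIF, the overlay DNs, the {2}mdb database and the function names are constructed for illustration.

```python
import re

# Constructed sample in `slapcat -b cn=config` style; DNs are illustrative.
SAMPLE = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=hu
olcRootDN: cn=admin,dc=hu

dn: olcOverlay={0}unique,olcDatabase={1}mdb,cn=config
olcUniqueURI: ldap:///?uid?sub?
olcUniqueURI: ldaps:///?mail?sub?

dn: olcDatabase={2}mdb,cn=config

dn: olcOverlay={0}unique,olcDatabase={2}mdb,cn=config
olcUniqueURI: ldap:///?uid?sub?
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attribute: [values]}}."""
    entries = {}
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit_unique(text):
    """Return (overlay dn, problem) pairs for the two issues in the thread."""
    entries, findings = parse_ldif(text), []
    for dn, attrs in entries.items():
        if "olcuniqueuri" not in attrs:
            continue
        parent = dn.split(",", 1)[1]  # database entry the overlay sits on
        if not entries.get(parent, {}).get("olcrootdn"):
            findings.append((dn, "no olcRootDN on " + parent))
        for value in attrs["olcuniqueuri"]:
            for token in value.split():  # skips keywords such as "strict"
                scheme, sep, _ = token.partition("://")
                if sep and scheme.lower() != "ldap":
                    findings.append((dn, "invalid scheme in " + token))
    return findings

if __name__ == "__main__":
    for dn, problem in audit_unique(SAMPLE):
        print(dn + ": " + problem)
```

To run it against a live server, pass the output of `slapcat -b cn=config` to `audit_unique()` instead of `SAMPLE`.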