
RE: 2.2.15 proxy database ldap



With my old proxy (the same configuration), it works well.


The proxy's slapd.conf:
include         /etc/openldap/schema/core.schema
pidfile         /usr/var/run/slapd.pid
argsfile        /usr/var/run/slapd.args
database        ldap
suffix          ""
uri             "ldap://myldap.pipo.fr:389/"








The LDAP server's slapd.conf:

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="cn=manager" write
        by * none
access to attr=objectclass,mailsenderaccess,mailrecipientaccess,login,mail,mailalias,webclient
        by self read
        by dn="cn=manager" write
        by * read
access to *
        by self write
        by * read
allow tls_2_anon
disallow bind_anon_dn bind_anon_cred
idletimeout 0
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/myschema.schema
pidfile /var/lib/slapd.pid
argsfile /var/lib/slapd.args
password-hash {SSHA}
#referral
schemacheck on
sizelimit 500
threads 32
timelimit 3600
#TLSCipherSuite
TLSCertificateFile /etc/ssl/server.pem
TLSCACertificateFile /etc/ssl/server.pem
TLSCertificateKeyFile /etc/ssl/server.pem
database ldbm
lastmod on
readonly off
rootdn cn=manager
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
suffix ""
#updatedn
#updateref
cachesize 1000
dbcachesize 100000
directory /var/lib/openldap-ldbm
index objectClass,login,cn,sn,mail,givenname,display-name,mailalias eq
mode 0600

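The two ldapsearch outputs quoted further down in this thread (the proxy's answer and the backend's answer to the same search) are compared by eye to conclude that objectClass never makes it through the proxy. The script below does that comparison mechanically: it parses both LDIF results and reports, per entry, which attributes the backend returned but the proxy did not, and which attribute names are missing from every entry (the pattern that points at the proxy's schema or ACL handling rather than at individual entries). This is an added example, not code from the thread or from OpenLDAP; the two LDIF samples are constructed from the output quoted in the thread.

```python
"""Diff two ldapsearch LDIF outputs to see which attributes a proxy drops.

Added example for this thread; not code from the thread or from OpenLDAP.
The LDIF samples are constructed from the ldapsearch output quoted in the
thread (proxy first, backend second).
"""
import base64
from collections import defaultdict

# Constructed sample: the proxy's answer to  ldapsearch -x -b "O=PIPO"
PROXY_LDIF = """\
# extended LDIF
# filter: (objectclass=*)
#

# PIPO
dn: o=PIPO
dc: pipo.fr
o: PIPO

# TEST, PIPO
dn: cn=TEST, o=PIPO
cn: TEST
sn: TEST
mail: test@pipo.fr

# search result
search: 2
result: 0 Success
"""

# Constructed sample: the backend's answer to the same search
SERVER_LDIF = """\
version: 2

# PIPO
dn: o=PIPO
objectClass: Domain
objectClass: Organization
dc: pipo.fr
o: PIPO

# TEST, PIPO
dn: cn=TEST, o=PIPO
cn: TEST
objectClass: Person
login: test
sn: TEST
mail: test@pipo.fr
display-name: TEST

# search result
search: 2
result: 0 Success
"""


def normalize_dn(dn):
    """Lower-case a DN and drop spaces after commas, so that
    'cn=TEST, o=PIPO' and 'cn=test,o=pipo' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into {normalized dn: {attr: [values]}}.

    Handles '#' comments, RFC 2849 continuation lines (leading space),
    base64 values ('attr:: ...') and the 'search:'/'result:' trailer that
    ldapsearch prints after the last entry.  Attribute names are
    lower-cased because LDAP attribute types are case-insensitive.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None               # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):        # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            current = defaultdict(list)
            entries[normalize_dn(value)] = current
        elif current is not None:
            current[name].append(value)
        # 'version:', 'search:', 'result:' outside an entry are ignored
    return entries


def missing_attributes(proxy_ldif, server_ldif):
    """{dn: {attr: values}} for attributes the backend returned but the proxy
    did not; an entry the proxy dropped entirely shows all its attributes."""
    proxy, server = parse_ldif(proxy_ldif), parse_ldif(server_ldif)
    report = {}
    for dn, attrs in server.items():
        seen = proxy.get(dn, {})
        lost = {a: v for a, v in attrs.items() if a not in seen}
        if lost:
            report[dn] = lost
    return report


def dropped_everywhere(report):
    """Attribute names missing from every reported entry."""
    names = [set(lost) for lost in report.values()]
    return set.intersection(*names) if names else set()


if __name__ == "__main__":
    rep = missing_attributes(PROXY_LDIF, SERVER_LDIF)
    for dn, lost in rep.items():
        print(dn, "missing through the proxy:", ", ".join(sorted(lost)))
    print("dropped from every entry:", sorted(dropped_everywhere(rep)))
```

Run it against the output of `ldapsearch -x -h proxy ...` and `ldapsearch -x -h backend ...` issued with the same bind and filter; an attribute that is missing from every entry is a proxy-side issue (schema the proxy does not load, a `map` directive, or ACLs), while attributes missing from only some entries are usually per-entry ACL effects.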

-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Monday, 20 September 2004 14:18
To: Jean-Jacques Siquet
Cc: openldap-software@openldap.org
Subject: RE: 2.2.15 proxy database ldap
Importance: High

From the proxy, you appear to have no access to the objectClass attribute,
neither for filtering nor for reading.  You should investigate this.
Do you have any "map" directive in the proxy's slapd.conf that addresses
objectClasses?  Do you have any ACLs?  Is there any ACL addressing the
objectClass attribute in the master?

p.

> On my proxy:
> #ldapsearch -x -h localhost -b "O=PIPO"
> # extended LDIF
> #
> # LDAPv3
> # base <O=PIPO> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # PIPO
> dn: o=PIPO
> dc: pipo.fr
> o: PIPO
>
> # TEST, PIPO
> dn: cn=TEST, o=PIPO
> cn: TEST
> sn: TEST
> mail: test@pipo.fr
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> On my ldap's server:
> # ldapsearch -x -h localhost -b "O=PIPO"
> version: 2
>
> #
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # PIPO
> dn: o=PIPO
> objectClass: Domain
> objectClass: Organization
> dc: pipo.fr
> o: PIPO
>
> # TEST, PIPO
> dn: cn=TEST, o=PIPO
> cn: TEST
> objectClass: Person
> login: test
> sn: TEST
> mail: test@pipo.fr
> display-name: TEST
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
>
> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent: Monday, 20 September 2004 12:37
> To: Jean-Jacques Siquet
> Cc: openldap-software@openldap.org
> Subject: RE: 2.2.15 proxy database ldap
> Importance: High
>
> What if you directly search the remote server with the same filter?
>
> p.
>
>
>> On my proxy:
>>
>> conn=0 fd=7 ACCEPT from IP=127.0.0.1:60791 (IP=0.0.0.0:389)
>> conn=0 op=0 BIND dn="" method=128
>> conn=0 op=0 RESULT tag=97 err=0 text
>> conn=0 op=1 SRCH base="o=PIPO" scope=2 deref=0 filter="(objectClass=*)"
>> request 1 done
>> request 2 done
>> conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text
>> conn=0 op=2 UNBIND
>> conn=0 fd=7 closed
>> conn=1 fd=7 ACCEPT from IP=127.0.0.1:60795 (IP=0.0.0.0:389)
>> conn=1 op=0 BIND dn="" method=128
>> conn=1 op=0 RESULT tag=97 err=0 text
>> conn=1 op=1 SRCH base="o=PIPO" scope=2 deref=0 filter="(|(objectClass=organizationalPerson)(objectClass=person))"
>> request 3 done
>> conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text
>> conn=1 op=2 UNBIND
>> conn=1 fd=7 closed
>>
>>
>> It's not possible to stop the LDAP service on my server.
>>
>>
>> -----Original Message-----
>> From: Pierangelo Masarati [mailto:ando@sys-net.it]
>> Sent: Monday, 20 September 2004 12:09
>> To: Jean-Jacques Siquet
>> Cc: openldap-software@openldap.org
>> Subject: RE: 2.2.15 proxy database ldap
>> Importance: High
>>
>> Please reply on the list
>>
>>> How can I get the proxy's log?
>>
>> Start the proxy slapd with "-d <X>"; see slapd.conf(5), directive
>> "loglevel", for details.  Although "-1" would yield all the details, it
>> may result in too much stuff.  I suggest you start with 256 and, if
>> anything useful shows up, add other relevant log levels; or work
>> bottom-up: start with -1, see where the problem is and isolate the log
>> level that yields the relevant info.  It is likely that the problem is
>> not with the proxy (which simply passes info to the remote server) but
>> with the remote server itself; do the same there.  I suspect they both
>> receive a query that's not what you expected.
>>
>> p.
>>
>>>
>>> -----Original Message-----
>>> From: Pierangelo Masarati [mailto:ando@sys-net.it]
>>> Sent: Monday, 20 September 2004 11:19
>>> To: Jean-Jacques Siquet
>>> Cc: openldap-software@openldap.org
>>> Subject: Re: 2.2.15 proxy database ldap
>>> Importance: High
>>>
>>>
>>>> I want to set up an LDAP proxy; I have compiled with these options:
>>>>
>>>> ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin
>>>> --enable-ldap --disable-bdb
>>>
>>> Just a comment: --enable-ldap does not require --disable-bdb;
>>> it's a choice you explicitly make.
>>>
>>>>
>>>>
>>>>
>>>> The proxy works, but only with the default filter (objectclass=*); when
>>>> I do it with my groupware, the filter is
>>>> <(|(objectclass=organizationalPerson)(objectclass=person))> and there
>>>> is no result.
>>>
>>> I don't because you don't provide any info
>>> that could be of help.  Can you post the
>>> logs of the proxy and those of the remote
>>> server at a reasonable level for those
>>> operations that succeed and for those that fail?
>>>
>>> p.
>>>
>>> --
>>> Pierangelo Masarati
>>> mailto:pierangelo.masarati@sys-net.it
>>>
>>>
>>>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>>>
>>>
>>>
>>>
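The advice in the thread is to run the proxy and the backend with the stats log level (256) and compare what each side actually receives. Reading those records by hand gets tedious quickly, so here is a small parser for that log format: it groups the lines per (conn, op), joins each SRCH with its SEARCH RESULT, remembers which DN the connection was bound as (empty means anonymous, as in the proxy log above, where the proxy binds with dn=""), and lists searches that succeeded but returned nothing. This is an added example, not code from the thread or from OpenLDAP; the sample log is constructed from the proxy log quoted above, with each record put back on its own line and the empty `text=` field written the way slapd prints it (an assumption about how the original lines were wrapped).

```python
"""Summarise slapd 'stats' log lines (loglevel 256, or slapd -d 256) per search.

Added example for this thread; not code from the thread or from OpenLDAP.
SAMPLE_LOG is constructed from the proxy log quoted in the thread.
"""
import re

SAMPLE_LOG = """\
conn=0 fd=7 ACCEPT from IP=127.0.0.1:60791 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="o=PIPO" scope=2 deref=0 filter="(objectClass=*)"
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
conn=0 op=2 UNBIND
conn=0 fd=7 closed
conn=1 fd=7 ACCEPT from IP=127.0.0.1:60795 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="o=PIPO" scope=2 deref=0 filter="(|(objectClass=organizationalPerson)(objectClass=person))"
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=2 UNBIND
conn=1 fd=7 closed
"""

LINE_RE = re.compile(r'^conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
# Leading upper-case words name the event: BIND, SRCH, RESULT, SEARCH RESULT, UNBIND
EVENT_RE = re.compile(r'^([A-Z][A-Z ]*?)(?=\s+\w+=|$)')
# key=value or key="quoted value" (quoted values may contain '=' and spaces)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_stats_log(text):
    """One record per (conn, op): request line and RESULT line merged, plus
    the DN the connection was bound as when a search was issued."""
    bound_as = {}                           # conn -> DN of the last BIND
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue                        # ACCEPT/closed lines carry no op
        conn, op, rest = int(m.group("conn")), int(m.group("op")), m.group("rest")
        ev = EVENT_RE.match(rest)
        event = ev.group(1) if ev else ""
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        rec = ops.setdefault((conn, op), {"conn": conn, "op": op, "events": []})
        rec["events"].append(event)
        rec.update(fields)
        if event == "BIND":
            bound_as[conn] = fields.get("dn", "")
        elif event == "SRCH":
            rec["bind_dn"] = bound_as.get(conn, "")
    return list(ops.values())


def searches(text):
    """Per search: who asked, base and filter, result code, entries returned."""
    out = []
    for rec in parse_stats_log(text):
        if "SRCH" not in rec["events"]:
            continue
        out.append({
            "conn": rec["conn"], "op": rec["op"],
            "bind_dn": rec.get("bind_dn", ""),
            "base": rec.get("base"), "filter": rec.get("filter"),
            "err": int(rec["err"]) if rec.get("err", "") != "" else None,
            "nentries": int(rec["nentries"]) if rec.get("nentries", "") != "" else None,
        })
    return out


def empty_searches(text):
    """Searches that succeeded (err=0) but returned no entries."""
    return [s for s in searches(text) if s["err"] == 0 and s["nentries"] == 0]


if __name__ == "__main__":
    for s in searches(SAMPLE_LOG):
        who = s["bind_dn"] or "anonymous"
        print(f'conn={s["conn"]} op={s["op"]} as {who}: {s["filter"]} -> '
              f'err={s["err"]} nentries={s["nentries"]}')
```

Feed it the proxy's log and the backend's log for the same client request: if the backend shows the same filter with nentries=0 for an anonymous bind while a direct, authenticated ldapsearch finds entries, the place to look is the backend's ACLs for the attributes in the filter; if the filter the backend receives is not the one the client sent, the proxy (a `map` directive, or missing schema) rewrote it.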