
Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
On Thursday, April 27, 2017 4:48 AM, Howard Chu <hyc@symas.com> wrote:


> mailing lists wrote:
> > I am testing the chain overlay from a read-only slave (consumer) slapd server
> > to a read-write master (provider), but what I am seeing is an anonymous bind
> > from the consumer to the provider instead of the authorization identity
> > configured in the chain directive.
>
> Have you successfully run test032 in the test suite? Have you compared your
> config to the config used in that test?

Yes, I ran test032, but I am struggling to understand it. It is different from the example given in the admin guide.

This is what I get running the test:

root@localhost:/tmp/openldap-2.4.44/tests # ./run -b mdb test032-chain
Cleaning up test run directory leftover from previous run.
Running ./scripts/test032-chain for mdb...
running defines.sh
Running slapadd to build slapd database...
Starting first slapd on TCP/IP port 9011...
Starting second slapd on TCP/IP port 9012...
Using ldapsearch to check that first slapd is running...
Using ldapsearch to check that second slapd is running...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9011...
Comparing "ou=Other,dc=example,dc=com" on port 9011 with manageDSAit control...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9012...
Comparing "ou=Other,dc=example,dc=com" on port 9012 with manageDSAit control...
Writing to first server with scope on second server...
Writing to second server with scope on first server...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Using ldappasswd on second server with scope on first server...
Binding with newly changed password on first server...
dn:cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
Reading the referral entry "ou=Can't Contact,dc=example,dc=com" as anonymous on port 9011...
>>>>> Test succeeded


The configuration files generated were:

root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf
include         ./schema/core.schema
include         ./schema/cosine.schema
include         ./schema/inetorgperson.schema
include         ./schema/openldap.schema
include         ./schema/nis.schema
pidfile         /tmp/openldap-2.4.44/tests/testrun/slapd.1.pid
argsfile        /tmp/openldap-2.4.44/tests/testrun/slapd.1.args
modulepath      ../servers/slapd/back-mdb/
moduleload      back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
overlay         chain
chain-uri       ldap://localhost:9012/
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Manager,dc=example,dc=com"
                        credentials=secret
                        mode=self
                        flags=non-prescriptive
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /tmp/openldap-2.4.44/tests/testrun/db.1.a
index           objectClass     eq
index           cn,sn,uid       pres,eq,sub
database        monitor


and:

root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf
include         ./schema/core.schema
include         ./schema/cosine.schema
include         ./schema/inetorgperson.schema
include         ./schema/openldap.schema
include         ./schema/nis.schema
pidfile         /tmp/openldap-2.4.44/tests/testrun/slapd.2.pid
argsfile        /tmp/openldap-2.4.44/tests/testrun/slapd.2.args
modulepath      ../servers/slapd/back-mdb/
moduleload      back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /tmp/openldap-2.4.44/tests/testrun/db.2.a
index           objectClass     eq
index           cn,sn,uid       pres,eq,sub
overlay         chain
chain-uri       ldap://localhost:9011/
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Manager,dc=example,dc=com"
                        credentials=secret
                        mode=self
                        flags=non-prescriptive
database        monitor


Now, updating the "drink" attribute on slapd 2 (port 9012) shows the update on both servers:

root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf -h ldap://0.0.0.0:9012/ -d stats -d stats2 -d sync
59089363 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
        root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089363 slapd starting
59089392 conn=1000 fd=10 ACCEPT from IP=127.0.0.1:41182 (IP=0.0.0.0:9012)
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=2 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=3 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=3 SRCH attr=* +
59089392 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=4 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=4 SRCH attr=* +
59089392 conn=1000 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=



root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf -h ldap://0.0.0.0:9011/ -d stats -d stats2 -d sync
59089369 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
        root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089369 slapd starting

59089392 conn=1000 fd=10 ACCEPT from IP=10.20.30.112:40118 (IP=0.0.0.0:9011)
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=1 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=2 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=3 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089392 conn=1000 op=3 MOD attr=drink
59089392 slap_queue_csn: queueing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 op=3 RESULT tag=103 err=0 text=
59089392 slap_graduate_commit_csn: removing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 fd=10 closed (connection lost)



But how is it possible for both servers to be updated without syncrepl configured (as the example in the admin guide does)?
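The question running through this thread is which identity the provider actually sees on connections arriving from the chaining consumer: the `binddn` configured in `chain-idassert-bind`, or an anonymous bind. The `-d stats` output shown above is the place to check that, because slapd logs `ACCEPT from IP=...`, `BIND dn="..." method=...` and the operation lines per connection. The following script is an added example, not code from the thread or from the OpenLDAP project: it parses lines in that stats format, groups them by connection, and reports connections that performed write operations anonymously, as well as connections from a given peer address that did not bind as the expected idassert identity. The log lines inside `SAMPLE_LOG` are constructed for this example in the same format as the output above; the regular expressions assume that format and nothing else about slapd internals.

```python
"""Audit slapd `-d stats` log lines for the bind identity used per connection.

Added example for the chain-overlay discussion; not part of the original
thread or of OpenLDAP. Assumes the `conn=N op=M ...` line format that slapd
emits with `-d stats` (an optional numeric timestamp may precede it).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|MOD|ADD|DEL|MODRDN|CMP|EXT)\b')
WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}


@dataclass
class ConnInfo:
    conn: int
    peer: str = ""
    bind_dn: Optional[str] = None   # None: no BIND seen at all (implicit anonymous)
    mech: Optional[str] = None
    ssf: int = 0
    ops: Dict[int, str] = field(default_factory=dict)  # op number -> op type

    @property
    def anonymous(self) -> bool:
        # Both "no BIND on this connection" and BIND dn="" are anonymous.
        return not self.bind_dn

    def writes(self) -> List[str]:
        return [t for t in self.ops.values() if t in WRITE_OPS]


def parse_stats(lines: Iterable[str]) -> Dict[int, ConnInfo]:
    """Group stats lines by connection id and record peer, bind identity and ops."""
    conns: Dict[int, ConnInfo] = {}

    def get(cid: str) -> ConnInfo:
        return conns.setdefault(int(cid), ConnInfo(conn=int(cid)))

    for line in lines:
        if m := ACCEPT_RE.search(line):
            get(m.group(1)).peer = m.group(2)
        elif m := BIND_RE.search(line):
            get(m.group(1)).bind_dn = m.group(2)
        elif m := MECH_RE.search(line):
            c = get(m.group(1))
            c.mech, c.ssf = m.group(2), int(m.group(3))
        elif m := OP_RE.search(line):
            # "MOD attr=..." repeats the op number of "MOD dn=..."; keep the first.
            get(m.group(1)).ops.setdefault(int(m.group(2)), m.group(3))
    return conns


def anonymous_writes(conns: Dict[int, ConnInfo]) -> List[int]:
    """Connections that issued write operations without an authenticated bind."""
    return sorted(c.conn for c in conns.values() if c.anonymous and c.writes())


def unexpected_identity(conns: Dict[int, ConnInfo], peer_ip: str, expected_dn: str) -> List[int]:
    """Connections from peer_ip (e.g. the chaining consumer) whose bind DN is not
    the configured idassert identity. Case-insensitive string match only, not a
    full RFC 4514 DN normalisation."""
    want = expected_dn.lower()
    return sorted(c.conn for c in conns.values()
                  if c.peer == peer_ip and (c.bind_dn or "").lower() != want)


def report(conns: Dict[int, ConnInfo]) -> List[str]:
    out = []
    for c in sorted(conns.values(), key=lambda c: c.conn):
        ident = "ANONYMOUS" if c.anonymous else f"{c.bind_dn} ({c.mech} ssf={c.ssf})"
        ops = ", ".join(c.ops[k] for k in sorted(c.ops)) or "none"
        out.append(f"conn={c.conn} from {c.peer or '?'}: bound as {ident}; ops: {ops}")
    return out


# Constructed sample in the `-d stats` format: one authenticated chained write,
# one anonymous write attempt, and one unauthenticated search from another host.
SAMPLE_LOG = """\
59089392 conn=1000 fd=10 ACCEPT from IP=127.0.0.1:41182 (IP=0.0.0.0:9011)
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089392 conn=1000 op=1 MOD attr=drink
59089392 conn=1000 op=1 RESULT tag=103 err=0 text=
59089392 conn=1000 fd=10 closed
59089400 conn=1001 fd=11 ACCEPT from IP=127.0.0.1:41190 (IP=0.0.0.0:9011)
59089400 conn=1001 op=0 BIND dn="" method=128
59089400 conn=1001 op=0 RESULT tag=97 err=0 text=
59089400 conn=1001 op=1 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089400 conn=1001 op=1 MOD attr=drink
59089400 conn=1001 op=1 RESULT tag=103 err=50 text=
59089400 conn=1001 fd=11 closed
59089410 conn=1002 fd=12 ACCEPT from IP=10.20.30.112:40118 (IP=0.0.0.0:9011)
59089410 conn=1002 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=melliot)"
59089410 conn=1002 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089410 conn=1002 fd=12 closed
"""

if __name__ == "__main__":
    conns = parse_stats(SAMPLE_LOG.splitlines())
    print("\n".join(report(conns)))
    print("anonymous writes on:", anonymous_writes(conns))
    print("consumer connections not bound as idassert DN:",
          unexpected_identity(conns, "127.0.0.1", "cn=Manager,dc=example,dc=com"))
```

Run against the provider's own stats output, with `peer_ip` set to the consumer's address and `expected_dn` to the `binddn` from `chain-idassert-bind`, the second check lists exactly the connections where the chained operation did not carry the configured identity; an empty list is the confirmation that the idassert bind is working as configured.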