(ITS#7770) mdb_stat in cn=monitor
by michael@stroeder.com
Full_Name:
Version:
OS:
URL:
Submission from: (NULL) (212.227.35.93)
Feature request:
It would be handy to have output of mdb_stat in cn=monitor.
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by clem.oudot@gmail.com
--001a11c36ad2fcb4a204ede39c11
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
2013/12/19 Christian Kratzer <ck(a)cksoft.de>
> Hi,
>
> On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:
> <snipp/>
>
>> I sent it by mail but I think it is too big and queued. So here is all
>>
>> configuration and test result:
>>
>> http://pastebin.com/earKiHnH
>>
>
> I have not worked trhough all your examples and configs yet as I am
> travelling at the moment but things seem quite clear to me.
>
>
> The password lock from you slaves never arrives on your master as you
> have not configured referrals or any other kind of replication of state
> from your slave to your master.
>
> That means the data on the masters and the slaves is inconsistent.
>
> As syncrepl as you use it always replaces the entire entry any changes
> from the master will complelete overrite anything on the slaves.
>
> There is no merging of data in syncrepl.
>
If you take time to read all I sent, you will see that a first modification
on the master DO NOT modifiy ppolicy attributes on the slave, the second
modification do. Whatever you think, there is a bug here.
If you read with caution the ppolicy draft, you will see that
pwdAccountLockedTime and some other attributes SHOULD NOT be replicated on
read-only replicas.
>
> This is working as designed and is not a bug by my understanding.
>
>
We disagree a lot on this point.
> You have at least following two options from what I see:
>
> 1. configure referrals and chaining so password locks etc... on the slav=
e
> get forwarded to the masters and replicated back to the slave.
>
> This means that you need to configure lcPPolicyForwardUpdates: TRUE
> and chaining on your slave.
>
I tested it with success (almost, see ITS#7767 and ITS#7768)
>
> 2. configure multimaster replication so password locks get replicated
> to your master.
>
>
I did not test if the bug occurs in multimaster, but I think not.
> You should close this ITS and we can discuss anything further on the
> regular mailing lists.
>
>
As said above, I am pretty sure there is a bug. Maybe an OpenLDAP developer
should give its opinion on this ITS.
Cl=E9ment.
--001a11c36ad2fcb4a204ede39c11
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">2013/12/19 Christian Kratzer <span dir=3D"ltr"><<a href=3D"mailt=
o:ck@cksoft.de" target=3D"_blank">ck(a)cksoft.de</a>></span><br><blockquot=
e class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc sol=
id;padding-left:1ex">
<div class=3D"im">Hi,<br>
<br>
On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:<br>
<snipp/><br>
</div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-l=
eft:1px #ccc solid;padding-left:1ex">
I sent it by mail but I think it is too big and queued. So here is all<div =
class=3D"im"><br>
configuration and test result:<br>
<br>
<a href=3D"http://pastebin.com/earKiHnH" target=3D"_blank">http://pastebin.=
com/earKiHnH</a><br>
</div></blockquote>
<br>
I have not worked trhough all your examples and configs yet as I am<br>
travelling at the moment but things seem quite clear to me.<br></blockquote=
><div>=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The password lock from you slaves never arrives on your master as you<br>
have not configured referrals or any other kind of replication of state<br>
from your slave to your master.<br>
<br>
That means the data on the masters and the slaves is inconsistent.<br>
<br>
As syncrepl as you use it always replaces the entire entry any changes<br>
from the master will complelete overrite anything on the slaves.<br>
<br>
There is no merging of data in syncrepl.<br></blockquote><div><br><br><br><=
/div><div>If you take time to read all I sent, you will see that a first mo=
dification on the master DO NOT modifiy ppolicy attributes on the slave, th=
e second modification do. Whatever you think, there is a bug here.<br>
</div><div><br><br><br></div><div>If you read with caution the ppolicy draf=
t, you will see that pwdAccountLockedTime and some other attributes SHOULD =
NOT be replicated on read-only replicas.<br></div><div><br>=A0</div><blockq=
uote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex">
<br>
This is working as designed and is not a bug by my understanding.<br>
<br></blockquote><div><br><br></div><div>We disagree a lot on this point.<b=
r><br><br></div><div>=A0</div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
You have at least following two options from what I see:<br>
<br>
1. =A0configure referrals and chaining so password locks etc... on the slav=
e<br>
=A0 =A0 get forwarded to the masters and replicated back to the slave.<br>
<br>
=A0 =A0 This means that you need to configure lcPPolicyForwardUpdates: TRUE=
<br>
=A0 =A0 and chaining on your slave.<br></blockquote><div><br><br></div><div=
>I tested it with success (almost, see ITS#7767 and ITS#7768)<br></div><div=
>=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bord=
er-left:1px #ccc solid;padding-left:1ex">
<br>
2. =A0configure multimaster replication so password locks get replicated<br=
>
=A0 =A0 to your master.<br>
<br></blockquote><div><br><br></div><div>I did not test if the bug occurs i=
n multimaster, but I think not.<br><br>=A0<br></div><blockquote class=3D"gm=
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex">
You should close this ITS and we can discuss anything further on the<br>
regular mailing lists.<div class=3D"HOEnZb"><div class=3D"h5"><br></div></d=
iv></blockquote><div><br><br><br><br></div><div>As said above, I am pretty =
sure there is a bug. Maybe an OpenLDAP developer should give its opinion on=
this ITS.<br>
<br><br>Cl=E9ment.<br></div></div></div></div>
--001a11c36ad2fcb4a204ede39c11--
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by ck@cksoft.de
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--4178219828-1095844242-1387443188=:27797
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Hi,
On Wed, 18 Dec 2013, Clément OUDOT wrote:
<snipp/>
> I sent it by mail but I think it is too big and queued. So here is all
> configuration and test result:
>
> http://pastebin.com/earKiHnH
I have not worked trhough all your examples and configs yet as I am
travelling at the moment but things seem quite clear to me.
The password lock from you slaves never arrives on your master as you
have not configured referrals or any other kind of replication of state
from your slave to your master.
That means the data on the masters and the slaves is inconsistent.
As syncrepl as you use it always replaces the entire entry any changes
from the master will complelete overrite anything on the slaves.
There is no merging of data in syncrepl.
This is working as designed and is not a bug by my understanding.
You have at least following two options from what I see:
1. configure referrals and chaining so password locks etc... on the slave
get forwarded to the masters and replicated back to the slave.
This means that you need to configure lcPPolicyForwardUpdates: TRUE
and chaining on your slave.
2. configure multimaster replication so password locks get replicated
to your master.
You should close this ITS and we can discuss anything further on the
regular mailing lists.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
--4178219828-1095844242-1387443188=:27797--
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by clem.oudot@gmail.com
--089e0160b79ae9bb0c04edcfeff1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
2013/12/18 <ck(a)cksoft.de>
> This message is in MIME format. The first part should be readable text=
,
> while the remaining parts are likely unreadable without MIME-aware tool=
s.
>
> --4178219828-444410844-1387368134=3D:27797
> Content-Type: TEXT/PLAIN; charset=3DUTF-8; format=3Dflowed
> Content-Transfer-Encoding: 8BIT
>
> Hi,
>
> On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:
> <snipp/>
> > Well, I checked that the pwdLockoutDuration was correctly set (The valu=
e
> > in my case is 1200, so 20 minutes, much more than my tests). Other
> > proof, the values of pwdFailureTime are not erased, but replaced by
> > those of the master.
> >
> >
> >> It is of course also quite possible that you have hit a special corner
> >> case that nobody else has yet found.
> >
> >
> > I think so. I have to say that I use standard syncrepl, not
> delta-syncrepl.
> >
> >
> >>
> >> The best thing you could do would be to setup a small self contained
> >> test case to illustrate the problem.
> >>
> >
> > I will try to, but seems really easy to reproduce : configure master an=
d
> > slave with ppolicy, lock an account in slave, update same account on
> > master (change description) a first time and a second time.
>
> are you sure the account lock actually arrives on the master ?
>
> Are you using olcPPolicyForwardUpdates to actually get the account
> locked on the master and not only on the slaves ?
>
> If you do not have all the lock attributes on the master and you modify
> the entry it will get replaced on the slaves.
>
> Can you post your master and slave configs somewhere ?
>
>
I sent it by mail but I think it is too big and queued. So here is all
configuration and test result:
http://pastebin.com/earKiHnH
Cl=E9ment.
--089e0160b79ae9bb0c04edcfeff1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><br><div class=3D"gmail=
_quote">2013/12/18 <span dir=3D"ltr"><<a href=3D"mailto:ck@cksoft.de" t=
arget=3D"_blank">ck(a)cksoft.de</a>></span><br><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,=
204);padding-left:1ex">
=A0 This message is in MIME format. =A0The first part should be readable te=
xt,<br>
=A0 while the remaining parts are likely unreadable without MIME-aware tool=
s.<br>
<br>
--4178219828-444410844-1387368134=3D:27797<br>
Content-Type: TEXT/PLAIN; charset=3DUTF-8; format=3Dflowed<br>
Content-Transfer-Encoding: 8BIT<br>
<br>
Hi,<br>
<br>
On Wed, 18 Dec 2013, Cl=E9ment OUDOT wrote:<br>
<snipp/><br>
<div class=3D"im">> Well, I checked that the pwdLockoutDuration was corr=
ectly set (The value<br>
> in my case is 1200, so 20 minutes, much more than my tests). Other<br>
> proof, the values of pwdFailureTime are not erased, but replaced by<br=
>
> those of the master.<br>
><br>
><br>
>> It is of course also quite possible that you have hit a special co=
rner<br>
>> case that nobody else has yet found.<br>
><br>
><br>
> I think so. I have to say that I use standard syncrepl, not delta-sync=
repl.<br>
><br>
><br>
>><br>
>> The best thing you could do would be to setup a small self contain=
ed<br>
>> test case to illustrate the problem.<br>
>><br>
><br>
> I will try to, but seems really easy to reproduce : configure master a=
nd<br>
> slave with ppolicy, lock an account in slave, update same account on<b=
r>
> master (change description) a first time and a second time.<br>
<br>
</div>are you sure the account lock actually arrives on the master ?<br>
<br>
Are you using olcPPolicyForwardUpdates to actually get the account<br>
locked on the master and not only on the slaves ?<br>
<br>
If you do not have all the lock attributes on the master and you modify<br>
the entry it will get replaced on the slaves.<br>
<br>
Can you post your master and slave configs somewhere ?<br>
<div class=3D"im"><br></div></blockquote><div><br><br></div><div>I sent it =
by mail but I think it is too big and queued. So here is all configuration =
and test result:<br><br><a href=3D"http://pastebin.com/earKiHnH">http://pas=
tebin.com/earKiHnH</a><br>
<br></div><div>Cl=E9ment.<br></div></div></div></div>
--089e0160b79ae9bb0c04edcfeff1--
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by ck@cksoft.de
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--4178219828-444410844-1387368134=:27797
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Hi,
On Wed, 18 Dec 2013, Clément OUDOT wrote:
<snipp/>
> Well, I checked that the pwdLockoutDuration was correctly set (The value
> in my case is 1200, so 20 minutes, much more than my tests). Other
> proof, the values of pwdFailureTime are not erased, but replaced by
> those of the master.
>
>
>> It is of course also quite possible that you have hit a special corner
>> case that nobody else has yet found.
>
>
> I think so. I have to say that I use standard syncrepl, not delta-syncrepl.
>
>
>>
>> The best thing you could do would be to setup a small self contained
>> test case to illustrate the problem.
>>
>
> I will try to, but seems really easy to reproduce : configure master and
> slave with ppolicy, lock an account in slave, update same account on
> master (change description) a first time and a second time.
are you sure the account lock actually arrives on the master ?
Are you using olcPPolicyForwardUpdates to actually get the account
locked on the master and not only on the slaves ?
If you do not have all the lock attributes on the master and you modify
the entry it will get replaced on the slaves.
Can you post your master and slave configs somewhere ?
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
--4178219828-444410844-1387368134=:27797--
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by coudot@linagora.com
On 16/12/2013 22:10, Christian Kratzer wrote:
> Hi,
>
> On Mon, 16 Dec 2013, coudot(a)linagora.com wrote:
>> Full_Name: Cl?ment OUDOT
>> Version: 2.4.38
>> OS: GNU/Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (88.173.78.196)
>>
>>
>> I have a simple setup with a master (overlay syncprov + overlay
>> ppolicy) and a
>> slave (syncrepl client, overlay ppolicy).
>>
>> 1. I lock my account in the slave
>> 2. I change the description attribute of my account a first time in
>> the master
>> 3. My account is still locked in the slave
>> 4. I change the description attribute of my account a second time in
>> the master
>> 5. My account is no more locked in the slave: the password policy
>> operational
>> attributes pwdFailureTime and pwdAccountUnlockTime were erased by the
>> one of the
>> master
>>
>> Seems like a control is done the first time that syncrepl update the
>> entry (the
>> first time, pwdAccountLockTime and pwdFailureTime are not erased),
>> but the
>> second time the control is not done.
>
> I have had a very similar setup for some time now and have never
> observed this kind of behaviour from the ppolicy overlay. I am quite
> confident it should work correctly in the situation you describe.
>
> There might be a valid reason for pwdAccountLockedtime and
> pwdFailureTime attributes disappearing like perhaps expiry of
> pwdLockoutDuration. Please see the account_locked() function in
> servers/slapd/overlay/ppolicy.c for this.
>
Well, I checked that the pwdLockoutDuration was correctly set (The value
in my case is 1200, so 20 minutes, much more than my tests). Other
proof, the values of pwdFailureTime are not erased, but replaced by
those of the master.
> It is of course also quite possible that you have hit a special corner
> case that nobody else has yet found.
I think so. I have to say that I use standard syncrepl, not delta-syncrepl.
>
> The best thing you could do would be to setup a small self contained
> test case to illustrate the problem.
>
I will try to, but seems really easy to reproduce : configure master and
slave with ppolicy, lock an account in slave, update same account on
master (change description) a first time and a second time.
This behavior was detected by one of my customer, and I was able to
reproduce it on my own computer.
Clément.
9 years, 5 months
Re: (ITS#7766) Account unlocked in slave after two modifications on a master (overlay ppolicy)
by ck@cksoft.de
Hi,
On Mon, 16 Dec 2013, coudot(a)linagora.com wrote:
> Full_Name: Cl?ment OUDOT
> Version: 2.4.38
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (88.173.78.196)
>
>
> I have a simple setup with a master (overlay syncprov + overlay ppolicy) and a
> slave (syncrepl client, overlay ppolicy).
>
> 1. I lock my account in the slave
> 2. I change the description attribute of my account a first time in the master
> 3. My account is still locked in the slave
> 4. I change the description attribute of my account a second time in the master
> 5. My account is no more locked in the slave: the password policy operational
> attributes pwdFailureTime and pwdAccountUnlockTime were erased by the one of the
> master
>
> Seems like a control is done the first time that syncrepl update the entry (the
> first time, pwdAccountLockTime and pwdFailureTime are not erased), but the
> second time the control is not done.
I have had a very similar setup for some time now and have never observed this kind of behaviour from the ppolicy overlay. I am quite confident it should work correctly in the situation you describe.
There might be a valid reason for pwdAccountLockedtime and pwdFailureTime attributes disappearing like perhaps expiry of pwdLockoutDuration. Please see the account_locked() function in servers/slapd/overlay/ppolicy.c for this.
It is of course also quite possible that you have hit a special corner case that nobody else has yet found.
The best thing you could do would be to setup a small self contained test case to illustrate the problem.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
9 years, 5 months
Re: (ITS#7764) RFE: library lber method which returns the ber size even if the ber is overflown
by nhosoi@gmail.com
--001a11c1a2f087afb804edaadb8d
Content-Type: text/plain; charset=ISO-8859-1
Thank you, Howard!
You are right. We are not getting LBER_OVERFLOW, but having the return
code LBER_DEFAULT and "errno == ERANGE". Also, indeed there is no
particular size limits in openldap lber library unless setting the max
incoming ber size with this API:
ber_sockbuf_ctrl(sockbuf, LBER_SB_OPT_SET_MAX_INCOMING, &maxsize);
We'd like to avoid receiving, e.g., 100MB ber's, but we'd like to also have
a method to log the rejected incoming ber size just in case the
administrator may want to allow to receive it.
Best regards,
--Noriko Hosoi
On Sun, Dec 15, 2013 at 3:58 AM, Howard Chu <hyc(a)symas.com> wrote:
> nhosoi(a)gmail.com wrote:
>
>> Full_Name: Noriko Hosoi
>> Version: 2.4.35-4
>> OS: Fedora 18
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (209.132.181.86)
>>
>>
>> We use the OpenLdap library in our software. LDAP clients could send too
>> large
>> ber and cause LBER_OVERFLOW (or LBER_DEFAULT) to the lber APIs. We'd
>> like to
>> learn how large the ber size we should prepare from the error. When we
>> look
>> into the BerElement ber using gdb, ber->ber_len stores the value. But the
>> value
>> is not returned to the caller when the API fails, e.g., by the overflow.
>> Could
>> it be possible to have a way to retrieve the ber size under any condition?
>>
>
> That doesn't sound like OpenLDAP, we have no LBER_OVERFLOW error code. Nor
> do we have any particular size limits on a BerElement, other than fitting
> into a long.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
--001a11c1a2f087afb804edaadb8d
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div><div><div>Thank you, Howard!=A0 <br><br>You are right=
.=A0 We are not getting LBER_OVERFLOW, but having the return code LBER_DEFA=
ULT and "errno =3D=3D ERANGE".=A0 Also, indeed there is no partic=
ular size limits in openldap lber library unless setting the max incoming b=
er size with this API:<br>
=A0=A0=A0 ber_sockbuf_ctrl(sockbuf, LBER_SB_OPT_SET_MAX_INCOMING, &maxs=
ize);<br><br></div>We'd like to avoid receiving, e.g., 100MB ber's,=
but we'd like to also have a method to log the rejected incoming ber s=
ize just in case the administrator may want to allow to receive it.<br>
<br></div>Best regards,<br></div>--Noriko Hosoi<br></div><div class=3D"gmai=
l_extra"><br><br><div class=3D"gmail_quote">On Sun, Dec 15, 2013 at 3:58 AM=
, Howard Chu <span dir=3D"ltr"><<a href=3D"mailto:hyc@symas.com" target=
=3D"_blank">hyc(a)symas.com</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><a href=3D"mailto:nhosoi@gmail.com" target=
=3D"_blank">nhosoi(a)gmail.com</a> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
Full_Name: Noriko Hosoi<br>
Version: 2.4.35-4<br>
OS: Fedora 18<br>
URL: <a href=3D"ftp://ftp.openldap.org/incoming/" target=3D"_blank">ftp://f=
tp.openldap.org/<u></u>incoming/</a><br>
Submission from: (NULL) (209.132.181.86)<br>
<br>
<br>
We use the OpenLdap library in our software. =A0LDAP clients could send too=
large<br>
ber and cause LBER_OVERFLOW (or LBER_DEFAULT) to the lber APIs. =A0We'd=
like to<br>
learn how large the ber size we should prepare from the error. =A0When we l=
ook<br>
into the BerElement ber using gdb, ber->ber_len stores the value. But th=
e value<br>
is not returned to the caller when the API fails, e.g., by the overflow. =
=A0Could<br>
it be possible to have a way to retrieve the ber size under any condition?<=
br>
</blockquote>
<br>
That doesn't sound like OpenLDAP, we have no LBER_OVERFLOW error code. =
Nor do we have any particular size limits on a BerElement, other than fitti=
ng into a long.<span class=3D"HOEnZb"><font color=3D"#888888"><br>
<br>
-- <br>
=A0 -- Howard Chu<br>
=A0 CTO, Symas Corp. =A0 =A0 =A0 =A0 =A0 <a href=3D"http://www.symas.com" t=
arget=3D"_blank">http://www.symas.com</a><br>
=A0 Director, Highland Sun =A0 =A0 <a href=3D"http://highlandsun.com/hyc/" =
target=3D"_blank">http://highlandsun.com/hyc/</a><br>
=A0 Chief Architect, OpenLDAP =A0<a href=3D"http://www.openldap.org/project=
/" target=3D"_blank">http://www.openldap.org/<u></u>project/</a><br>
</font></span></blockquote></div><br></div>
--001a11c1a2f087afb804edaadb8d--
9 years, 5 months
(ITS#7768) Use of olcDbUri in LDAP/Chain configuration for ppolicy_forward_updates
by coudot@linagora.com
Full_Name: Clément OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.173.78.196)
I set up a slave configuration with ppolicy_forward_updates feature.
In my data backend config, I have:
olcUpdateRef: ldap://localhost:389
And I created the chain overlay and a sub ldap backend like this:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcChainConfig
objectClass: olcOverlayConfig
olcOverlay: {0}chain
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbIDAssertBind: bindmethod="simple" binddn="cn=admin,dc=example,dc=com"
credentials="secret" mode="none"
This configuration do not work: the BIND on the master server is done
anonymously, despite the olcDbIDAssertBind value.
To work, I need to add:
olcDbUri: ldap://localhost:389
Seems the problem exist in OpenLDAP unit test 32, see
tests/data/slapd-chain1.conf :
# uses the chain overlay as global;
# no chain-URI is configured, so the URI is parsed out of the referral
overlay chain
chain-uri @URI2@
chain-idassert-bind bindmethod=simple
binddn="cn=Manager,dc=example,dc=com"
credentials=secret
mode=self
flags=non-prescriptive
The comment say "no chain-URI is configured', but the chain-uri is configured.
Where is the truth?
9 years, 5 months
