Full_Name: Tim Watts Version: 2.4.23 OS: Debian 6/amd64 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (81.2.78.46)
Hi,
We load slapd up with actual entries for the dc=new,dc=example,dc=com domain.
slapd is configured to map all records with rwm/relay to dc=old,dc=example,dc=com so clients with the old config still work.
ie
we load a real record:
1) dn: uid=testuser,ou=people,dc=new,dc=example,dc=com
and we want clients asking about
2) dn: uid=testuser,ou=people,dc=old,dc=example,dc=com
will be served from (1)
======== OK here's an example ================
=== Server ====
Running debian 6 server with debian slapd 2.4.23-7.2
/usr/sbin/slapd -d 4 -h "ldap:/// ldaps:/// ldapi:///" -g openldap -u openldap -f /etc/ldap/slapd.conf
=== Test client ===
Running test against the "old" realm:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com
# Enter the wrong password and it fails correctly and server runs OK.
# Enter the right password and the client says:
ldap_result: Can't contact LDAP server (-1)
Server says (last few lines from slapd): [rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=old,dc=example,dc=com" [rw] bindDN: "uid=testuser,ou=people,dc=old,dc=example,dc=com" -> "uid=testuser,ou=people,dc=new,dc=example,dc=com" => ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com,0) <= ldap_bv2dn(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=testuser,ou=people,dc=new,dc=example,dc=com)=0 => bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" => bdb_entry_get: ndn: "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" ==> hdb_bind: dn: uid=testuser,ou=people,dc=new,dc=example,dc=com send_ldap_result: err=0 matched="" text="" => bdb_entry_get: ndn: "uid=testuser,ou=people,dc=new,dc=example,dc=com" => bdb_entry_get: oc: "(null)", at: "(null)" Segmentation fault
However, queries against the "new" domain work:
ldapwhoami -x -W -D uid=testuser,ou=people,dc=new,dc=example,dc=com Enter LDAP Password: dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
If I disable ppolicy in slapd.conf, queries agains the "old" domain work:
root@ldaptest1:/etc# ldapwhoami -x -W -D uid=testuser,ou=people,dc=old,dc=example,dc=com Enter LDAP Password: dn:uid=testuser,ou=people,dc=new,dc=example,dc=com
(the rewrite is not perfect - but that may not matter for my clients).
Almost certainly I have done something stupid - and it seems clear that ppolicy is being upset by the relay mappings. Any ideas how to fix would be *very* welcome - I have been all over Google and the man pages.
All the best!
Tim
OK - boring stuff:
slapd.conf ########################################### ####################################################################### # Global Directives:
# Features to permit allow bind_anon_cred bind_anon_dn update_anon
# Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel sync stats
sizelimit 5000 tool-threads 1
modulepath /usr/lib/ldap moduleload back_hdb moduleload back_relay moduleload rwm moduleload ppolicy
overlay rwm rwm-rewriteEngine on
backend hdb
####################################################################### # Global ACLs #
# Ensure read access to the base for things like # supportedSASLMechanisms. access to dn.base="" by * read
# The userPassword by default can be changed # by the entry owning it if they are authenticated. # This ACL must be first or password leakage will happen!!! access to attrs=userPassword,shadowLastChange by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=new,dc=example,dc=com" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write by self write by * auth
# The admin dn has full write access, everyone else # can read everything. Local unix domain socket (root only) # Can do everything access to * by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=new,dc=example,dc=com" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=new,dc=example,dc=com]/memberUid" write by * read
####################################################################### # Main new.example.com authoritative database #
database hdb suffix dc=new,dc=example,dc=com
rootdn "cn=admin,dc=new,dc=example,dc=com" rootpw "{SSHA}NoNoNooo..."
directory "/var/lib/ldap" dbconfig set_cachesize 0 134217728 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30
####################################################################### # # Password Policy # # overlay ppolicy ppolicy_default "cn=default,ou=pwpolicies,dc=new,dc=example,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext
####################################################################### # Virtual maps - compatibility with old.example.com only # # map dc=old to dc=new # database relay suffix "dc=old,dc=example,dc=com" relay "dc=new,dc=example,dc=com" overlay rwm rwm-suffixmassage "dc=new,dc=example,dc=com" ###########################################
Initial database loaded with slapadd from this ldif: ########################################### dn: dc=new,dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: new.example.com dc: new
dn: cn=admin,dc=new,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: NoNoNoooo...
dn: ou=people,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: people
dn: ou=groups,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: groups
dn: ou=pwpolicies,dc=new,dc=example,dc=com objectClass: organizationalUnit ou: pwpolicies
# # # Standard policy for normal people #
dn: cn=default,ou=pwpolicies,dc=new,dc=example,dc=com objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 15811200 pwdExpireWarning: 1814400 pwdGraceAuthnLimit: 3 pwdInHistory: 6 pwdCheckQuality: 2 pwdMaxFailure: 5 pwdMinLength: 8 pwdLockout: TRUE pwdLockoutDuration: 300 pwdFailureCountInterval: 300 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE
dn: uid=testuser,ou=people,dc=new,dc=example,dc=com objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: Test User employeeType: Staff gecos: Test User gidNumber: 1000 givenName: Test homeDirectory: /homes/testuser loginShell: /bin/bash mail: testuser@new.example.com sn: User uid: testuser uidNumber: 1000 userPassword: {SSHA}NoNoNoooo...
dn: cn=ddh-staff,ou=groups,dc=new,dc=example,dc=com objectClass: top objectClass: posixGroup cn: ddh-staff description: Test Group gidNumber: 1000 memberUid: testuser
dn: cn=sysadmin,ou=groups,dc=new,dc=example,dc=com objectClass: top objectClass: posixGroup cn: sysadmin description: Staff: System Admin Group gidNumber: 1001 memberUid: testuser
###########################################