Federico Grau wrote:
Hello Pierangelo,
First, thank you for the response. I will re-test with the current stable release (2.3.32).
After reading the CHANGES in re23, you should rather use 2.3.35.
FYI, we chose the slapd-meta backend to allow for redundancy and work with multiple remote servers (I had read in the man page "the ldap backend is intended to proxy operations directed to a single server").
If by "redundancy" you mean that in case of failure of a server another one will be contacted, then it has nothing to do with the difference between back-meta and back-ldap. The way both handle lists of multiple servers in case of failure is identical. Back-meta assumes that the servers related to each "uri" statement contain different data. So
database ldap uri "ldap://ldap.example.com ldap://backup.example.com"
is redundancy (sort of);
database meta uri "ldap://ldap.example.com/<suffix> ldap://backup.example.com"
is exactly the same level of redundancy (sort of);
database meta uri "ldap://ldap.example.com/<suffix>" uri "ldap://backup.example.com/<suffix>"
is a configuration error...
Would you have a sample configuration file for the working situation? I never see a "simple authentication" bind go out from the OpenLDAP meta server, so something is definitely wrong on that end (either configuration or bug).
I tested:
database ldap
suffix "ou=windows,dc=rfa,dc=org"
uri "ldap://:9011/"
overlay rwm
rwm-suffixmassage "ou=windows,dc=rfa,dc=org" "ou=People,dc=example,dc=com"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret" mode=none

database meta
suffix "ou=windows,dc=rfa,dc=org"
uri "ldap://:9011/ou=windows,dc=rfa,dc=org"
suffixmassage "ou=windows,dc=rfa,dc=org" "ou=People,dc=example,dc=com"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret" mode=none
where, of course, in both cases ldap://:9011 was pointing to another instance of slapd running on port 9011 as resulting from running test003. To make sure authentication was progressing, I modified the configuration of that slapd with a simple
access to * by * auth
so that the only way data could be read was after successfully binding as the rootdn of the remote server, as configured in both idassert-bind.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
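As an added example, not code from this thread or from OpenLDAP itself: a small Python check that reads the uri statements of a back-ldap or back-meta database from a slapd.conf fragment and tells apart the failover list inside one uri statement from the duplicate-naming-context case that the reply above calls a configuration error. The three config fragments are constructed to mirror the reply's cases.

```python
import re
from urllib.parse import unquote

# Constructed slapd.conf fragments mirroring the three cases in the reply.
LDAP_FAILOVER = 'database ldap\nuri "ldap://ldap.example.com ldap://backup.example.com"\n'
META_FAILOVER = ('database meta\n'
                 'uri "ldap://ldap.example.com/dc=example,dc=com ldap://backup.example.com"\n')
META_ERROR = ('database meta\n'
              'uri "ldap://ldap.example.com/dc=example,dc=com"\n'
              'uri "ldap://backup.example.com/dc=example,dc=com"\n')


def naming_context(uri):
    """Naming context of an LDAP URI, normalised (empty string if the URI has none)."""
    m = re.match(r'^[a-z]+://[^/]*(?:/([^?]*))?', uri, re.I)
    ctx = m.group(1) if m and m.group(1) else ''
    return re.sub(r'\s*,\s*', ',', unquote(ctx)).lower()


def check_proxy_uris(conf):
    """Parse the uri statements of the first proxy database in a slapd.conf fragment.

    Returns (backend, targets, errors) where each target is (hosts, context).
    Several hosts inside one uri statement are failover alternates for the same
    data; in back-meta a second uri statement that repeats an earlier naming
    context is reported, since each target is expected to hold different data.
    """
    backend, targets, errors = None, [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith('database '):
            backend = line.split()[1]
        elif line.startswith('uri ') and backend:
            uris = line[4:].strip().strip('"').split()
            hosts = [re.sub(r'^[a-z]+://([^/]*).*$', r'\1', u, flags=re.I) for u in uris]
            ctx = naming_context(uris[0])  # back-meta takes the context from the first URI
            if backend == 'meta' and any(c == ctx for _, c in targets):
                errors.append('duplicate naming context %r across uri statements' % ctx)
            targets.append((hosts, ctx))
    return backend, targets, errors


if __name__ == '__main__':
    for name, conf in (('ldap', LDAP_FAILOVER), ('meta', META_FAILOVER), ('meta-error', META_ERROR)):
        print(name, check_proxy_uris(conf))
```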