Christian Marg wrote, on 04-09-2007 18:38:
> I always find it helpful to look into the log files of the openldap-servers. On FreeBSD it's /var/log/debug.log.
> Personally I find
> loglevel 256
> which "stats log connections/operations/results" most helpful. If you are not sure how to interpret log entries, edit them to remove sensitive content and post them, perhaps - if it's more than 10 lines or so - using a pastebin (e.g. pastebin.ca or something)
Hmmm ... I'm used to tailing the slapd logs, I go square-eyed looking at them at all possible values. Level 256 below.
> Of course it seems weird to first have to disable and then later on to enable "chain-rebind-as-user". It seems that this is because one shouldn't rely on default values (as they might change). In the second chain-uri-stanza of the example they don't set the rebind-flag again, so I'd assume that the "global" value set after "overlay chain" will be applied.
> Anyway: the best thing next to an explanation I found of what ..rebind-as-user does is in slapd-ldap:
> ---------8<---------8<---------8<---------8<---------8<---------8<---------
> rebind-as-user {NO|yes}
>
> If this option is given, the client's bind credentials are remembered for rebinds, when trying to re-establish a broken connection, or when chasing a referral, if chase-referrals is set to yes.
> ---------8<---------8<---------8<---------8<---------8<---------8<---------
> chase-referrals is specific to SLAPD-LDAP and isn't documented in SLAPO-CHAIN.
> So I assume that something concerning the credentials breaks - the log should help you pinpoint what exactly.
Why should it? Do you have chaining running?
Log lines (really, there are only 3) while changing a test user's password on the chaining consumer/slave:
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD attr=userPassword
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 RESULT tag=103 err=0 text=
The "103" signifies a referral with err=0; good, if there were problems with the referral there would have been an err=10.
Log on the provider/master:
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD attr=userPassword
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 RESULT tag=103 err=0 text=
Honestly, I'm no wiser from this. It just shows that there has been a referral, that a MOD operation has been carried out with no error.
Googling for chain-rebind-as-user brought up 2 helpful OL ML threads (out of a total of 3 references) whereby Pierangelo Masarati stressed the importance of the chaining proxy on the master having authZTo configured; well, since we use digest-md5 SASL for Postfix and other things, it is (this could cause further problems for Taymour A. El Erian).
I can only assume I'm one of the few people in the world who needs real-world chaining and has it - and subscribes to this ML.
Best,
--Tonni
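As an added example (not part of the thread), here is a small parser for the loglevel 256 "stats" lines exchanged above: it groups lines by (conn, op), decodes the tag= value as the LDAPv3 response operation tag from RFC 4511 and the err= value as an LDAP result code, and lists operations that did not end in err=0. The sample input reuses the consumer-side lines quoted in the message plus a constructed second operation (conn=23044, err=10) so the failure path is exercised.

```python
import re
# LDAPv3 response operation tags (RFC 4511 BER APPLICATION tags) as slapd prints them in tag=.
RESPONSE_TAGS = {97: "bindResponse", 101: "searchResDone", 103: "modifyResponse",
                 105: "addResponse", 107: "delResponse", 109: "modDNResponse",
                 111: "compareResponse", 120: "extendedResp"}
# LDAP result codes a consumer log is likely to show; others are reported numerically.
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}
LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(?: (.*))?$")
RESULT_RE = re.compile(r"tag=(\d+) err=(\d+)")
# Constructed sample: the consumer-side lines quoted in the message, plus an invented
# second operation (conn=23044, err=10) so the failure path is exercised.
SAMPLE_LOG = """\
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD attr=userPassword
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 RESULT tag=103 err=0 text=
Sep 5 08:27:11 oikos slapd2.3[22295]: conn=23044 op=3 MOD dn="cn=testuser,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:27:11 oikos slapd2.3[22295]: conn=23044 op=3 MOD attr=userPassword
Sep 5 08:27:11 oikos slapd2.3[22295]: conn=23044 op=3 RESULT tag=103 err=10 text=
"""

def parse_stats_log(text):
    """Group loglevel-256 lines by (conn, op); return one record per operation."""
    ops = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connection-level lines (ACCEPT, closed, ...) carry no op= and are skipped
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4) or ""
        rec = ops.setdefault((conn, op), {"kind": None, "dn": None, "attrs": [], "tag": None, "err": None})
        if kind == "RESULT":
            r = RESULT_RE.match(rest)
            if r:
                rec["tag"], rec["err"] = int(r.group(1)), int(r.group(2))
        else:
            rec["kind"] = kind  # MOD, ADD, SRCH, BIND, ...
            if rest.startswith("dn="):
                rec["dn"] = rest[3:].strip('"')
            elif rest.startswith("attr="):
                rec["attrs"].append(rest[5:])
    return ops

def describe(rec):
    """Decode one operation's tag= and err= values into readable names."""
    tag = RESPONSE_TAGS.get(rec["tag"], f"tag {rec['tag']}")
    err = RESULT_CODES.get(rec["err"], f"err {rec['err']}")
    return f"{rec['kind']} {rec['dn']} attrs={rec['attrs']} -> {tag}, {err}"

def failed_ops(text):
    """(conn, op, result name) for each operation whose RESULT line is not err=0."""
    return [(c, o, RESULT_CODES.get(r["err"], f"err {r['err']}"))
            for (c, o), r in sorted(parse_stats_log(text).items()) if r["err"] not in (None, 0)]
```

Running `describe()` over `parse_stats_log(SAMPLE_LOG).values()` prints each operation as "MOD <dn> attrs=['userPassword'] -> modifyResponse, success" or ", referral", which is the kind of at-a-glance decoding that makes a consumer's chained write easy to match against the provider's log.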