"D'Arcy Smith" ds.bcit@gmail.com writes:
On 8/25/07, Pierangelo Masarati ando@sys-net.it wrote:
D'Arcy Smith wrote:
I am having a terrible time trying to get the meta backend to work with my setup. If I do not have meta, things work as expected. As soon as I add the meta backend, things go south.
What version of OpenLDAP are you using?
2.3.35
^^^ extra cruft after "#" (included) is invalid, as clearly indicated in slapd.conf(5). This is treated as an error in OpenLDAP 2.4 (finally!)
Good I like it when errors are treated as errors!
After some more searching around I now have this:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

password-hash   {ssha}

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap/openldap
moduleload      back_null.so
moduleload      back_meta.so

# remote directory I do not control ("aaa")
database        ldap
suffix          "o=aaa.yyy.zzz,o=bcit"
uri             ldap://aaa.yyy.zzz:389
idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="uid=******,ou=people,o=aaa.yyy.zzz,o=yyy"
                credentials="******"
                mode=none

# local directory I do control ("bbb")
database        bdb
suffix          "o=bbb.yyy.zzz,o=bcit"
rootdn          "cn=Manager,o=bbb.yyy.zzz,o=yyy"
rootpw          {SSHA}******
checkpoint      32 30
directory       /var/lib/openldap-data
index           objectClass eq

# meta: present both directories under one suffix
database        meta
suffix          "dc=yyy,dc=zzz"
uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"
What I am after is having it so that users that exist in the "aaa.yyy.zzz" LDAP server (which I have no control over) can authenticate, users in the "bbb.yyy.zzz" LDAP server (which I do control) can authenticate, and that the groups in "bbb.yyy.zzz", which contain users from both "aaa" and "bbb", are able to authenticate. "Authenticate" right now means being able to access Apache via authnzldap.
Running "/usr/lib64/openldap/slapd -d -{any level}" doesn't seem to issue any objections, and my testing works (users from both "aaa" and "bbb" can log in, either by user or by group).
If I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -d {any level}" I get:
WARNING: No dynamic config support for database meta.
WARNING: The converted cn=config directory is incomplete and may not work.
config file testing succeeded
I cannot spot any errors in the config that it is complaining about.
Then running "/usr/lib64/openldap/slapd -d -{any level}" doesn't work (it does work if I delete the files in the /etc/openldap/slapd.d directory).
For example (with -d 64):
@(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
        root@foo:/var/tmp/portage/net-nds/openldap-2.3.35-r1/work/openldap-2.3.35/servers/slapd
loaded module back_null.so
module back_null.so: null module registered
loaded module back_meta.so
module back_meta.so: null module registered
index objectClass 0x0004
meta_back_db_open: no targets defined
backend_startup_one: bi_db_open failed! (1)
slapd stopped.
connections_destroy: nothing to destroy.
You have not defined a config database in slapd.conf but have created a slapd.d directory, so just run slapd with the -f <path/to/slapd.conf> parameter; see slapd(8).
-Dieter
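As an added example (not from this thread and not OpenLDAP project code), here is a small slapd.conf(5) linter for the two things that bit this setup: a "#" comment trailing a directive on the same line (tolerated by 2.3, rejected by 2.4), and a "database meta" stanza that ends up with no "uri" target, which is what slapd reports as "meta_back_db_open: no targets defined". It also encodes the slapd(8) precedence Dieter is pointing at: with neither -f nor -F, an existing default slapd.d wins over slapd.conf. The sample configs are constructed; the command-line parsing in config_source only understands the space-separated "-f FILE" / "-F DIR" forms, and the default paths are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Database:
    """One 'database <type>' stanza of slapd.conf(5)."""
    kind: str                                        # e.g. "bdb", "ldap", "meta"
    line: int                                        # line of the 'database' directive
    directives: list = field(default_factory=list)   # (line, name, args) tuples


def _split_trailing_comment(text):
    """Split at the first '#' outside double quotes: slapd.conf(5) allows
    comments only on their own line, so anything found here is invalid."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return text[:i].rstrip(), text[i:]
    return text, ""


def parse_slapd_conf(text):
    """Return (global_directives, databases, problems) for slapd.conf text.
    Lines beginning with whitespace continue the previous line, as in
    slapd.conf(5). problems is a list of (line, message)."""
    logical = []                                     # (first line number, joined text)
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and logical and raw.strip():
            first, prev = logical[-1]
            logical[-1] = (first, prev + " " + raw.strip())
        else:
            logical.append((lineno, raw))

    globals_, databases, problems = [], [], []
    current = None
    for lineno, line in logical:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                                 # blank or full-line comment
        body, comment = _split_trailing_comment(stripped)
        if comment:
            problems.append((lineno, f"trailing comment is invalid: {comment!r}"))
        parts = body.split(None, 1)
        if not parts:
            continue
        name = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if name == "database":
            current = Database(kind=args.lower(), line=lineno)
            databases.append(current)
        elif current is None:
            globals_.append((lineno, name, args))
        else:
            current.directives.append((lineno, name, args))

    for db in databases:                             # meta without a target cannot start
        if db.kind == "meta" and not any(n == "uri" for _, n, _ in db.directives):
            problems.append((db.line, "database meta has no 'uri' target: slapd "
                             "would stop with 'meta_back_db_open: no targets defined'"))
    return globals_, databases, problems


def config_source(argv, default_confdir_exists,
                  conffile="/etc/openldap/slapd.conf", confdir="/etc/openldap/slapd.d"):
    """Which configuration slapd(8) will load. Precedence per slapd(8): -f and -F
    together convert the file into the directory; -F alone uses the directory;
    -f alone the file; with neither, an existing default config directory wins
    over the default config file. Only '-f FILE' / '-F DIR' forms are parsed."""
    f = F = None
    for i, a in enumerate(argv[:-1]):
        if a == "-f":
            f = argv[i + 1]
        elif a == "-F":
            F = argv[i + 1]
    if f and F:
        return ("convert", f, F)
    if F:
        return ("dir", F)
    if f:
        return ("file", f)
    return ("dir", confdir) if default_confdir_exists else ("file", conffile)


# Constructed sample (not the poster's config): trailing comment on line 2,
# and a 'database meta' with no uri on line 8.
BAD_CONF = """\
include /etc/openldap/schema/core.schema
pidfile /var/run/openldap/slapd.pid   # trailing comment: invalid per slapd.conf(5)

database bdb
suffix "o=bbb.yyy.zzz,o=yyy"
rootdn "cn=Manager,o=bbb.yyy.zzz,o=yyy"

database meta
suffix "dc=yyy,dc=zzz"
"""

# Constructed: a meta stanza with a target; suffixmassage continued on an indented line.
GOOD_META = """\
database meta
suffix "dc=yyy,dc=zzz"
uri ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz"
        "o=aaa.yyy.zzz,o=yyy"
"""

if __name__ == "__main__":
    for conf in (BAD_CONF, GOOD_META):
        _, dbs, problems = parse_slapd_conf(conf)
        print([d.kind for d in dbs], problems or "no problems")
    print(config_source([], default_confdir_exists=True))
    print(config_source(["-f", "/etc/openldap/slapd.conf"], default_confdir_exists=True))
```

Run it against a real file with `parse_slapd_conf(open("/etc/openldap/slapd.conf").read())`; an empty problems list for a meta database means the stanza at least has a target, and `config_source(sys.argv[1:], os.path.isdir("/etc/openldap/slapd.d"))` tells you which of the two configurations the daemon would actually read.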