Chain Overlay and Syncrepl

8 May 2007


      Hello all,
I am having problems with chasing referrals on my slave OpenLDAP server. I
feel like I'm repeating an older thread here, but despite everything I have
read I cannot find a solution.
My setup is as follows:
Both the master and the slave are OpenLDAP 2.3.32 builds with the follwing
configure parameters,
LD_LIBRARY_PATH="/usr/local/lib" ./configure --prefix=/usr/local
--disable-ipv6 --with-tls --enable-dynamic --enable-slapd --enable-modules
--enable-crypt --enable-bdb --enable-rewrite --enable-backends=yes
--enable-rlookups --disable-shell --disable-sql --enable-overlays=yes
--enable-slurpd=yes
At the end of the email, I have attached both the master and the slave
slapd.conf.
The problem is that when I attempt an ldapadd against the slave server, I am
returned a referral instead of having the slave forward the request to the
master. I see no attempt to contact the master server in either the slave or
master logs. Nor do I see any traffic between the two (other than syncrepl
stuff) in a tcpdump. As far as I can tell the chain overlay is being ignored
entirely.
Any suggestions or fixes would be greatly appreciated.
- Scott Sanders
############################################
# Master slapd.conf  --  ldap://info.domain.com:389
############################################
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
password-hash {ssha}
security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile    /usr/local/etc/openldap/security/ldap-master.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-master.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow
limits dn.exact="cn=syncuser,dc=domain,dc=com" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword
        by self write
        by dn="cn=admin,dc=domain,dc=com" write
        by dn="cn=syncuser,dc=domain,dc=com" read
        by * auth
access to *
        by dn="cn=admin,dc=domain,dc=com" write
        by dn="cn=syncuser,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" read
        by * read
database hdb
suffix cn=accesslog
directory /usr/local/var/openldap-accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T2JGZSB3Q2x57s/O
directory       /usr/local/var/openldap-data
index   objectClass     eq
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess true
logpurge 07+00:00 01+00:00
############################################
# Slave slapd.conf  --  ldap://arch.domain.com
############################################
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
password-hash {ssha}
security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile    /usr/local/etc/openldap/security/ldap-slave.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-slave.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow
access to attrs=userPassword
        by self write
        by dn="cn=admin,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" write
        by * auth
access to *
        by dn="cn=admin,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" write
        by * read
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T2JGZkB3Q2x57s/O
overlay         chain
chain-uri       ldap://info.domain.com:389
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=simple
                        binddn="cn=admin,dc=domain,dc=com"
                        credentials=secret
                        mode=self
directory       /usr/local/var/openldap-data
index   objectClass     eq
index entryUUID eq
syncrepl        rid=0
                provider=ldap://info.domain.com:389
                starttls=yes
                bindmethod=simple
                binddn="cn=syncuser,dc=domain,dc=com"
                credentials=secretsyncpasswd
                searchbase="dc=domain,dc=com"
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                schemaChecking=on
                type=refreshAndPersist
                retry="60 +"
                syncdata=accesslog
updateref       ldap://info.domain.com:389

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Chain Overlay and Syncrepl