Quoting Pierangelo Masarati ando@sys-net.it:
Markus Krause wrote:
Quoting Pierangelo Masarati ando@sys-net.it:
Markus Krause wrote:
Hi list!
I have several consumers and one provider (let's call them ldapconX and ldapprov). syncrepl works fine, but I actually do not want any clients to contact the provider directly (and I have in addition some clients which would not understand referrals anyway), so reading through the admin guide and man pages I thought slapo-chain would be the solution! (correct me if I am wrong ;-)) But somehow I cannot get it working...
The slapd.conf of the provider is untouched; the consumers have (simplified in some places; please tell me if you need it in more detail):
slapo-chain must be global (i.e. before any database) since referrals are returned by the frontend, as soon as it discovers that the database that is candidate for a modification is shadow. See example in consumer slapd.conf in test018.
Thanks for your answer! I assume you are referring to slapd-chain1.conf, as in slapd-chain2.conf
No. I'm referring to slapd.4.conf as generated by the test018 script.
Ah ok, sorry for that. I could not find it at first, had to stop "make test" at test018 to get it ... now I used it (and slapd.1.conf) as a template for my config.
The overlay chain is after the database definition (which I used after the success following your hint in my ACL problem thread).
In that case, the test was testing slapo-chain behavior when used to chain databases, not to chase referrals originating by writing to a shadow. That requires replication, and that's why it's in test018.
But I am still doing something wrong... just to be sure I ran all tests again (make test), which all finished ok.
Now my slapd.conf is like:

--- slapd.conf (simplified)
...
acl
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapprov"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
        binddn="cn=manager,o=test"
        credentials="secret"
        mode="self"
        flags=non-prescriptive
database bdb
...
overlay smbk5pwd
syncrepl ....
updateref ldaps://ldapprov
Please move the updateref and the syncrepl lines __before__ the overlay-related lines.
I am really sorry about still bothering you with my problems, but I still have no success... :-( My slapd.conf now looks like (now in more detail, just cleaned up):

--- slapd.conf
...
modulepath      /usr/lib/openldap/modules
moduleload      smbk5pwd.so
sizelimit       unlimited
acl ...
TLSstuff ...

#### chain overlay definition
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapprov"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
        binddn="cn=manager,o=test"
        credentials="secret"
        mode="self"

database bdb
suffix          "o=test"
directory       /var/lib/ldap/
rootdn          "cn=manager,o=test"
rootpw          "secret"
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index entryCSN,entryUUID eq
index dhcpHWAddress eq,pres
index relativeDomainName eq,pres
index ipHostNumber eq,pres
index zoneName eq,pres
index radiusGroupName eq,pres

syncrepl rid=13
        provider=ldaps://ldapprov
        type=refreshAndPersist
        retry=1,5,5,6,30,+
        interval=00:00:00:30
        searchbase="o=test"
        filter="(objectclass=*)"
        scope=sub
        attrs="*"
        schemachecking=off
        binddn="cn=manager,o=test"
        bindmethod=simple
        credentials="secret"
        sizelimit=unlimited
updateref ldaps://ldapprov

overlay syncprov
overlay smbk5pwd
smbk5pwd-enable samba
--- end of slapd.conf
The strace backlog says:
I'd stick with slapd logs.
Ok.
Is the line "updateref" needed? But it crashes the server with my config?!
Please rearrange the configuration as instructed and retry. In general, never intermix database and overlay directives. Order matters (as it always did; but now violations are no longer harmless).
I hope I understood which order the entries should have ... (see above)
But the last lines before the consumer dies after running "ldappasswd .." show:

--- slapd -d 65535 output
...
=> bdb_dn2id("uid=user,o=test")
<= bdb_dn2id: got id=0x0000337f
entry_decode: "uid=user,o=test"
<= entry_decode(uid=user,o=test)
ldap_url_parse_ext(ldaps://ldapprov)
send_ldap_extended: err=10 oid= len=0
ldap_url_parse_ext(ldaps://ldapprov)
Segmentation fault
--- end of slapd -d 65535 output
Interesting (at least for me) is that if I provide the wrong LDAP password to "ldappasswd", the output of "ldappasswd" is:

--- ldappasswd -x -h localhost <...>
New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
---

and the consumer stays alive.. Does this mean there is something wrong with the provider config? Just to be sure, the slapd.conf:

---- slapd.conf of provider
include ...
modulepath      /usr/lib/openldap/modules
moduleload      smbk5pwd.so
sizelimit       unlimited
acls ...
TLSStuff

database bdb
suffix          "o=teset"
directory       /var/lib/ldap/
rootdn          "cn=manager,o=test"
rootpw          "secret"
index ...

overlay syncprov
overlay smbk5pwd
smbk5pwd-enable samba
---
But the provider debug output seems to be ok, it just says:

--- slapd -d 65535 of provider
ber_get_next on fd 16 failed errno=0 (Success)
connection_read(16): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=16 for close
connection_close: conn=2 sd=16
daemon: removing 16
tls_write: want=37, written=37
  0000:  15 03 01 00 20 ff da 2f  93 ad 2b 27 df b9 2c f5   .... ../..+'..,.
  0010:  3f 57 27 a2 12 f8 35 d4  76 3e 35 a1 04 78 e3 9b   ?W'...5.v>5..x..
  0020:  bd d0 6f fc 29                                     ..o.)
TLS trace: SSL3 alert write:warning:close notify
conn=2 fd=16 closed (connection lost)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
---
It seems I am still configuring something completely wrong (or am misunderstanding some basic concepts ..). Where is my mistake??
Thanks in advance for your help and patience!
With best regards,
Markus
+-----------------------------------------------------------------+
| Markus Krause, Mogli-Soft                                       |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL        |
| by order of the                                                 |
| Computing Center of the Max-Planck-Institute of Biochemistry    |
+--------------------------------+--------------------------------+
| E-Mail: krause@biochem.mpg.de  | Tel.: 089 - 89 40 85 99        |
|         markus.krause@mac.com  | Fax.: 089 - 89 40 85 98        |
| Skype: markus.krause           | iChat: markus.krause@mac.com   |
+--------------------------------+--------------------------------+
----------------------------------------------------------------------
This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to rz-linux@biochem.mpg.de
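For reference, a consumer slapd.conf laid out in the order Pierangelo describes in this thread: the chain overlay as a global overlay before the first "database" line, and within the shadow database the syncrepl and updateref directives before any overlay that stacks on that database. This is an added example, not part of the original thread and not Markus's actual configuration; the host ldapprov, the suffix o=test, the DN cn=manager,o=test and the password "secret" are taken from the posts above, and the include, access, TLS and index lines are placeholders to be replaced with the real ones.

```conf
# Consumer slapd.conf (added example; directive order matters).

# 1. Global section: schema, modules, limits, ACLs, TLS.
include         /etc/openldap/schema/core.schema
modulepath      /usr/lib/openldap/modules
moduleload      smbk5pwd.so
sizelimit       unlimited
# access to ... by ...        (ACLs go here)
# TLSCertificateFile ...      (TLS settings go here)

# 2. slapo-chain as a *global* overlay, i.e. before any "database"
#    line. The referral to the provider is produced by the frontend
#    when a write hits the shadow database, so a chain overlay placed
#    after "database bdb" never sees it.
overlay         chain
chain-uri       "ldaps://ldapprov"
# Bind to the provider once as the manager and assert the identity of
# the client that issued the write (mode=self). Set only once; the
# original config set chain-rebind-as-user twice with opposite values.
chain-idassert-bind bindmethod="simple"
                binddn="cn=manager,o=test"
                credentials="secret"
                mode="self"
                flags=non-prescriptive
chain-rebind-as-user    FALSE
# If the chained write fails on the provider, report that error to the
# client instead of handing back the referral it cannot follow.
chain-return-error      TRUE

# 3. The shadow database. All of its own directives come first ...
database        bdb
suffix          "o=test"
directory       /var/lib/ldap
rootdn          "cn=manager,o=test"
rootpw          "secret"
index           objectClass eq
index           entryCSN,entryUUID eq
# index ...                   (remaining indexes as in the real config)

syncrepl        rid=13
                provider=ldaps://ldapprov
                type=refreshAndPersist
                retry="5 5 300 +"
                searchbase="o=test"
                filter="(objectclass=*)"
                scope=sub
                attrs="*,+"
                schemachecking=off
                bindmethod=simple
                binddn="cn=manager,o=test"
                credentials="secret"
updateref       ldaps://ldapprov

# 4. ... and only then the overlays that stack on this database.
overlay         smbk5pwd
smbk5pwd-enable samba
```

Two things to check before relying on this. First, the file holds the manager password in clear text twice, so it must be readable only by the account slapd runs as. Second, identity assertion with mode="self" only works if the provider allows cn=manager,o=test to act on behalf of the asserted user, which is governed by the provider's authz-policy setting and the authzTo/authzFrom attributes; without that, the chained write is refused on the provider side rather than on the consumer.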