Markus Krause wrote:
Quoting Pierangelo Masarati ando@sys-net.it:
Markus Krause wrote:
Hi list!
i have several consumers and one provider (let's call them ldapconX and ldapprov). syncrepl works fine, but i actually do not want any clients to contact the provider directly (and i have in addition some clients which would not understand referrals anyway), so reading through the admin guide and man pages i thought slapo-chain would be the solution! (correct me if i am wrong ;-)) But somehow i can not get it working...
the slapd.conf of the provider is untouched, the consumers have (simplified in some places; please tell me if you need it in more detail):
slapo-chain must be global (i.e. before any database) since referrals are returned by the frontend, as soon as it discovers that the database that is candidate for a modification is shadow. See example in consumer slapd.conf in test018.
thanks for your answer! i assume you are referring to slapd-chain1.conf, as in slapd-chain2.conf
No. I'm referring to slapd.4.conf as generated by the test018 script.
the overlay chain is after the database definition (which i used after the success following your hint in my acl problem thread).
In that case, the test was testing slapo-chain behavior when used to chain databases, not to chase referrals originating by writing to a shadow. That requires replication, and that's why it's in test018.
but i am still doing something wrong... just to be sure i ran all tests again (make test) which all were finished ok.
now my slapd.conf is like:
--- slapd.conf (simplified)
...
acl
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldaps://ldapprov"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple" binddn="cn=manager,o=test" credentials="secret" mode="self" flags=non-prescriptive
database bdb
...
overlay smbk5pwd
syncrepl ....
updateref ldaps://ldapprov
Please move the updateref and the syncrepl lines __before__ overlays related lines.
---- end of slapd.conf
using "ldappasswd -x <...>" i get:
Re-enter new password:
Enter LDAP Password:
ldappasswd: ldap_result: Can't contact LDAP server (-1)
and the ldap consumer segfaults. last messages from slapd -d 65535 were:
--- slapd -d 65535 ....
conn=0 op=1 PASSMOD id="uid=testuser,ou=people,o=test" new
dnPrettyNormal: <uid=testuser,ou=people,o=test>
=> ldap_bv2dn(uid=testuser,ou=people,o=test,0)
<= ldap_bv2dn(uid=testuser,ou=people,o=test)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,o=test)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testuser,ou=people,o=test)=0
<<< dnPrettyNormal: <uid=testuser,ou=people,o=test>, <uid=testuser,ou=people,o=test>
bdb_dn2entry("uid=testuser,ou=people,o=test")
=> bdb_dn2id("uid=testuser,ou=people,o=test")
<= bdb_dn2id: got id=0x0000284c
=> bdb_dn2id("uid=testuser,ou=people,o=test")
<= bdb_dn2id: got id=0x00002861
=> bdb_dn2id("uid=testuser,ou=people,o=test")
<= bdb_dn2id: got id=0x0000337f
entry_decode: "uid=testuser,ou=people,o=test"
<= entry_decode(uid=uid=testuser,ou=people,o=test)
ldap_url_parse_ext(ldaps://ldapprov)
send_ldap_extended: err=10 oid= len=0
ldap_url_parse_ext(ldaps://ldapprov)
the strace backlog says:
I'd stick with slapd logs.
what i find odd is the error "stat64("/var/lib/ldap/__db.004", 0xbfd23b2c) = -1 ENOENT (No such file or directory)" (just at the beginning of the post) because the file actually is there and accessible:
[host]: ls -l /var/lib/ldap/__db.004
-rw------- 1 ldap ldap 450560 May 12 22:45 /var/lib/ldap/__db.004
now if i change the settings in slapd.conf on the consumer and remove the line "updateref"
That's needed by replication
(as in slapd-chain1.conf is no such line)
You're looking at the wrong file, not to the one you were pointed to
the server (consumer) stays alive but on running "ldappasswd -x <...>" i get:
ldappasswd -x <...>
New password:
Re-enter new password:
Enter LDAP Password:
Result: Server is unwilling to perform (53)
Additional info: shadow context; no update referral
As expected.
is the line "updateref" needed? but it crashes the server with my config?!
Please rearrange the configuration as instructed and retry. In general, never intermix database and overlay directives. Order matters (as it always did; but now violations are no longer harmless).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
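The two ordering rules given in the reply above (slapo-chain declared globally before any database; syncrepl and updateref placed before the overlay lines of their database) can be checked mechanically before restarting a consumer. The following is an added example, not part of the original thread or of OpenLDAP: the function name check_order is hypothetical, and the sample configuration is constructed from the simplified slapd.conf quoted above (the suffix and syncrepl parameters are placeholders).

```python
# Directives that must come before any "overlay" line of their database.
DB_BEFORE_OVERLAY = {"syncrepl", "updateref"}

def check_order(conf_text):
    """Return (line_number, message) findings for directive-order problems."""
    findings = []
    in_database = False   # True once the first "database" line is seen
    overlay_seen = None   # first overlay declared in the current database
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        words = raw.split()
        directive = words[0].lower()
        if directive == "database":
            in_database, overlay_seen = True, None
        elif directive == "overlay":
            name = words[1].lower() if len(words) > 1 else "?"
            if name == "chain" and in_database:
                findings.append((lineno, "overlay chain is not global: "
                                 "declare it before the first database"))
            overlay_seen = overlay_seen or name
        elif directive in DB_BEFORE_OVERLAY and in_database and overlay_seen:
            findings.append((lineno, f"{directive} follows overlay "
                             f"{overlay_seen}: move it above the overlay lines"))
    return findings

# Constructed samples based on the simplified slapd.conf in the thread.
GLOBAL = '''overlay chain
chain-uri "ldaps://ldapprov"
'''
BROKEN = GLOBAL + '''database bdb
suffix "o=test"
overlay smbk5pwd
syncrepl rid=001 provider=ldaps://ldapprov
updateref ldaps://ldapprov
'''
FIXED = GLOBAL + '''database bdb
suffix "o=test"
syncrepl rid=001 provider=ldaps://ldapprov
updateref ldaps://ldapprov
overlay smbk5pwd
'''

if __name__ == "__main__":
    for label, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_order(conf) or "ok")
```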