Hello
I am trying to use replication with slurpd, using TLS to secure access to the replicas.
1) On the master, slapd.conf contains this:

    database bdb
    suffix "dc=example,dc=net"
    directory /var/openldap/openldap-data
    replogfile /var/log/ldap/ldap.replog
    replica uri=ldaps://ldap1.example.net bindmethod=sasl saslmech=EXTERNAL

I have a slurpd pseudo-user, with a .ldaprc file:

    SASL_MECH EXTERNAL
    TLS_CACERT /etc/openssl/certs/ca.crt
    TLS_KEY /usr/pkg/etc/openldap/slurpd/etc/openssl/slurpd.key
    TLS_CERT /usr/pkg/etc/openldap/slurpd/etc/openssl/slurpd.crt
2) On the slave, slapd.conf contains:

    suffix "dc=example,dc=net"
    directory /var/openldap/openldap-data
    updatedn "email=...,cn=slurpd,ou=....,o=...,st=...,c=..."
    updateref ldap://ldap0.example.net

    access to * by dn.exact="email=...,cn=slurpd,ou=....,o=...,st=...,c=..." by * none
updatedn is the information I have in slurpd's certificate.
When I update the master, slurpd sees the modification and attempts to propagate it to the slave, but it fails:

    Error: ldap_modify_s failed modifying DN "cn=foo,dc=example,dc=net": shadow context; no update referral

On the slave, the error is:

    conn=19 op=7 RESULT tag=103 err=10 text=

I found in <ldap.h> that this err=10 is

    #define LDAP_REFERRAL 0x0a /* LDAPv3 */

But it does not help me fix the problem.
What is wrong?
On Tue, Feb 27, 2007 at 10:13:07AM +0000, Emmanuel Dreyfus wrote:
> Error: ldap_modify_s failed modifying DN "cn=foo,dc=example,dc=net": shadow context; no update referral
It seems I finally managed to get it working. I'll post a quick how-to for reference later.
Emmanuel Dreyfus wrote:
> On Tue, Feb 27, 2007 at 10:13:07AM +0000, Emmanuel Dreyfus wrote:
> > Error: ldap_modify_s failed modifying DN "cn=foo,dc=example,dc=net": shadow context; no update referral
> It seems I finally managed to get it working. I'll post a quick how-to for reference later.
Unless you developed something very specific that's not documented yet, I suggest you rather propose improvements to the official documentation, in case it was not clear enough, or even disguising. What you set up is a very basic and common feature; I think it rather deserves a better official description than yet another unofficial, partial and quickly out-of-date howto...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
Pierangelo Masarati ando@sys-net.it wrote:
> Unless you developed something very specific that's not documented yet, I suggest you rather propose improvements to the official documentation, in case it was not clear enough, or even disguising. What you set up is a very basic and common feature; I think it rather deserves a better official description than yet another unofficial, partial and quickly out-of-date howto...
Where is the documentation that explains how to make slurpd work with certificate authentication, by the way? I'm all for improving it, but I don't know where to work: the guide? The FAQ?