Hi all,
I am having a terrible time trying to get the meta backend to work with my setup. If I do not have meta, things work as expected. As soon as I add the meta backend, things go south.
Partial slapd.conf:
database        ldap
suffix          "o=a.y.x,o=y"
uri             ldap://a.y.z:389/
idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="uid=foo,ou=people,o=a.y.z,o=y"
                credentials="**********"
                mode=none

database        bdb
suffix          "o=b.y.z,o=bcit"
checkpoint      32 30 # <kbyte> <min>
rootdn          "cn=Manager,o=b.y.z,o=y"
rootpw          {MD5}********==
directory       /var/lib/openldap-data
index           objectClass eq

database        meta
suffix          "o=y.z,o=y"

uri             "ldap://foo.bar.star:389/o=a.y.z,o=y"
rwm-rewriteEngine   on
rwm-rewriteContext  default
twm-rewriteRule     "(.*)o=y.z,o=y" "%1o=a,y.z,o=y"
rwm-rewriteContext  searchResult
rwm-rewriteRule     "(.*)o=a.y.z,o=y" "%1o=y.z,o=y"
rwm-map             attribute * *

uri             "ldap://foo.bar.com:389/o=b.y.z,o=y"
rwm-rewriteEngine   on
rwm-rewriteContext  default
twm-rewriteRule     "(.*)o=y.z,o=y" "%1o=b,y.z,o=y"
rwm-rewriteContext  searchResult
rwm-rewriteRule     "(.*)o=b.y.z,o=y" "%1o=y.z,o=y"
rwm-map             attribute * *
When I run slapd with -d -1 I get (in part):
config_back_db_open
backend_startup_one: starting "o=a.y.z,o=y"
ldap_back_db_open: URI=ldap://a.y.z:389
backend_startup_one: starting "o=b.y.z,o=y"
bdb_db_open: o=b.y.z,o=y
bdb_db_open: dbenv_open(/var/lib/openldap-data)
backend_startup_one: starting "o=y.z,o=y"
meta_back_db_open: no targets defined
backend_startup_one: bi_db_open failed! (1)
So, it seems that "meta" is finding no targets...
Any ideas?
Thanks,
..darcy
D'Arcy Smith wrote:

> I am having a terrible time trying to get the meta backend to work with my setup. If I do not have meta, things work as expected. As soon as I add the meta backend, things go south.

What version of OpenLDAP are you using?

> Partial slapd.conf:
>
> database        ldap
> suffix          "o=a.y.x,o=y"
> uri             ldap://a.y.z:389/
> idassert-authzFrom "dn:*"
> idassert-bind   bindmethod=simple
>                 binddn="uid=foo,ou=people,o=a.y.z,o=y"
>                 credentials="**********"
>                 mode=none
>
> database        bdb
> suffix          "o=b.y.z,o=bcit"
> checkpoint      32 30 # <kbyte> <min>

^^^ extra cruft after "#" (included) is invalid, as clearly indicated in slapd.conf(5). This is treated as an error in OpenLDAP 2.4 (finally!)

> rootdn          "cn=Manager,o=b.y.z,o=y"
> rootpw          {MD5}********==

rootpw can only be set when rootdn is within the naming context of the database, as clearly indicated in slapd.conf(5), which is not the case above.

> directory       /var/lib/openldap-data
> index           objectClass eq
>
> database        meta
> suffix          "o=y.z,o=y"
>
> uri             "ldap://foo.bar.star:389/o=a.y.z,o=y"

^^^ this is not a valid back-meta URI, since the naming context "o=a.y.z,o=y" is not within the naming context of the database, as clearly stated in slapd-meta(5).

> rwm-rewriteEngine   on

^^^ this is not a valid slapd-meta(5) directive. The "rwm-" prefix clearly indicates it's related to slapo-rwm(5), which has not been instantiated (nor is it required by slapd-meta(5)).

> rwm-rewriteContext  default
> twm-rewriteRule     "(.*)o=y.z,o=y" "%1o=a,y.z,o=y"
> rwm-rewriteContext  searchResult
> rwm-rewriteRule     "(.*)o=a.y.z,o=y" "%1o=y.z,o=y"
> rwm-map             attribute * *

^^^ same as above

> uri             "ldap://foo.bar.com:389/o=b.y.z,o=y"

^^^ same as above

> rwm-rewriteEngine   on
> rwm-rewriteContext  default
> twm-rewriteRule     "(.*)o=y.z,o=y" "%1o=b,y.z,o=y"
> rwm-rewriteContext  searchResult
> rwm-rewriteRule     "(.*)o=b.y.z,o=y" "%1o=y.z,o=y"
> rwm-map             attribute * *

^^^ same as above

> When I run slapd with -d -1 I get (in part):
>
> config_back_db_open
> backend_startup_one: starting "o=a.y.z,o=y"
> ldap_back_db_open: URI=ldap://a.y.z:389
> backend_startup_one: starting "o=b.y.z,o=y"
> bdb_db_open: o=b.y.z,o=y
> bdb_db_open: dbenv_open(/var/lib/openldap-data)
> backend_startup_one: starting "o=y.z,o=y"
> meta_back_db_open: no targets defined
> backend_startup_one: bi_db_open failed! (1)
>
> So, it seems that "meta" is finding no targets...
Clearly, the incorrect configuration above is screwing things. Since you didn't state what version of OpenLDAP you're using, there's no way I can help. Note that I'm not a magician, I just ran slaptest and noted (and fixed) errors as they showed up.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
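For readers landing here with the same "no targets defined" failure, the following is an added slapd.conf fragment (not from the thread, nor from the OpenLDAP project) that satisfies the three constraints Pierangelo lists: every back-meta target naming context lies under the database suffix, the rewriting is done with slapd-meta's own suffixmassage rather than slapo-rwm's rwm-* directives, and rootpw is only set where rootdn sits inside the bdb naming context. The hostnames, DNs, proxy bind identity and password are placeholders, and the attribute values assume the layout used later in the thread ("dc=yyy,dc=zzz" as the virtual tree, "o=aaa.yyy.zzz,o=yyy" and "o=bbb.yyy.zzz,o=yyy" as the real naming contexts).

```conf
# Added example, not part of this thread.  Placeholders: hostnames,
# DNs, the proxy bind identity "uid=proxy,..." and its password.

# Local data.  rootdn is inside the suffix, so rootpw is legal here.
database        bdb
suffix          "o=bbb.yyy.zzz,o=yyy"
rootdn          "cn=Manager,o=bbb.yyy.zzz,o=yyy"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
checkpoint      32 30
directory       /var/lib/openldap-data
index           objectClass eq

# Virtual tree.  Each target's naming context (the DN part of its
# URI) must lie under this suffix; a target outside it is dropped,
# and with no surviving target slapd reports
# "meta_back_db_open: no targets defined".
database        meta
suffix          "dc=yyy,dc=zzz"

# Target 1: the remote directory nobody here controls.  Clients see
# it as ou=aaa,dc=yyy,dc=zzz; suffixmassage maps that virtual suffix
# to the real one on requests and back on results, which is what the
# rwm-rewriteRule pairs above were trying to do.  No slapo-rwm needed.
uri             "ldap://aaa.yyy.zzz:389/ou=aaa,dc=yyy,dc=zzz"
suffixmassage   "ou=aaa,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
idassert-bind   bindmethod=simple
                binddn="uid=proxy,ou=people,o=aaa.yyy.zzz,o=yyy"
                credentials="change-me"
                mode=none
idassert-authzFrom "dn:*"

# Target 2: the bdb database above, reached through this same slapd
# over the loopback interface.
uri             "ldap://127.0.0.1:389/ou=bbb,dc=yyy,dc=zzz"
suffixmassage   "ou=bbb,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"
```

Check the file with "slaptest -u -f /etc/openldap/slapd.conf" before starting slapd; with no config database defined, slapd must also be started with "-f /etc/openldap/slapd.conf", otherwise it looks for slapd.d. The credentials= value is a cleartext password for an identity that the remote directory trusts, so the file must not be readable by anyone but the slapd user, and "idassert-authzFrom dn:*" lets any bound client have that proxy identity asserted on its behalf, which is acceptable only if that is the intended trust model.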
On 8/25/07, Pierangelo Masarati ando@sys-net.it wrote:

> D'Arcy Smith wrote:
>
>> I am having a terrible time trying to get the meta backend to work with my setup. If I do not have meta, things work as expected. As soon as I add the meta backend, things go south.
>
> What version of OpenLDAP are you using?

2.3.35

> ^^^ extra cruft after "#" (included) is invalid, as clearly indicated in slapd.conf(5). This is treated as an error in OpenLDAP 2.4 (finally!)
Good, I like it when errors are treated as errors!
After some more searching around I now have this:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

password-hash   {ssha}

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap/openldap
moduleload      back_null.so
moduleload      back_meta.so

database        ldap
suffix          "o=aaa.yyy.zzz,o=bcit"
uri             ldap://aaa.yyy.zzz:389
idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="uid=******,ou=people,o=aaa.yyy.zzz,o=yyy"
                credentials="******"
                mode=none

database        bdb
suffix          "o=bbb.yyy.zzz,o=bcit"
rootdn          "cn=Manager,o=bbb.yyy.zzz,o=yyy"
rootpw          {SSHA}******
checkpoint      32 30
directory       /var/lib/openldap-data
index           objectClass eq

database        meta
suffix          "dc=yyy,dc=zzz"
uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"
What I am after is having it so that users that exist in the "aaa.yyy.zzz" LDAP server (that I have no control over) can authenticate, users in the "bbb.yyy.zzz" LDAP server (that I do control) can authenticate, and that the groups in "bbb.yyy.zzz", which contain users from both "aaa" and "bbb", are able to authenticate. "Authenticate" right now means can access Apache via authnz_ldap.

Running "/usr/lib64/openldap/slapd -d {any level}" doesn't seem to issue any objections, and my testing works (users from both "aaa" and "bbb" can log in, either by user or by group).

If I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -d {any level}" I get:

WARNING: No dynamic config support for database meta.
WARNING: The converted cn=config directory is incomplete and may not work.
config file testing succeeded
I cannot spot any errors that it is giving me in the config.
Then running "/usr/lib64/openldap/slapd -d {any level}" doesn't work (it does work if I delete the files in the /etc/openldap/slapd.d directory).

For example (with -d 64):

@(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
        root@foo:/var/tmp/portage/net-nds/openldap-2.3.35-r1/work/openldap-2.3.35/servers/slapd
loaded module back_null.so
module back_null.so: null module registered
loaded module back_meta.so
module back_meta.so: null module registered
index objectClass 0x0004
meta_back_db_open: no targets defined
backend_startup_one: bi_db_open failed! (1)
slapd stopped.
connections_destroy: nothing to destroy.
Any thoughts?
Thanks,
..darcy
"D'Arcy Smith" ds.bcit@gmail.com writes:

[...]

> After some more searching around I now have this:
>
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
>
> password-hash   {ssha}
>
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
>
> modulepath      /usr/lib64/openldap/openldap
> moduleload      back_null.so
> moduleload      back_meta.so
>
> database        ldap
> suffix          "o=aaa.yyy.zzz,o=bcit"
> uri             ldap://aaa.yyy.zzz:389
> idassert-authzFrom "dn:*"
> idassert-bind   bindmethod=simple
>                 binddn="uid=******,ou=people,o=aaa.yyy.zzz,o=yyy"
>                 credentials="******"
>                 mode=none
>
> database        bdb
> suffix          "o=bbb.yyy.zzz,o=bcit"
> rootdn          "cn=Manager,o=bbb.yyy.zzz,o=yyy"
> rootpw          {SSHA}******
> checkpoint      32 30
> directory       /var/lib/openldap-data
> index           objectClass eq
>
> database        meta
> suffix          "dc=yyy,dc=zzz"
> uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
> suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
> uri             ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
> suffixmassage   "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"

[...]

> If I run "slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -d {any level}" I get:
>
> WARNING: No dynamic config support for database meta.
> WARNING: The converted cn=config directory is incomplete and may not work.
> config file testing succeeded
>
> I cannot spot any errors that it is giving me in the config.
>
> Then running "/usr/lib64/openldap/slapd -d {any level}" doesn't work (it does work if I delete the files in the /etc/openldap/slapd.d directory).
>
> For example (with -d 64):
>
> @(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
>         root@foo:/var/tmp/portage/net-nds/openldap-2.3.35-r1/work/openldap-2.3.35/servers/slapd
> loaded module back_null.so
> module back_null.so: null module registered
> loaded module back_meta.so
> module back_meta.so: null module registered
> index objectClass 0x0004
> meta_back_db_open: no targets defined
> backend_startup_one: bi_db_open failed! (1)
> slapd stopped.
> connections_destroy: nothing to destroy.
You have not defined a config database in slapd.conf but created a slapd.d directory, so just run slapd with the -f <path/to/slapd.conf> parameter; see slapd(8).
-Dieter
openldap-software@openldap.org