Hi everyone,
In this period, a "Happy new year" is most appropriate, isn't it?
I have set up two servers in multimaster replication, using SASL/EXTERNAL + authz_regexp (I have two authz_regexp: one for cn=config and one for the replicator DN in the data context) to authenticate the replication instances with SSL certificates.
I would like to implement a "local" rewrite of incoming requests (mostly BIND and Search operations) so that queries originating with a DN like "cn=jdoe,ou=people,dc=local" are transformed into "uid=jdoe,ou=people,dc=local".
I have two problems and one question:
1. I can't implement any olcRwmRewrite attribute. Any of the following lines in the olcOverlay={4}rwm.ldif file:
    olcRwmRewrite: {0}rwm-rewriteEngine "on"
    olcRwmRewrite: {1}rwm-rewriteContext "default"
    olcRwmRewrite: {2}rwm-rewriteRule "cn=(.+),ou=people,dc=local$" "uid=$1,ou=people,dc=local" ":"
give the error message (in debug mode):
-------------
[/etc/openldap/slapd.d/:1] unknown command ''
olcRwmRewrite: value #0: <olcRwmRewrite> handler exited with 1!
config error processing olcOverlay={4}rwm,olcDatabase={2}hdb,cn=config: <olcRwmRewrite> handler exited with 1
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=80 matched="" text=""
slaptest: bad configuration directory!
--------------
Those lines were generated by slaptest from a working slapd.conf file.
2. Segfault at startup (or when pushing the LDIF configuration, maybe at the first sync): the segfault point varies from one startup to another, always after a TLS negotiation (it is the syncrepl instance with itself), and sometimes the following lines appear:
ldap_msgfree
[rw] searchDN: "dc=app,dc=eiffage,dc=loc" -> "dc=app,dc=eiffage,dc=loc"
=> bdb_entry_get: ndn: "(null)"
=> bdb_entry_get: oc: "(null)", at: "contextCSN"
bdb_dn2entry("(null)")
Erreur de segmentation
Even when the overlay configuration LDIF file is reduced to the following:
dn: olcOverlay={4}rwm
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {4}rwm
structuralObjectClass: olcRwmConfig
If I remove the overlay configuration LDIF file, the server starts working immediately.
3. Where can I find documentation about olcRwmTFSupport and olcRwmNormalizeMapped, which slaptest generated for me?
For documentation, here are the authz_regexp:
{0}cn=.*_repl_config,ou=AC-LDAP,o=myorg cn=config
{1}cn=.*_replicator,ou=AC-LDAP,o=myorg cn=Replicator,ou=replicators,dc=local
and the olcSyncrepl attributes look like this:
{0}rid=001 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem
{1}rid=002 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist starttls=critical retry="5 5 60 +" timeout=10 tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/repl_config.cert.pem tls_key=/etc/openldap/repl_config.key.pem
{0}rid=201 provider="ldap://slxp0059.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem
{1}rid=202 provider="ldap://slxp0058.app.local" bindmethod=sasl saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical tls_cacert=/etc/openldap/cacerts/cacert.pem tls_cert=/etc/openldap/replicator.cert.pem tls_key=/etc/openldap/replicator.key.pem
Thanks in advance for any answer. Sincerely yours, Mathieu MILLET.
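An added, offline check of the rewriteRule from the post (this is not slapd's rewrite engine and not code from the thread): it applies the pattern/substitution pair with Python's re as a stand-in, assuming the regex is searched within the DN (so anchors matter), a match replaces the whole string with the substitution, and $1..$9 are back-references. It also shows a tighter rule that only rewrites the leading RDN.

```python
import re

# Rule exactly as written in the post.
RULE_FROM_POST = (r"cn=(.+),ou=people,dc=local$", "uid=$1,ou=people,dc=local")
# Tighter variant (assumption, not from the post): anchored at the start and
# limited to one RDN value, so a DN with an extra leading RDN is left alone.
RULE_TIGHT = (r"^cn=([^,]+),ou=people,dc=local$", "uid=$1,ou=people,dc=local")


def _to_python_template(subst):
    """Turn slapo-rwm style $N back-references into Python \\g<N> references."""
    return re.sub(r"\$(\d)", r"\\g<\1>", subst)


def rewrite_dn(dn, rules):
    """Apply (pattern, substitution) rules in order; the first match wins and
    its substitution becomes the whole result. An unmatched DN is unchanged."""
    for pattern, subst in rules:
        m = re.search(pattern, dn)
        if m:
            return m.expand(_to_python_template(subst))
    return dn


# Constructed sample DNs: the intended case, a different OU, a DN with an
# extra leading RDN, and a DN that is already in the target form.
CONSTRUCTED_DNS = [
    "cn=jdoe,ou=people,dc=local",
    "cn=jdoe,ou=groups,dc=local",
    "cn=admin,cn=jdoe,ou=people,dc=local",
    "uid=jdoe,ou=people,dc=local",
]

if __name__ == "__main__":
    for dn in CONSTRUCTED_DNS:
        print(f"{dn:40} post rule -> {rewrite_dn(dn, [RULE_FROM_POST])}")
        print(f"{'':40} tight     -> {rewrite_dn(dn, [RULE_TIGHT])}")
```

With the greedy `(.+)` the third DN becomes uid=admin,cn=jdoe,ou=people,dc=local, which is why the anchored, comma-free variant is worth comparing before the rule goes into cn=config.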
--On Tuesday, January 06, 2009 4:03 PM +0100 Mathieu MILLET ldap@htam.net wrote:
> Hi everyone,
> In this period, a "Happy new year" is most appropriate, isn't it?
> I have set up two servers in multimaster replication, using SASL/EXTERNAL + authz_regexp (I have two authz_regexp: one for cn=config and one for the replicator DN in the data context) to authenticate the replication instances with SSL certificates.
> I would like to implement a "local" rewrite of incoming requests (mostly BIND and Search operations) so that queries originating with a DN like "cn=jdoe,ou=people,dc=local" are transformed into "uid=jdoe,ou=people,dc=local".
> I have two problems and one question:
What OpenLDAP release are you using?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wed, 07 Jan 2009 10:35:35 -0800, Quanah Gibson-Mount quanah@zimbra.com wrote:
> --On Tuesday, January 06, 2009 4:03 PM +0100 Mathieu MILLET wrote:
>> Hi everyone,
>> In this period, a "Happy new year" is most appropriate, isn't it?
>> I have set up two servers in multimaster replication, using SASL/EXTERNAL + authz_regexp (I have two authz_regexp: one for cn=config and one for the replicator DN in the data context) to authenticate the replication instances with SSL certificates.
>> I would like to implement a "local" rewrite of incoming requests (mostly BIND and Search operations) so that queries originating with a DN like "cn=jdoe,ou=people,dc=local" are transformed into "uid=jdoe,ou=people,dc=local".
>> I have two problems and one question:
> What OpenLDAP release are you using?
Sorry for the late response. (It seems my previous 2/3 answers didn't get to the list; my mistake.)
OpenLDAP 2.4.13.
> --Quanah
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration