Dear all, do I need to set up syncrepl on the same proxy server that uses back_ldap in order to proxy to my master/provider openldap server?
(Master/provider openldap server) <-------- (consumer that does proxy to openldap master/provider server) [MY CURRENT SETUP]
or should I set up
(Master/provider openldap server) <-------- (consumer that does proxy and _ALSO_ _SYNCREPL_ to openldap master/provider server)
With the following setup, I cannot seem to get any data from that provider openldap server...
---------------------
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/core.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/cosine.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/inetorgperson.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/nis.schema
include /usr/local/etc/samba.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

loglevel any

#modulepath /usr/local/stow/openldap-2.4.13/libexec/openldap
modulepath /usr/local/libexec/openldap/
#just for testing, load hdb
moduleload back_hdb
moduleload back_ldap

timelimit unlimited
sizelimit unlimited
threads 8

##################################################################
database ldap
uri "ldap://192.168.28.200"
suffix "ou=people,dc=mynetwork,dc=com"
rootdn "cn=admin,dc=mynetwork,dc=com"
idassert-bind bindmethod=simple binddn="uid=proxy,ou=proxy,dc=mynetwork,dc=com" credentials="SunShine" mode=none
# tls start
#tls_cacertdir=/usr/local/etc/openldap/cacerts
idassert-authzFrom dn.subtree="ou=people,dc=mynetwork,dc=com"
-------------------------------------
Here is my ldap.conf:
[root@ext cache]# cat /usr/local/etc/openldap/ldap.conf
#URI ldap://localhost
URI ldap://192.168.28.111/
#URI ldap://192.168.28.200/
BASE ou=people,dc=mynetwork,dc=com
SIZELIMIT 0
TIMELIMIT 0
I did an ldapsearch and got nothing but "ldap_result: Can't contact LDAP server (-1)":
[root@ext cache]# ldapsearch -d 1 -v -x -W -D "uid=mydude,ou=people,dc=mynetwork,dc=com"
ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.28.111:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.28.111:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x102de7f0 msgid 1
wait4msg ld 0x102de7f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x102de7f0 msgid 1 all 1
** ld 0x102de7f0 Connections:
* host: 192.168.28.111  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Jan 15 13:51:05 2009
** ld 0x102de7f0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x102de7f0 request count 1 (abandoned 0)
** ld 0x102de7f0 Response Queue:
   Empty
  ld 0x102de7f0 response count 0
ldap_chkResponseList ld 0x102de7f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x102de7f0 NULL
ldap_int_select
read1msg: ld 0x102de7f0 msgid 1 all 1
ber_get_next
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
--------------------
I read http://www.openldap.org/doc/admin24/replication.html#Configuring%20the%20dif... and found out that syncrepl was used in the examples, but I had the impression from reading the slapd-ldap man page that I do not need syncrepl.
Please provide me with the correct ways to implement an openldap proxy server.
Thank you.
On Thu, Jan 15, 2009 at 1:58 PM, Steven Truong midair77@gmail.com wrote:
I forgot to include the log details of this server:
Jan 15 13:52:11 ext slapd[16534]: daemon: activity on 1 descriptor
Jan 15 13:52:11 ext slapd[16534]: daemon: activity on:
Jan 15 13:52:11 ext slapd[16534]:
Jan 15 13:52:11 ext slapd[16534]: slap_listener_activate(8):
Jan 15 13:52:11 ext slapd[16534]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 15 13:52:11 ext slapd[16534]: daemon: epoll: listen=8 busy
Jan 15 13:52:11 ext slapd[16534]: >>> slap_listener(ldap:///)
Jan 15 13:52:11 ext slapd[16534]: daemon: listen=8, new connection on 12
Jan 15 13:52:11 ext slapd[16534]: daemon: activity on 1 descriptor
Jan 15 13:52:11 ext slapd[16534]: daemon: activity on:
Jan 15 13:52:11 ext slapd[16534]:
Jan 15 13:52:11 ext slapd[16534]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Jan 15 13:52:11 ext slapd[16534]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Jan 15 13:52:11 ext slapd[16534]: fd=12 DENIED from unknown (192.168.28.111)
Jan 15 13:52:11 ext slapd[16534]: daemon: closing 12
Thank you.
On Thu, 15 Jan 2009, Steven Truong wrote:
credentials="SunShine"
Please change this before you go into production...
I did a ldapsearch and got nothing but "ldap_result: Can't contact LDAP server (-1)"
Good debugging, and definitely something to fix first.
I forgot to include the log details of this server:
But it's nice that you did, because it points pretty clearly at your next step...
Jan 15 13:52:11 ext slapd[16534]: fd=12 DENIED from unknown (192.168.28.111)
Edit your libwrap (hosts.allow/hosts.deny) configuration to allow 192.168.28.111 and/or whatever else you want to connect.
Then try the ldapsearch again and see how that goes. You should see "ACCEPT" instead of "DENIED."
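The "DENIED from unknown (192.168.28.111)" line and the hosts.allow/hosts.deny advice above are easy to check before touching the real files. The following is an added example, not code from the thread or from OpenLDAP: it pulls the denied client out of the slapd log excerpt and then re-evaluates that client against a constructed hosts.allow/hosts.deny pair using the tcp_wrappers decision order (first matching hosts.allow entry grants, otherwise first matching hosts.deny entry refuses, otherwise access is granted). Only a subset of the client-pattern syntax is implemented (ALL, exact address, dotted prefix, net/prefixlen); the file contents, the `diagnose` helper and the assumption that hosts.deny contained a blanket "ALL: ALL" lockdown are all constructed for the example.

```python
"""Added example: reproduce the libwrap decision behind slapd's
'fd=12 DENIED from unknown (192.168.28.111)' log line.

Evaluation order follows tcp_wrappers: hosts.allow is consulted first and a
match grants access; then hosts.deny, where a match refuses access; with no
match in either file access is granted. Supported client patterns: ALL, an
exact IPv4 address, a dotted prefix such as '192.168.28.', and net/prefixlen
or net/netmask. EXCEPT clauses and option fields are not implemented."""

import ipaddress
import re

# Constructed sample: the DENIED line from the thread plus its two neighbours.
SAMPLE_LOG = """\
Jan 15 13:52:11 ext slapd[16534]: daemon: listen=8, new connection on 12
Jan 15 13:52:11 ext slapd[16534]: fd=12 DENIED from unknown (192.168.28.111)
Jan 15 13:52:11 ext slapd[16534]: daemon: closing 12
"""

DENIED_RE = re.compile(r"slapd\[\d+\]: fd=(\d+) DENIED from (\S+) \(([\d.]+)\)")


def denied_clients(log_text):
    """Return [(fd, hostname, ip)] for every libwrap DENIED line in a slapd log."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3)))
    return found


def _client_matches(pattern, ip):
    """Match one client pattern the way tcp_wrappers would for an IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # n.n.n.n/prefixlen or n.n.n.n/m.m.m.m
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # dotted prefix, e.g. "192.168.28."
        return ip.startswith(pattern)
    return ip == pattern


def _rule_matches(rule, daemon, ip):
    """True if a 'daemon_list : client_list [: options]' rule covers daemon and ip."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    client_ok = any(_client_matches(c, ip) for c in clients)
    return daemon_ok and client_ok


def _first_match(rules_text, daemon, ip):
    """Return the first non-comment rule that matches, or None."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and _rule_matches(line, daemon, ip):
            return line
    return None


def libwrap_allows(hosts_allow, hosts_deny, daemon, ip):
    """Decide as tcp_wrappers would: allow file first, then deny file, else allow."""
    if _first_match(hosts_allow, daemon, ip) is not None:
        return True
    if _first_match(hosts_deny, daemon, ip) is not None:
        return False
    return True


# Constructed "before": a blanket lockdown that admits only sshd.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_BEFORE = "sshd: ALL\n"
# Constructed "after": the consumer/proxy host and its subnet may reach slapd.
HOSTS_ALLOW_AFTER = "sshd: ALL\nslapd: 192.168.28.111 192.168.28.0/24\n"


def diagnose(log_text, hosts_allow, hosts_deny):
    """Map each client DENIED in the log to whether the given files would now admit it."""
    return {ip: libwrap_allows(hosts_allow, hosts_deny, "slapd", ip)
            for _fd, _host, ip in denied_clients(log_text)}


if __name__ == "__main__":
    print("before:", diagnose(SAMPLE_LOG, HOSTS_ALLOW_BEFORE, HOSTS_DENY))
    print("after: ", diagnose(SAMPLE_LOG, HOSTS_ALLOW_AFTER, HOSTS_DENY))
```

The daemon name slapd hands to libwrap is "slapd", so that is the name the allow rule has to carry; a rule written for another service name (like the constructed "sshd: ALL" line) does nothing for LDAP connections, and the blanket hosts.deny entry then wins. On a host with tcp_wrappers installed, `tcpdmatch slapd 192.168.28.111` gives the authoritative answer against the real files.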
On Thu, Jan 15, 2009 at 4:47 PM, Aaron Richton richton@nbcs.rutgers.edu wrote:
Thanks for the information. I totally forgot that I had set up Bastille on this server.