Hello,

I'm trying to use slapo-chain to do automatic chaining on the slave. I have seen the howto about this and I think my configuration is correct, but it doesn't work all the time! I have a strange problem: it works correctly for some time, but if I modify my configuration for something else, for example to add ppolicy, and restart the servers, it stops working. Even if I delete the last modification, I can't get it working again. For reasons I don't know, the slave sometimes sends the correct bind, and other times it binds to the master anonymously! In the latter case, I get these errors:
For a password change:
  LDAP password information update failed: Proxy Authorization Failure
For ldapmodify:
  ldap_modify: Strong(er) authentication required (8)

If I comment out the security parameter on the master, it doesn't change anything.
My setup:
- version 2.3.38
- 1 master
- 2 slaves as replicas using syncrepl and authenticating to the master by SASL EXTERNAL
On the master, I have added these entries:
--------------------------------------------------------------
dn: cn=referral1,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral1
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$

dn: cn=referral2,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral2
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
--------------------------------------------------------------

-------------------- Master config: ------------------
moduleload back_ldap.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
moduleload accesslog.la
moduleload auditlog.la
moduleload lastmod.la
##
TLSCertificateFile /etc/ssl/openldap2.3/master.crt
TLSCertificateKeyFile /etc/ssl/openldap2.3/private/master.key
TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt
TLSVerifyClient allow
##
sasl-secprops none
# logging
loglevel 256
security ssf=1 update_ssf=112 simple_bind=64
##
authz-policy to
authz-regexp cn=slave1 cn=referral1,ou=system,dc=example,dc=com
authz-regexp cn=slave2 cn=referral2,ou=system,dc=example,dc=com
####
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,ou=system,dc=example,dc=com"
rootpw toto
directory /usr/local/ldap
mode 0600
#
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
##
lastmod on
cachesize 2000
checkpoint 256 5
#
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
##
limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited
limits dn.regex="cn=slave1.example.com" size=unlimited time=unlimited
------------------------------ Slave1 Config -----------------------------
moduleload back_ldap.la
moduleload accesslog.la
moduleload auditlog.la
moduleload unique.la
moduleload lastmod.la
#
TLSCertificateFile /etc/ssl/openldap2.3/slave1.crt
TLSCertificateKeyFile /etc/ssl/openldap2.3/private/slave1.key
TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt
TLSVerifyClient allow
sasl-secprops none
loglevel 256
security ssf=0 update_ssf=156 simple_bind=64
## chasing referrals
overlay chain
chain-uri ldap://master.example.com
chain-idassert-bind bindmethod=sasl saslmech="EXTERNAL" binddn="cn=bugworkaround" mode="self" starttls="critical" min_ssf="163"
chain-tls start
chain-return-error TRUE
#chain-idassert-authzFrom "*"
#
database bdb
suffix "dc=example,dc=com"
##
rootdn "cn=admin,ou=system,dc=example,dc=com"
rootpw secret
directory /env/database/ldap
lastmod off
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
#
limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited
#
syncrepl rid=23
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry=3,1,10,2,60,+
    searchbase="dc=example,dc=com"
    filter="(objectClass=*)"
    attrs="*"
    scope=sub
    schemachecking=off
    bindmethod=sasl
    saslmech=EXTERNAL
    starttls=critical
##
updateref "ldap://master.example.com"
Any help will be appreciated...
openldap-software@openldap.org
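Added example (not part of the original post, and not OpenLDAP's code): a small Python model of the master-side decision the configuration above depends on. When the slave's chain overlay forwards a write, the master first maps the SASL EXTERNAL identity through the posted authz-regexp rules (the identity is assumed here to be "dn:<certificate subject DN>"), then checks the mapped entry's authzTo against the DN asserted with proxyAuthz. The regexes and referral DNs are copied from the posted config; the certificate subjects and user DNs used as inputs are constructed for the demo, and DN normalization is simplified.

```python
import re

# Illustrative model of slapd's authz-regexp + authzTo path; not slapd itself.
# DN normalization and the full authz-regexp/authzTo syntax are simplified.

# authz-regexp rules from the posted master config (first match wins).
# Assumption: for SASL EXTERNAL over TLS the identity being matched is
# "dn:<certificate subject DN>".
AUTHZ_REGEXP = [
    (r"cn=slave1", "cn=referral1,ou=system,dc=example,dc=com"),
    (r"cn=slave2", "cn=referral2,ou=system,dc=example,dc=com"),
]

# authzTo values on the mapped entries (authz-policy to), as posted.
USERS_RULE = r"dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$"
AUTHZ_TO = {
    "cn=referral1,ou=system,dc=example,dc=com": [USERS_RULE],
    "cn=referral2,ou=system,dc=example,dc=com": [USERS_RULE],
}


def map_sasl_identity(authc_id):
    """Rewrite a SASL identity with the authz-regexp rules; return the local DN."""
    for pattern, replacement in AUTHZ_REGEXP:
        m = re.search(pattern, authc_id)  # unanchored unless the pattern anchors
        if m:
            # slapd expands $0..$9 in the replacement with capture groups.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replacement)
    # No rule matched: the identity stays the raw certificate DN, which has
    # no entry (and so no authzTo) in this directory.
    return authc_id[len("dn:"):] if authc_id.startswith("dn:") else authc_id


def authorize_proxy(authc_dn, requested_dn):
    """Decide a proxyAuthz request the way the master's authzTo rules would."""
    if not authc_dn:
        # Anonymous bind: there is no bound entry to carry authzTo.
        return False, "Proxy Authorization Failure (anonymous bind)"
    rules = AUTHZ_TO.get(authc_dn.lower())
    if not rules:
        return False, "Proxy Authorization Failure (no authzTo on %s)" % authc_dn
    for rule in rules:
        if rule.startswith("dn.regex:") and re.search(rule[len("dn.regex:"):], requested_dn):
            return True, "ok"
        if rule.startswith("dn:") and rule[len("dn:"):].lower() == requested_dn.lower():
            return True, "ok"
    return False, "Proxy Authorization Failure (authzTo does not cover %s)" % requested_dn


def chained_op(cert_subject_dn, client_dn, external_bind_succeeded=True):
    """
    What the master sees when the slave forwards a write: a SASL EXTERNAL bind
    (or, in the failure mode described in the post, an anonymous one) followed
    by a proxyAuthz assertion of the original client's DN (idassert mode=self).
    """
    authc_dn = map_sasl_identity("dn:" + cert_subject_dn) if external_bind_succeeded else ""
    return authorize_proxy(authc_dn, client_dn)


if __name__ == "__main__":
    # Constructed inputs; these certificate subjects are invented for the demo.
    slave1 = "cn=slave1.example.com,ou=system,dc=example,dc=com"
    user = "uid=jdoe,ou=users,dc=example,dc=com"
    cases = [
        ("slave1, EXTERNAL ok, user write", chained_op(slave1, user)),
        ("slave1, bind arrived anonymous", chained_op(slave1, user, external_bind_succeeded=False)),
        ("unmapped host cert", chained_op("cn=otherhost,ou=system,dc=example,dc=com", user)),
        ("slave1 asserting a non-user DN", chained_op(slave1, "cn=admin,ou=system,dc=example,dc=com")),
        # The unanchored pattern 'cn=slave1' also matches a host named slave10.
        ("slave10 cert", chained_op("cn=slave10.example.com,ou=system,dc=example,dc=com", user)),
    ]
    for label, (ok, reason) in cases:
        print("%-35s %s" % (label, "allowed" if ok else reason))
```

The second case reproduces the symptom in the post: if the bind reaching the master is anonymous, there is no mapped entry and every proxyAuthz request fails, whatever authzTo says. One thing worth checking on a server configured this way is that the master actually obtains a verified client certificate: with TLSVerifyClient allow, a certificate that fails verification is ignored and the session simply proceeds without a SASL EXTERNAL identity. The last case shows a separate caveat of the posted rules: because "cn=slave1" is unanchored, any certificate whose subject contains that substring is mapped onto referral1, so anchoring the pattern to the full expected subject is the safer form.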