Please keep replies on the mailing list.
Paul Shevtsov wrote:
On Tue, Nov 14, 2006 at 06:12:18PM +0100, Pierangelo Masarati wrote:
Apparently, your client tries to chase referrals anonymously, and this fails as expected. I don't see any software malfunction here (on the OpenLDAP side, at least); there might be a missing or misimplemented feature in the client, though.
Ok. I try on the slave side. Client message:
#ldapadd -W -x -D "cn=root,dc=dgb,dc=local" -f bbb1.ldif
#Enter password:
adding new entry "uid=bbb1,ou=users,dc=dgb,dc=local"
ldap_add: Referral (10)
refferals: ldap://ldap.dgb.local/uid=bbb1,ou=users,dc=dgb,dc=local
Server message (loglevel stats sync):
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 ACCEPT from IP=127.0.0.1:61526 (IP=0.0.0.0:389)
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" method=128
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 RESULT tag=97 err=0 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 ADD dn="uid=bbb1,ou=users,dc=dgb,dc=local"
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 RESULT tag=105 err=10 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=2 UNBIND
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 closed
And on the master side I look at tcpdump and no packets are received. This is native ldapadd. :(
This question has been asked (and answered!) so many times... OpenLDAP tools solve the problem of authenticated referral chasing by delegating it to the user. They simply return a referral and don't even try to chase it anonymously (as supposed to be useless for writes) nor by propagating credentials to the referred DSA (it would be a very poor decision, as the client has no means to determine whether the referred DSA is trusted or not; or, whenever distributed authentication is implemented, it is very likely that the referred DSA has no means to authenticate an otherwise valid user for the initially contacted DSA).
When I try to use smbldap-useradd I get:
------------------------client message-------------------------------------
smbldap-useradd bbb2
Error: Referral received at /usr/local/lib/perl5/site_perl/5.8.8/smbldap_tools.pm line 1056
--------------------------server message------------------------------------
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 ACCEPT from IP=127.0.0.1:50523 (IP=0.0.0.0:389)
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND dn="cn=root,dc=dgb,dc=local" method=128
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 RESULT tag=97 err=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SRCH base="dc=dgb,dc=local" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=bbb2))"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SRCH base="sambaDomainName=dgb,dc=dgb,dc=local" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD dn="sambaDomainName=dgb,dc=dgb,dc=local"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD attr=uidNumber
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 RESULT tag=103 err=10 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 closed (connection lost)
And again no packets on the master side. I have to solve the problem of synchronizing passwords for Samba from the slave to the master LDAP, and I cannot find the solution. :( Help me please.... :) Where am I mistaken?
I think OpenLDAP has little to do with smbldap-useradd; however, it looks like that tool is working as expected, since it behaves the same as ldapadd...
p.
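As an added illustration (not part of this thread or of OpenLDAP's own tooling), the following script shows what a defender can extract from the slapd "stats" log lines quoted above: it correlates each conn/op pair with the bind DN and peer address of its connection and reports every operation that slapd answered with err=10 (referral). On a replica this is exactly the signature of a client being pointed at the slave for writes, and it shows that the client's credentials were never forwarded. The sample lines are copied from the two server messages above (constructed for this example, trimmed to the relevant operations); the regular expressions assume the stats-level log format shown there.

```python
import re
from dataclasses import dataclass

# Sample input: slapd stats-level lines copied from the two server messages
# quoted in this thread (constructed sample, trimmed to the relevant ops).
SAMPLE_LOG = """\
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 ACCEPT from IP=127.0.0.1:61526 (IP=0.0.0.0:389)
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" method=128
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 RESULT tag=97 err=0 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 ADD dn="uid=bbb1,ou=users,dc=dgb,dc=local"
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 RESULT tag=105 err=10 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=2 UNBIND
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 closed
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 ACCEPT from IP=127.0.0.1:50523 (IP=0.0.0.0:389)
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 RESULT tag=97 err=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SRCH base="dc=dgb,dc=local" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=bbb2))"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD dn="sambaDomainName=dgb,dc=dgb,dc=local"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD attr=uidNumber
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 RESULT tag=103 err=10 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 closed (connection lost)
"""

LDAP_REFERRAL = 10  # LDAP result code "referral", the err=10 seen in the thread

# Regexes for the slapd "stats" loglevel format as it appears above (assumption:
# syslog prefix "<month> <day> <time> <host> slapd[<pid>]: conn=<n> ...").
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>SEARCH RESULT|RESULT|BIND|ADD|MOD|DEL|MODRDN|SRCH|UNBIND)(?P<args>.*)$")
DN_RE = re.compile(r'(?:dn|base)="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")


@dataclass
class Finding:
    ts: str
    conn: str
    op: str
    kind: str      # the request that was answered with a referral (ADD, MOD, ...)
    target: str    # DN (or search base) the request named
    bind_dn: str   # identity bound on that connection, "anonymous" if none seen
    peer_ip: str


def find_referrals(log_text):
    """Return one Finding per operation that slapd answered with err=10."""
    conns = {}  # conn id -> {"ip", "bind_dn", "ops": {op id: (kind, target)}}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a conn= line (e.g. a non-stats message)
        ts, conn, rest = m.group("ts"), m.group("conn"), m.group("rest")
        state = conns.setdefault(conn, {"ip": "?", "bind_dn": "anonymous", "ops": {}})
        a = ACCEPT_RE.match(rest)
        if a:
            state["ip"] = a.group("ip")
            continue
        o = OP_RE.match(rest)
        if not o:
            continue
        op, kind, args = o.group("op"), o.group("kind"), o.group("args")
        dn = DN_RE.search(args)
        if kind == "BIND":
            if dn:  # both the method= and the mech= BIND lines carry the DN
                state["bind_dn"] = dn.group("dn")
        elif kind in ("SEARCH RESULT", "RESULT"):
            e = ERR_RE.search(args)
            if e and int(e.group("err")) == LDAP_REFERRAL:
                req_kind, target = state["ops"].get(op, ("?", "?"))
                findings.append(Finding(ts, conn, op, req_kind, target, state["bind_dn"], state["ip"]))
        else:
            # Remember the request; a follow-up line without a DN (e.g. "MOD attr=...")
            # must not overwrite the DN recorded from the first line of that op.
            if dn or op not in state["ops"]:
                state["ops"][op] = (kind, dn.group("dn") if dn else "?")
    return findings


def report(findings):
    """Human-readable one-line summaries, one per finding."""
    return [
        f"{f.ts} conn={f.conn} op={f.op}: {f.kind} on {f.target!r} by {f.bind_dn!r} "
        f"from {f.peer_ip} answered with referral (err={LDAP_REFERRAL})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_referrals(SAMPLE_LOG)):
        print(line)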
On Wed, Nov 15, 2006 at 10:21:39AM +0100, Pierangelo Masarati wrote:
Please keep replies on the mailing list.
Sorry. Certainly.
packets. This is native ldapadd. :(
This question has been asked (and answered!) so many times... OpenLDAP tools solve the problem of authenticated referral chasing by delegating it to the user. They simply return a referral and don't even try to chase it anonymously (as supposed to be useless for writes) nor by propagating credentials to the referred DSA (it would be a very poor decision, as the client has no means to determine whether the referred DSA is trusted or not; or, whenever distributed authentication is implemented, it is very likely that the referred DSA has no means to authenticate an otherwise valid user for the initially contacted DSA).
Ok - so if I have correctly understood - this is not a mistake, this is a feature. :)
And is my config correct?
And again no packets on the master side. I have to solve the problem of synchronizing passwords for Samba from the slave to the master LDAP, and I cannot find the solution. :( Help me please.... :) Where am I mistaken?
I think OpenLDAP has little to do with smbldap-useradd; however, it looks like that tool is working as expected, since it behaves the same as ldapadd...
Also, is it a question for another mailing list? :)
p.
openldap-software@openldap.org