1:21 a.m.
Please keep replies on the mailing list.
Paul Shevtsov wrote:
On Tue, Nov 14, 2006 at 06:12:18PM +0100, Pierangelo Masarati wrote:
> Apparently, your client tries to chase referrals anonymously, and this
> fails as expected. I don't see any software malfunction here (on the
> OpenLDAP side, at least); there might be a missing or misimplemented
> feature in the client, though.
>
Ok. I try on slave side
Client message
-------------------------------------------------------------------------
#ldapadd -W -x -D "cn=root,dc=dgb,dc=local" -f bbb1.ldif
#Enter password:
adding new entry "uid=bbb1,ou=users,dc=dgb,dc=local"
ldap_add: Referral (10)
refferals:
ldap://ldap.dgb.local/uid=bbb1,ou=users,dc=dgb,dc=local
-------------------------------------------------------------------------
Server message (loglevel stats sycn)
-------------------------------------------------------------------------
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 ACCEPT from IP=127.0.0.1:61526
(IP=0.0.0.0:389)
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND
dn="cn=root,dc=dgb,dc=local" method=128
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 BIND
dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=0 RESULT tag=97 err=0 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 ADD
dn="uid=bbb1,ou=users,dc=dgb,dc=local"
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=1 RESULT tag=105 err=10 text=
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 op=2 UNBIND
Nov 15 09:10:51 casablanca slapd[63235]: conn=863 fd=12 closed
---------------------------------------------------------------------------
And from master side i look tcmpdump and not received any
packets.
This is native ldapadd. :(
This question has been asked (and answered!) so many times... OpenLDAP
tools solve the problem of authenticated referral chasing by delegating
it to the user. They simply return a referral and don't even try to
chase it anonymously (as supposed to be useless for writes) nor by
propagating credentials to the referred DSA (it would be a very poor
decision, as the client has no means to determine whether the referred
DSA is trusted or not; or, whenever distributed authentication is
implemented, it is very likely that the referred DSA has no means to
authenticate an otherwise valid user for the initially contacted DSA.
When i try use smbldap-useradd i got:
------------------------client message-------------------------------------
smbldap-useradd bbb2
Error: Referral received at /usr/local/lib/perl5/site_perl/5.8.8/smbldap_tools.pm line
1056
----------------------------------------------------------------------------
--------------------------server message------------------------------------
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 ACCEPT from IP=127.0.0.1:50523
(IP=0.0.0.0:389)
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND
dn="cn=root,dc=dgb,dc=local" method=128
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 BIND
dn="cn=root,dc=dgb,dc=local" mech=SIMPLE ssf=0
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=0 RESULT tag=97 err=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SRCH
base="dc=dgb,dc=local" scope=2 deref=2
filter="(&(objectClass=posixAccount)(uid=bbb2))"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=1 SEARCH RESULT tag=101 err=0
nentries=0 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SRCH
base="sambaDomainName=dgb,dc=dgb,dc=local" scope=0 deref=2
filter="(objectClass=sambaUnixIdPool)"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=2 SEARCH RESULT tag=101 err=0
nentries=1 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD
dn="sambaDomainName=dgb,dc=dgb,dc=local"
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 MOD attr=uidNumber
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 op=3 RESULT tag=103 err=10 text=
Nov 15 09:40:24 casablanca slapd[63235]: conn=885 fd=21 closed (connection lost)
------------------------------------------------------------------------------
And again any packets on master side.
I should solve a problem of synchronization of passwords
for samba from slave to master LDAP.
And not find the decision. :(
Help me please.... :)
Where i am mistaken?
I think OpenLDAP has little to do with smbldap-useradd; however, it
looks like that that tool is working as expected, since it behaves the
same as ldapadd...
p.
4:53 a.m.
New subject: Problem with replica.
On Wed, Nov 15, 2006 at 10:21:39AM +0100, Pierangelo Masarati wrote:
Please keep replies on the mailing list.
Sorry. Certainly.
> packets.
> This is native ldapadd. :(
>
This question has been asked (and answered!) so many times... OpenLDAP
tools solve the problem of authenticated referral chasing by delegating
it to the user. They simply return a referral and don't even try to
chase it anonymously (as supposed to be useless for writes) nor by
propagating credentials to the referred DSA (it would be a very poor
decision, as the client has no means to determine whether the referred
DSA is trusted or not; or, whenever distributed authentication is
implemented, it is very likely that the referred DSA has no means to
authenticate an otherwise valid user for the initially contacted DSA.
Ok - so if
i have correctly undesrtood - this not mistake,
this is a feature. :)
And my config's - correct?
> And again any packets on master side.
>
> I should solve a problem of synchronization of passwords
> for samba from slave to master LDAP.
> And not find the decision. :(
>
> Help me please.... :)
> Where i am mistaken?
>
>
I think OpenLDAP has little to do with smbldap-useradd; however, it
looks like that that tool is working as expected, since it behaves the
same as ldapadd...
Also it is a question for other maillist?
:)
p.
--
Paul Shevtsov <> 380-62-3327312
<Dongorbank> <> paul(a)dongorbank.com
6159
days inactive
6159
days old
openldap-software@openldap.org
1 comments
2 participants
participants (2)
-
Paul Shevtsov -
Pierangelo Masarati