Hi,
I bought a German book (OpenLDAP 2.4 - Das Praxisbuch) and could successfully set up a delta-sync replication. Now I read about the ability to add the overlay chain on the consumer side to automatically redirect write requests for the consumer to the provider.
I am using an online configuration and I am not able to find answers on how to add this overlay.
I am using Ubuntu, which has built openldap with module-support. So I have already added the back_ldap.la module.
Two questions I cannot get answers to:
1.) Do I need to add the overlay to the hdb backend or to the frontend?
2.) Could somebody please point me to the corresponding objectClasses that need to be added and the required attributes?
The book lists the following:
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
I cannot find the olcXYZ options.
So, I thank you really very much for any help. :-)
Christian
Christian Roessner christian@roessner-net.com writes:
Hi,
I bought a German book (OpenLDAP 2.4 - Das Praxisbuch) and could successfully set up a delta-sync replication. Now I read about the ability to add the overlay chain on the consumer side to automatically redirect write requests for the consumer to the provider.
I am using an online configuration and I am not able to find answers on how to add this overlay.
Some information you may find here:
man slapo-chain(5)
http://www.openldap.org/doc/admin24/overlays.html#Chaining
I am using Ubuntu, which has built openldap with module-support. So I have already added the back_ldap.la module.
Two questions I cannot get answers to:
1.) Do I need to add the overlay to the hdb backend or to the frontend?
This depends :-) But in most cases the overlays are an extension to a specific database declaration.
2.) Could somebody please point me to the corresponding objectClasses that need to be added and the required attributes?
The book lists the following:
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
I cannot find the olcXYZ options.
You are requesting information on the config database, I presume. The relevant objectClass is olcChainConfig.
-Dieter
Hi Dieter,
This depends :-) But in most cases the overlays are an extension to a specific database declaration.
Ok, I have added it to the hdb part:
DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}chain
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
My problem is that I cannot find the corresponding olc attributes. I could only set:
olcChainCacheURI
olcChainMaxReferralDepth
olcChainReturnError
olcChainingBehavior
So, what have I done wrong?
Thanks,
Christian
Christian Roessner christian@roessner-net.com writes:
Hi Dieter,
This depends :-) But in most cases the overlays are an extension to a specific database declaration.
Ok, I have added it to the hdb part:
DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}chain
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
My problem is that I cannot find the corresponding olc attributes. I could only set:
olcChainCacheURI
olcChainMaxReferralDepth
olcChainReturnError
olcChainingBehavior
So, what have I done wrong?
There is nothing wrong. The chain overlay is derived from back-ldap, that is, only attributes unknown to back-ldap are specific to the chain overlay.
ldapsearch [-Y external -H ldapi:///] -b "cn=subschema" -s base + | grep -A4 'olcLDAPConfig'
will show the missing attributes. But as man slapo-chain(5) mentions, an extension of chain- will distinguish them from other configuration parameters. Whether this applies to cn=config related attributes I don't know, as I don't have a chained replication setup. Others may answer this.
-Dieter
Dieter Kluenter wrote:
Christian Roessner christian@roessner-net.com writes:
Hi Dieter,
This depends :-) But in most cases the overlays are an extension to a specific database declaration.
Ok, I have added it to the hdb part:
DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}chain
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple binddn="..." credentials="..." mode=self flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
My problem is that I cannot find the corresponding olc attributes. I could only set:
olcChainCacheURI
olcChainMaxReferralDepth
olcChainReturnError
olcChainingBehavior
So, what have I done wrong?
There is nothing wrong. The chain overlay is derived from back-ldap, that is, only attributes unknown to back-ldap are specific to the chain overlay.
ldapsearch [-Y external -H ldapi:///] -b "cn=subschema" -s base + | grep -A4 'olcLDAPConfig'
will show the missing attributes. But as man slapo-chain(5) mentions, an extension of chain- will distinguish them from other configuration parameters. Whether this applies to cn=config related attributes I don't know, as I don't have a chained replication setup. Others may answer this.
Under the covers, the chain overlay creates a private back-ldap instance. For dynamically adding with cn=config, you have to create this instance yourself. See the later section of test022-ppolicy in the test suite for an example of how this is done.
Hi, once again,
Under the covers, the chain overlay creates a private back-ldap instance. For dynamically adding with cn=config, you have to create this instance yourself. See the later section of test022-ppolicy in the test suite for an example of how this is done.
yesterday I told you that everything worked after setting up the chain overlay. I could change objects on the consumer side that got redirected to the provider.
Yesterday, I stopped the consumer side and tried to start it today. But suddenly I get the following errors:
=> access_allowed: search access to "olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6
slapd-chain: first underlying database "olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" cannot contain attribute "olcDbURI".
: config_add_internal: DN="olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" no structural objectClass add function
config error processing olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=65 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Here is what I added to the consumer to get the chain overlay added:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=roessner-net,dc=de" credentials=********** mode=self
@Dieter: You have shown me your chain solution. You do have two ldap-directives under chain. Could this be the problem here?
This is my directory structure on the consumer side:
./cn=config:
-rw------- 1 openldap openldap  405 2009-07-19 20:40 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 2009-07-01 14:57 cn=schema
-rw-r----- 1 openldap openldap  307 2009-07-01 14:25 cn=schema.ldif
drwxr-x--- 3 openldap openldap 4096 2009-07-26 11:20 olcDatabase={-1}frontend
-rw-r----- 1 openldap openldap  390 2009-07-01 14:25 olcDatabase={-1}frontend.ldif
-rw-r----- 1 openldap openldap  406 2009-07-01 14:25 olcDatabase={0}config.ldif
-rw------- 1 openldap openldap 1741 2009-07-02 09:46 olcDatabase={1}hdb.ldif

./cn=config/olcDatabase={-1}frontend:
drwxr-x--- 2 openldap openldap 4096 2009-07-26 11:20 olcOverlay={0}chain
-rw------- 1 openldap openldap  373 2009-07-26 11:20 olcOverlay={0}chain.ldif

./cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain:
-rw------- 1 openldap openldap  510 2009-07-26 11:20 olcDatabase={0}ldap.ldif
Thanks a lot for your help in advance.
Christian
Christian Roessner christian@roessner-net.com writes:
Hi, once again,
[...]
: config_add_internal: DN="olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config" no structural objectClass add function
config error processing olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=65 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Hm, error=65 is objectClass violation. What attributes did you put into olcDatabase={0}ldap,olcOverlay={0}chain?
Here is what I added to the consumer to get the chain overlay added:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=roessner-net,dc=de" credentials=********** mode=self
@Dieter: You have shown me your chain solution. You do have two ldap-directives under chain. Could this be the problem here?
If you don't have 2 ldap entries, it might be a problem, but I'm not sure. olcDatabase={0}ldap contains general back-ldap database related attributes, like startTLS, proxyWhoAmI and so forth. olcDatabase={1}ldap contains back-ldap chain database related attributes. But, as said, I have not much experience in chaining configuration, but mine does what it should do. By the way, which openldap version are you running? I remember vaguely some chain ITS have been fixed recently.
[...]
-Dieter
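The thread ends with two pieces of the puzzle: slapd refuses to start because the first back-ldap instance under the chain overlay carries olcDbURI, and Dieter's working setup has two ldap entries under the overlay. The script below is an added example, not code from the thread or from the OpenLDAP project: it embeds a constructed copy of the single-entry LDIF that failed and a constructed two-entry layout ({0}ldap as the default instance without a URI, {1}ldap carrying the provider URI and the identity-assertion bind), then parses both and applies the rule from the quoted slapd error. Host names, DNs and credentials are placeholders; olcDbRebindAsUser and olcChainReturnError are the cn=config spellings of the book's chain-rebind-as-user and chain-return-error directives, and olcChainReturnError is one of the attributes Christian listed. The check mirrors only the error seen in the thread and is not a substitute for slaptest.

```python
"""Check a cn=config LDIF for the slapo-chain layout the thread arrives at.

Rule taken from the slapd error quoted in the thread: the first back-ldap
database under olcOverlay={N}chain is the default instance and must not
carry olcDbURI; target-specific instances ({1}ldap, ...) must carry one.
All DNs, hosts and credentials below are constructed placeholders.
"""
import re

# back-ldap database entries that live under a chain overlay; the {N}
# ordering index is optional because slapd assigns it on add
CHAIN_DB_RE = re.compile(
    r"^olcDatabase=(?:\{(\d+)\})?ldap,olcOverlay=\{\d+\}chain,", re.IGNORECASE
)


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {lowercased attr: [values]}).

    Unfolds continuation lines (leading single space), skips comments and
    changetype lines; the '::' base64 form is left undecoded.
    """
    entries = []
    text = text.replace("\n ", "")  # unfold lines continued with one space
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.lstrip(":").strip()
            if name == "dn":
                dn = value
            elif name != "changetype":
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def check_chain_layout(text):
    """Return a list of problem strings; an empty list means the layout is acceptable."""
    problems, dbs = [], []
    for dn, attrs in parse_ldif(text):
        m = CHAIN_DB_RE.match(dn)
        if m:
            idx = int(m.group(1)) if m.group(1) else len(dbs)
            dbs.append((idx, dn, attrs))
    if not dbs:
        return ["no back-ldap database entry found under the chain overlay"]
    for idx, dn, attrs in sorted(dbs, key=lambda d: d[0]):
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        for oc in ("olcldapconfig", "olcchaindatabase"):
            if oc not in ocs:
                problems.append(f"{dn}: missing objectClass {oc}")
        has_uri = "olcdburi" in attrs  # attribute names are case-insensitive
        if idx == 0 and has_uri:
            problems.append(f"{dn}: first underlying database cannot contain olcDbURI")
        elif idx > 0 and not has_uri:
            problems.append(f"{dn}: target database needs an olcDbURI")
    return problems


# constructed copy of the single-entry form that made slapd refuse to start
BROKEN_LDIF = """\
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbURI: ldap://provider.example.invalid/
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=invalid"
  credentials=PLACEHOLDER mode=self
"""

# constructed two-instance form: {0}ldap is the default with no URI,
# {1}ldap carries the provider URI and the identity-assertion bind
FIXED_LDIF = """\
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbRebindAsUser: TRUE

dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbURI: ldap://provider.example.invalid/
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=example,dc=invalid"
  credentials=PLACEHOLDER mode=self flags=non-prescriptive
olcDbRebindAsUser: TRUE
"""

if __name__ == "__main__":
    for name, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(name, check_chain_layout(ldif) or "OK")
```

Run it against the LDIF you are about to feed to ldapadd; on the broken sample it reports the same "first underlying database cannot contain olcDbURI" condition slapd logged, and on the two-instance sample it reports nothing. Keep the credentials placeholder out of any file you commit; the {0}ldap entry is where connection-wide back-ldap settings such as startTLS belong, and each {N>0}ldap entry names one chaining target.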
openldap-software@openldap.org