4:26 a.m.
Hi,
I had bought a german book (OpenLDAP 2.4 - Das Praxisbuch) and could
successfully setup a delta-sync replication. Now I read about the
ability to add the overlay chain on the consumer side to automatically
redircet write rquests for the consumer to the provider.
I am using an online configuration and I am not able to find answers how
to add this overlay.
I am using Ubuntu, which has built openldap with module-support. So I
have already added the back_ldap.la module.
Two questions I can not get answers:
1.) Do I need to add the overlay to the thb-backend or to the frontend?
2.) Could please somebody point me to the corresponting objectClasses
that need to be added and the required attributes?
The book lists the follwing:
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple
binddn="..." credentials="..."
mode=self
flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
I can not find the olcXYZ options.
So, I thank you really very much for any help. :-)
Christian
8:45 a.m.
Christian Roessner <christian(a)roessner-net.com> writes:
Hi,
I had bought a german book (OpenLDAP 2.4 - Das Praxisbuch) and could
successfully setup a delta-sync replication. Now I read about the
ability to add the overlay chain on the consumer side to automatically
redircet write rquests for the consumer to the provider.
I am using an online configuration and I am not able to find answers how
to add this overlay.
Some information you may find here:
man slapo-chain(5)
http://www.openldap.org/doc/admin24/overlays.html#Chaining
I am using Ubuntu, which has built openldap with module-support. So
I
have already added the back_ldap.la module.
Two questions I can not get answers:
1.) Do I need to add the overlay to the thb-backend or to the
frontend?
This depends :-)
But in most cases the overlays are an extension to a specific database
declaration
2.) Could please somebody point me to the corresponting objectClasses
that need to be added and the required attributes?
The book lists the follwing:
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple
binddn="..." credentials="..."
mode=self
flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
I can not find the olcXYZ options.
You are requesting information on the config database i presume. The
relevant objectclass is olcChainConfig.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
11:02 a.m.
Hi Dieter,
This depends :-)
But in most cases the overlays are an extension to a specific database
declaration
Ok, I have added it to the htb-part:
DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}chain
> overlay chain
> chain-uri ldap://foo/
> chain-idassert-bind bindmethod=simple
> binddn="..." credentials="..."
> mode=self
> flags=non-prescriptive
> chain-rebind-as-user true
> chain-return-error true
My problem is that I can not find the corresponding old-attributes. I
only could set:
olcChainCacheURI
olcChainMaxReferralDepth
olcChainReturnError
olcChainingBehavior
So, what have I done wrong?
Thanks
Christian
12:57 p.m.
Christian Roessner <christian(a)roessner-net.com> writes:
Hi Dieter,
> This depends :-)
> But in most cases the overlays are an extension to a specific database
> declaration
Ok, I have added it to the htb-part:
DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {0}chain
>> overlay chain
>> chain-uri ldap://foo/
>> chain-idassert-bind bindmethod=simple
>> binddn="..." credentials="..."
>> mode=self
>> flags=non-prescriptive
>> chain-rebind-as-user true
>> chain-return-error true
My problem is that I can not find the corresponding old-attributes. I
only could set:
olcChainCacheURI
olcChainMaxReferralDepth
olcChainReturnError
olcChainingBehavior
So, what have I done wrong?
There is nothing wrong. The chain overlay is derived from back-ldap,
that is, only attributes unknown to back-ldap, are specific to chain
overlay.
ldapsearch [-Y external -H ldapi:///]-b "cn=subschema" -s base + | grep
-A4 'olcLDAPConfig'
will show the missing attributes. But as man slapo-chain(5) mentions,
an extension of chain- will distinguish from other configuration
parameters. If this applies to cn=config related attributes I don't
know, as I don't have a chained replication setup. Others may answer
to this.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
2:41 p.m.
Dieter Kluenter wrote:
Christian Roessner<christian(a)roessner-net.com> writes:
> Hi Dieter,
>
>> This depends :-)
>> But in most cases the overlays are an extension to a specific database
>> declaration
>
> Ok, I have added it to the htb-part:
>
> DN: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
> objectClass: olcChainConfig
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: top
> olcOverlay: {0}chain
>
>>> overlay chain
>>> chain-uri ldap://foo/
>>> chain-idassert-bind bindmethod=simple
>>> binddn="..." credentials="..."
>>> mode=self
>>> flags=non-prescriptive
>>> chain-rebind-as-user true
>>> chain-return-error true
>
> My problem is that I can not find the corresponding old-attributes. I
> only could set:
>
> olcChainCacheURI
> olcChainMaxReferralDepth
> olcChainReturnError
> olcChainingBehavior
>
> So, what have I done wrong?
There is nothing wrong. The chain overlay is derived from back-ldap,
that is, only attributes unknown to back-ldap, are specific to chain
overlay.
ldapsearch [-Y external -H ldapi:///]-b "cn=subschema" -s base + | grep
-A4 'olcLDAPConfig'
will show the missing attributes. But as man slapo-chain(5) mentions,
an extension of chain- will distinguish from other configuration
parameters. If this applies to cn=config related attributes I don't
know, as I don't have a chained replication setup. Others may answer
to this.
Under the covers, the chain overlay creates a private back-ldap instance. For
dynamically adding with cn=config, you have to create this instance yourself.
See the later section of test022-ppolicy in the test suite for an example of
how this is done.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:52 a.m.
Hi, once again,
> Under the covers, the chain overlay creates a private back-ldap
> instance. For dynamically adding with cn=config, you have to create this
> instance yourself. See the later section of test022-ppolicy in the test
> suite for an example of how this is done.
>
yesterday I told you that everything worked after setting up the chain
overlay. I could change objects on the consumer side that got redirected
to the provider.
Yesterday, I stopped the consumer side and tried to start it this day.
But suddenly I get the follwing errors:
=> access_allowed: search access to
"olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6
slapd-chain: first underlying database
"olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
cannot contain attribute "olcDbURI".
: config_add_internal:
DN="olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
no structural objectClass add function
config error processing
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=65 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Here is, what I added to th consumer to get the chain overlay added:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple
binddn="cn=admin,dc=roessner-net,dc=de"
credentials=**********
mode=self
@Dieter: You have shown me your chain solution. You do have two
ldap-directives under chain. Could this be the problem here?
This is my directory structure on the consumer side:
./cn=config:
-rw------- 1 openldap openldap 405 2009-07-19 20:40 cn=module{0}.ldif
drwxr-x--- 2 openldap openldap 4096 2009-07-01 14:57 cn=schema
-rw-r----- 1 openldap openldap 307 2009-07-01 14:25 cn=schema.ldif
drwxr-x--- 3 openldap openldap 4096 2009-07-26 11:20
olcDatabase={-1}frontend
-rw-r----- 1 openldap openldap 390 2009-07-01 14:25
olcDatabase={-1}frontend.ldif
-rw-r----- 1 openldap openldap 406 2009-07-01 14:25
olcDatabase={0}config.ldif
-rw------- 1 openldap openldap 1741 2009-07-02 09:46 olcDatabase={1}hdb.ldif
./cn=config/olcDatabase={-1}frontend:
drwxr-x--- 2 openldap openldap 4096 2009-07-26 11:20 olcOverlay={0}chain
-rw------- 1 openldap openldap 373 2009-07-26 11:20
olcOverlay={0}chain.ldif
./cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain:
-rw------- 1 openldap openldap 510 2009-07-26 11:20
olcDatabase={0}ldap.ldif
Thanks alto for your help in advance.
Christian
10:27 a.m.
Christian Roessner <christian(a)roessner-net.com> writes:
Hi, once again,
[...]
: config_add_internal:
DN="olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config"
no structural objectClass add function
config error processing
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config:
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=65 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
Hm, error=65 is objectclass violation, what attributes did you put into
olcDatabase={0}ldap,olcOverlay={0}chain
Here is, what I added to th consumer to get the chain overlay added:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple
binddn="cn=admin,dc=roessner-net,dc=de"
credentials=**********
mode=self
@Dieter: You have shown me your chain solution. You do have two
ldap-directives under chain. Could this be the problem here?
If you don't have 2 ldap entries, it might be a problem, but I'm not sure.
olcDatabase{0}ldap contains general back-ldap database related attributes, like
startTLS, proxyWhoAmI and so forth.
olcDatabase{1}ldap contains back-ldap chain database related
attributes.
But, as said, I have not much experience in chaining configuration,
but mine does what it should do.
By the way openldap version are you running? I remember vaguely some
chain ITS have been fixed recently.
[...]
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
5171
days inactive
5173
days old
openldap-software@openldap.org
6 comments
3 participants
participants (3)
-
Christian Roessner -
Dieter Kluenter -
Howard Chu