Hello all,
I am having problems with chasing referrals on my slave OpenLDAP server. I feel like I'm repeating an older thread here, but despite everything I have read I cannot find a solution.
My setup is as follows: Both the master and the slave are OpenLDAP 2.3.32 builds with the following configure parameters:

LD_LIBRARY_PATH="/usr/local/lib" ./configure --prefix=/usr/local --disable-ipv6 --with-tls --enable-dynamic --enable-slapd --enable-modules --enable-crypt --enable-bdb --enable-rewrite --enable-backends=yes --enable-rlookups --disable-shell --disable-sql --enable-overlays=yes --enable-slurpd=yes

At the end of the email, I have attached both the master and the slave slapd.conf.
The problem is that when I attempt an ldapadd against the slave server, I am returned a referral instead of having the slave forward the request to the master. I see no attempt to contact the master server in either the slave or master logs. Nor do I see any traffic between the two (other than syncrepl stuff) in a tcpdump. As far as I can tell the chain overlay is being ignored entirely.
Any suggestions or fixes would be greatly appreciated.
- Scott Sanders
############################################
# Master slapd.conf -- ldap://info.domain.com:389
############################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

password-hash {ssha}

security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile /usr/local/etc/openldap/security/ldap-master.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-master.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow

limits dn.exact="cn=syncuser,dc=domain,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

access to attrs=userPassword
    by self write
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=syncuser,dc=domain,dc=com" read
    by * auth

access to *
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=syncuser,dc=domain,dc=com" read
    by dn="cn=syncuser,dc=domain,dc=com" read
    by * read

database hdb
suffix cn=accesslog
directory /usr/local/var/openldap-accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZSB3Q2x57s/O
directory /usr/local/var/openldap-data
index objectClass eq
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

overlay accesslog
logdb cn=accesslog
logops writes
logsuccess true
logpurge 07+00:00 01+00:00
############################################
# Slave slapd.conf -- ldap://arch.domain.com
############################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

password-hash {ssha}

security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile /usr/local/etc/openldap/security/ldap-slave.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-slave.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow

access to attrs=userPassword
    by self write
    by dn="cn=admin,dc=domain,dc=com" read
    by dn="cn=syncuser,dc=domain,dc=com" write
    by * auth

access to *
    by dn="cn=admin,dc=domain,dc=com" read
    by dn="cn=syncuser,dc=domain,dc=com" write
    by * read

database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZkB3Q2x57s/O
overlay chain
chain-uri ldap://info.domain.com:389
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=domain,dc=com"
    credentials=secret
    mode=self
directory /usr/local/var/openldap-data
index objectClass eq
index entryUUID eq

syncrepl rid=0
    provider=ldap://info.domain.com:389
    starttls=yes
    bindmethod=simple
    binddn="cn=syncuser,dc=domain,dc=com"
    credentials=secretsyncpasswd
    searchbase="dc=domain,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemaChecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

updateref ldap://info.domain.com:389
Scott Sanders wrote:
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZkB3Q2x57s/O
overlay chain
chain-uri ldap://info.domain.com:389
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=domain,dc=com"
    credentials=secret
    mode=self
You're missing something obvious: it is the frontend that returns a referral when a client writes to the slave, so you need to place the slapo-chain __before__ any database instantiation, thus making it global, which means stacked on top of the frontend.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
openldap-software@openldap.org
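The slave slapd.conf rearranged the way the reply describes, as an added example rather than a file from either poster: the chain overlay and its chain-* directives are moved above the first "database" line, so they stack on the frontend and apply to the referral it returns for writes on the consumer; everything else (TLS files, ACLs, the bdb database, syncrepl, updateref) is the slave configuration from the first post. The binddn password "secret" is the placeholder the original post used and is not a real credential.

```conf
############################################
# Slave slapd.conf -- ldap://arch.domain.com
# Added example: chain overlay placed globally, per the reply above.
############################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

password-hash {ssha}

security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile /usr/local/etc/openldap/security/ldap-slave.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-slave.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow

access to attrs=userPassword
    by self write
    by dn="cn=admin,dc=domain,dc=com" read
    by dn="cn=syncuser,dc=domain,dc=com" write
    by * auth

access to *
    by dn="cn=admin,dc=domain,dc=com" read
    by dn="cn=syncuser,dc=domain,dc=com" write
    by * read

# Global section: directives above the first "database" line belong to the
# frontend. The frontend is what turns a write on this consumer into a
# referral (updateref, below), so the chain overlay has to sit here to
# intercept that referral and forward the write to the master.
# "secret" is the placeholder password from the original post, not a real one.
overlay chain
chain-uri ldap://info.domain.com:389
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=domain,dc=com"
    credentials=secret
    mode=self

# The database no longer carries the overlay; it is otherwise unchanged.
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZkB3Q2x57s/O
directory /usr/local/var/openldap-data
index objectClass eq
index entryUUID eq

syncrepl rid=0
    provider=ldap://info.domain.com:389
    starttls=yes
    bindmethod=simple
    binddn="cn=syncuser,dc=domain,dc=com"
    credentials=secretsyncpasswd
    searchbase="dc=domain,dc=com"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemaChecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog

# updateref stays: it is what makes the frontend produce the referral that
# the global chain overlay then follows.
updateref ldap://info.domain.com:389
```

Check the file with slaptest -f /usr/local/etc/openldap/slapd.conf before restarting slapd, then repeat the ldapadd against the slave: with the overlay global, the client should get the master's result (success or the master's own error) instead of a referral, and the master's log should show the bind from the slave. Two things to verify in the master-side setup for this version: with mode=self the slave asserts the original client's identity on the master, which the master has to permit through its authz policy for the binddn, and since the master enforces security tls=1, the chained connection needs TLS as well (see the tls directive of slapd-ldap(5), which slapo-chain(5) exposes with a chain- prefix; confirm it is available in 2.3.32). The file also holds the admin bind password in clear, so it should stay readable only by the account slapd runs as.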