Hi,
On 30.12.2015 at 11:49, Marc Patermann wrote:
> I want to activate chaining for a single backend.
> The server is a replication consumer and has a few glued database backends. Only one contains Linux accounts with the ppolicy overlay. This one should use chaining to replicate the ppolicy changes, which otherwise stay local.
> Can this be achieved?
I would like to come back to this.
Here is our example with multiple glued databases and chaining. First there is the "full chain" configuration, where the chain overlay is loaded globally and should work for all database backends. This works.
Then there is the example where the chain overlay is loaded only in the Linux database backend. This does not chain the request to the master.
///////////////////////////////////
## full_chain config excerpt (see attachment for full config):
overlay chain
…
database mdb
suffix "ou=humans,o=example,c=org"
subordinate
…
database mdb
suffix "ou=linux,o=example,c=org"
subordinate
chain-uri "ldap://SERVER"
chain-idassert-bind bindmethod="simple"
    binddn="cn=linux,ou=mgr,o=example,c=org"
    credentials=somethingsecret
    mode="self"
chain-return-error TRUE
…
database mdb
suffix "o=example,c=org"
…
Tests with modify:
### modify on DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Proxied Authorization Denied (123)
-> chaining is working (we did not correct the permissions on the master for this DB)
### modify on DB Linux
Working as expected.
///////////////////////////////////
## partial_chain config excerpt (see attachment for full config):
database mdb
suffix "ou=humans,o=example,c=org"
subordinate
…
database mdb
suffix "ou=linux,o=example,c=org"
subordinate
…
overlay chain
chain-uri "ldap://SERVER"
chain-idassert-bind bindmethod="simple"
    binddn="cn=linux,ou=mgr,o=example,c=org"
    credentials=somethingsecret
    mode="self"
chain-return-error TRUE
…
database mdb
suffix "o=example,c=org"
Tests with modify:
### modify on DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Referral (10)
        referrals:
                ldap://SERVER/employeeNumber=0,ou=humans,ou=humans,o=example,c=org
-> expected behavior
### modify on DB Linux
ldapmodify -f /tmp/new_user.ldif -x -D "cn=linux,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
adding new entry "uid=a12345a,ou=accounts,ou=linux,o=example,c=org"
ldap_add: Referral (10)
        referrals:
                ldap://SERVER/uid=a12345a,ou=accounts,ou=linux,o=example,c=org
-> should have used the chain instead of returning a referral
///////////////////////////////////
Why does the last test not use chaining? Any hints?
Marc