On 09/22/2010 05:52 PM, Dieter Kluenter wrote:
Bram Cymet <bcymet@cbnco.com> writes:
On 09/22/2010 07:27 AM, masarati@aero.polimi.it wrote:
Please try this patch ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch, posted some time ago in partial response to ITS#6540 and report. Thanks, p.
I will give the patch a try.
What is the patch doing? I am guessing it will fix the illegal configuration problem.
It comments out some braindead checks that I don't even remember what they were there for, which prevent reloading a valid configuration from cn=config. Consider that back-config support in back-ldap was added during the development of back-config itself, so some odd configuration cases that worked at that time might no longer be valid now.
Should I use the configuration I gave above or should it be modified?
The configuration should be fine; even the contents of the configuration database (back-config) should be valid. After applying the patch, slapd should restart fine, loading slapo-chain(5) as it is configured now.
p.
Hi,
I have applied the patch and now, after adding my config, I am able to restart slapd. The only problem now is that the chaining has stopped working. I am not sure why it worked before and not now. Will that patch be applied to future versions of OpenLDAP?
At this point I am trying to figure out the best way to take a config like:
    overlay chain
    chain-rebind-as-user FALSE

    chain-uri "ldap://ldap1.example.com"
    chain-rebind-as-user TRUE
    chain-idassert-bind bindmethod="simple"
        binddn="cn=Auth,dc=example,dc=com"
        credentials="secret"
        mode="self"

    chain-uri "ldap://ldap2.example.com"
    chain-idassert-bind bindmethod="simple"
        binddn="cn=Auth,dc=example,dc=com"
        credentials="secret"
        mode="none"
and properly add it to the cn=config directory.
In this particular case, overlay chain should be a global configuration, not a database specific configuration. This is a working example:
    <global configuration>
    ...
    overlay chain
    chain-uri ldap://some.host
    chain-idassert-bind bindmethod=simple
        binddn="cn=replicator,o=avci,c=de"
        credentials="secret"
        mode=self
        flags=non-prescriptive
    chain-return-error TRUE
    chain-rebind-as-user TRUE
    chain-tls start tls_cacert="/etc/openldap/certs/avciCA.pem" tls_reqcert=demand

    database config
    rootdn cn=config
    syncrepl rid=042
    ...

    database hdb
    suffix o=avci,c=de
    ...
    syncrepl rid=099
    ...
-Dieter
Yes, I do want it to be a global configuration. However, what you have included above would go into the slapd.conf config file, correct? My setup uses the online config, where the config is stored in LDAP itself (well, really in flat files in /etc/openldap/slap.d).
So what I need is an ldif file like the one that I had in my original post so that I can add the chain-overlay properly.
Thanks,
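For reference, the slapd.conf fragment from the original post expressed as cn=config LDIF. This is an added example, not something posted in the thread or shipped by the OpenLDAP project: it assumes the global chain overlay lives under the frontend database (olcDatabase={-1}frontend), that each chain-uri becomes its own olcDatabase={n}ldap child entry, and it reuses the thread's placeholder hosts, binddn and credentials unchanged.

```ldif
# Added example: the two-target chain overlay from the original post as
# cn=config entries. Global overlays are children of the frontend database.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

# First chain target (chain-uri ldap1): rebind as the user, assert identity
# via the Auth account in mode=self.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://ldap1.example.com"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret" mode=self

# Second chain target (chain-uri ldap2): the global default of
# chain-rebind-as-user FALSE applies, and the identity-assertion mode is none.
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://ldap2.example.com"
olcDbRebindAsUser: FALSE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret" mode=none
```

It would be loaded with something like `ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif` over the local socket, after which the entries can be inspected with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={-1}frontend,cn=config`. Two things to keep in mind: the credentials= value is written in cleartext into the corresponding file under slapd.d, so that directory needs the same file permissions you would give slapd.conf, and, as the thread notes, slapd at the time needed the referenced patch before it would restart with a chain overlay loaded from cn=config.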