Hi,

I have sent out a relevant email about this issue before, but the context was a little complicated. So I have simplified the settings and am posting this issue again, hoping to get more attention from this mailing list.

I am trying to set up a testing environment in which there are two OpenLDAP servers, with one server (externalldap) referring to the second server (internalldap) for some users in a subtree (sub.example.com). Both servers contain some POSIX users. However, I could not get authentication for the users in the referral branch to work.

For example, this command fails:

ldapwhoami -d -1 -x -H ldap://externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password

The log of externalldap shows the following:

50e6279d bdb_dn2entry("uid=mark,ou=people,dc=sub,dc=example,dc=com")
50e6279d => bdb_dn2id("dc=example,dc=com")
50e6279d <= bdb_dn2id: got id=0x1
50e6279d => bdb_dn2id("dc=sub,dc=example,dc=com")
50e6279d <= bdb_dn2id: got id=0x6
50e6279d => bdb_dn2id("ou=people,dc=sub,dc=example,dc=com")
50e6279d <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)

I am wondering why externalldap did not just send the client the URI of the referral LDAP box and have the client connect directly to internalldap instead.

A similar error also happened when I used the ldapsearch command:

ldapsearch -d -1 -x -H ldap://externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password -CC

The referral record is defined as follows and was added to externalldap using the ldapadd command:

dn: dc=sub,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: sub
ref: ldap://10.42.13.212/dc=sub,dc=example,dc=com

The slapd.conf of both externalldap and internalldap is as follows:

#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
# RDNs in a DN are separated by commas (RFC 4514); a semicolon here is a typo
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# cleartext rootpw is acceptable on a throwaway test box only; elsewhere use
# the hash printed by slappasswd
rootpw          password
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
TLSCACertificateFile /etc/pki/tls/certs/example_cert.pem
TLSCertificateFile /etc/pki/tls/certs/example_cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/example_key.pem
# configure the SASL parameters
sasl-host localhost
# "none" clears the default noanonymous,noplain SASL security properties
sasl-secprops none

For the client, I am just using the default settings. I believe referral chasing is enabled by default in the LDAP client library.

I have spent more than two weeks on this problem, and the project has been delayed quite a lot. Referrals in LDAP have been in an RFC for more than five years. I cannot believe that OpenLDAP's implementation of referrals can't handle authentication. Can anyone kindly let me know what is missing from my setup?

Regards,

James
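Before chasing the bind behaviour itself, it is worth ruling out plain DN and LDIF syntax mistakes in a referral setup like the one above. The following checker is an added example, not code from James's post or from OpenLDAP: it takes the referral LDIF entry and the bind DN exactly as posted, plus two constructed suffix strings (one with the comma that RFC 4514 requires, one with a semicolon typo), and reports whether the suffix and entry DN parse, whether the entry carries the referral and extensibleObject classes it needs, whether it sits below the database suffix, and whether each ref URL is an ldap:// or ldaps:// URL naming the entry's own DN. The DN handling is deliberately simplified (single-valued RDNs, escapes kept verbatim, case-insensitive comparison), and the function and variable names are mine.

```python
"""Sanity-check an OpenLDAP referral object against the database suffix.

Added example, not code from the mailing-list post or from OpenLDAP.
The LDIF entry and the bind DN are copied from the post; the two suffix
strings are constructed for the demonstration.
"""
from urllib.parse import urlsplit, unquote

# Characters RFC 4514 requires to be escaped inside an attribute value.
# '+' is left out because it legitimately separates values in a multi-valued RDN.
_MUST_ESCAPE = set('",;<>')


def split_dn(dn):
    """Split a DN into normalized RDN strings; only an unescaped ',' separates RDNs."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            rdns.append(''.join(cur).strip().lower())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append(''.join(cur).strip().lower())
    return rdns


def validate_dn(dn):
    """Return a list of syntax problems; an empty list means the DN parses."""
    problems = []
    for rdn in split_dn(dn):
        atype, eq, value = rdn.partition('=')
        if not eq or not atype or not all(c.isalnum() or c == '-' for c in atype):
            problems.append(f"RDN {rdn!r} is not 'type=value'")
            continue
        i = 0
        while i < len(value):
            if value[i] == '\\':                # escaped character: skip it
                i += 2
                continue
            if value[i] in _MUST_ESCAPE:
                problems.append(f"unescaped {value[i]!r} in value of RDN {rdn!r}")
                break
            i += 1
    return problems


def is_under(child_dn, parent_dn):
    """True when child_dn lies strictly below parent_dn in the tree."""
    c, p = split_dn(child_dn), split_dn(parent_dn)
    return len(c) > len(p) and c[-len(p):] == p


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: {attr_lowercase: [values]}.
    No base64 (::), continuation lines or comments: enough for a referral object."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(':')
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry


def check_referral(ldif_text, suffix):
    """Findings about a referral object held by a database with the given suffix.
    Returns [] when nothing is obviously wrong."""
    suffix_problems = validate_dn(suffix)
    findings = [f"suffix: {p}" for p in suffix_problems]
    entry = parse_ldif_entry(ldif_text)
    dn = entry.get('dn', [''])[0]
    dn_problems = validate_dn(dn)
    findings += [f"entry dn: {p}" for p in dn_problems]
    classes = {c.lower() for c in entry.get('objectclass', [])}
    if 'referral' not in classes:
        findings.append("entry lacks objectClass: referral")
    # The referral object class alone does not allow a naming attribute such as
    # dc; the Admin Guide's referral examples add extensibleObject for that.
    if 'extensibleobject' not in classes and \
            any(k not in ('dn', 'objectclass', 'ref') for k in entry):
        findings.append("extra attributes present but no objectClass: extensibleObject")
    if not suffix_problems and not dn_problems and not is_under(dn, suffix):
        findings.append(f"{dn} is not below suffix {suffix}: this database would not hold it")
    refs = entry.get('ref', [])
    if not refs:
        findings.append("entry has no ref attribute; a referral object needs an LDAP URL")
    for ref in refs:
        url = urlsplit(ref)
        if url.scheme not in ('ldap', 'ldaps') or not url.netloc:
            findings.append(f"ref {ref!r} is not an ldap:// or ldaps:// URL with a host")
            continue
        target = unquote(url.path[1:])          # ldap://host/<dn>?attrs?scope?filter
        if target and not dn_problems and split_dn(target) != split_dn(dn):
            findings.append(f"ref {ref!r} names {target!r}, not the entry DN {dn!r}")
    return findings


# Copied from the post.
REFERRAL_LDIF = """\
dn: dc=sub,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: sub
ref: ldap://10.42.13.212/dc=sub,dc=example,dc=com
"""
BIND_DN = "uid=mark,ou=People,dc=sub,dc=example,dc=com"
# Constructed suffixes: the first is valid, the second uses ';' which is not an
# RDN separator in LDAPv3.
SUFFIX_OK = "dc=example,dc=com"
SUFFIX_TYPO = "dc=example;dc=com"

if __name__ == "__main__":
    for suffix in (SUFFIX_OK, SUFFIX_TYPO):
        print(suffix, "->", check_referral(REFERRAL_LDIF, suffix) or "ok")
    # The posted bind DN sits below the referral object, so nothing under it
    # exists locally on externalldap; that matches the DB_NOTFOUND in the log.
    print("bind DN below referral object:", is_under(BIND_DN, "dc=sub,dc=example,dc=com"))
```

Run it as-is and the valid suffix comes back clean while the semicolon variant is reported as an unescaped ';' inside a single RDN value, which is how a DN parser actually reads that string; swap in your own LDIF and suffix to check a real setup before looking at server behaviour.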