On 04/03/2016 20:33, Quanah Gibson-Mount wrote:
Then I modified the ldif file in order to create the meta-DB and its sub-DBs containing the URIs of the target servers (if I understood correctly):
version: 1
dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=loc1,dc=root
olcSuffix: dc=loc2,dc=root
olcSuffix: dc=loc3,dc=root
I've never used meta backend, but the above doesn't look valid to me (multiple suffixes). The man page shows a single suffix, with URI directives for additional representations of the DB.
[omitted] The slapd-meta test suite shows an additional parameter, mode=self, being set. That may or may not help. ;)
Hello,
I performed further testing but I have no good news :(
About the multiple "olcSuffix" values I'm inserting into "olcDatabase={3}meta" (I don't know where I'm supposed to put multiple olcSuffix entries other than the olcDatabase entry, since it is an attribute of the olcDatabaseConfig objectclass): I configured the meta backend with just one DB suffix and just one target, in order to keep it simple and avoid, as much as possible, my own configuration mistakes. I believe this is the configuration I would have been supposed to use in order to properly configure the slapd-ldap backend (?).
Moreover, although I tried all of "mode=self", "mode=none" and "authzID="dn:cn=admin,dc=loc1,dc=root"" (and "flags=non-prescriptive" too, though without the "authzID" of course), the result is the same.
Logs from the slapd-meta equipped server report (I'm simply trying to directly access the admin dn):
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH base="cn=admin,dc=loc1,dc=root" scope=0 deref=0 filter="(objectClass=*)"
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH attr=hasSubordinates objectClass
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 meta_search_dobind_init[0] mc=0x7175f3e8: non-empty dn with empty cred; binding anonymously
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
and from the target server:
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT from IP=10.0.x.55:51909 (IP=10.0.y.85:389)
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
Thus the target server refuses the unauthenticated bind and closes the connection (as it is configured to do).
Moreover, if I put double quotes around the "binddn" directive it seems that slapd-meta doesn't recognize the dn I'm trying to use to bind to the target at all, and the target server's log reports:
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT from IP=10.0.x.55:49353 (IP=10.0.y.85:389)
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 do_search: get_ctrls failed
Just to be complete, this is (one of) the configurations I'm trying:
dn: olcMetaSub={0}uri
objectClass: olcConfig
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://server01.loc1.root/dc=loc1,dc=root"
olcDbIDAssertBind: mode=self bindmethod=simple binddn=cn=admin,dc=loc1,dc=root credentials=xxxxxxx starttls=no authzID="dn:cn=admin,dc=loc1,dc=root"
while the rest of the configuration stayed the same as the one from my first mail.
At this point I'm really stuck and the only thing I can think of is the presence of a bug somewhere in slapd-meta, since the behaviour doesn't reflect the configuration on somewhat simple parameters.
Is there anybody having the same issues? Is it still my fault in the configuration?
I really don't know where to put my hands...
Thanks for the support
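The two symptoms in the logs above (the proxy announcing "binding anonymously" and the target answering err=53 to a DN with no password, or err=123 to a proxied-authorization control on an anonymous session) are easy to miss when scattered across two servers' syslogs. The following is an added example, not code from the thread or from OpenLDAP: a small Python script that parses slapd stats-level log lines, pairs each BIND with its RESULT by conn/op, and reports those failure patterns. The sample lines are the ones quoted in the post; the finding codes (PROXY_FELL_BACK_TO_ANON, UNAUTH_BIND_REJECTED, ANON_PROXYAUTHZ_DENIED) are labels chosen for this example.

```python
"""Correlate slapd BIND/RESULT log lines to spot proxy-authentication failures.

Added example, not part of the mailing-list thread or of OpenLDAP. It parses the
stats-level lines slapd writes to syslog ("conn=N op=M <event> key=value ...")
and reports the three failure patterns visible in the quoted logs.
"""
import re
from collections import defaultdict

# Syslog prefix is ignored; everything after "conn=N " is the interesting part.
# "fd=" lines (ACCEPT/closed) carry no op number, so op is optional.
LINE_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) (?:fd=\d+ |op=(?P<op>\d+) )?(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
TEXT_RE = re.compile(r"\btext=(.*)$")  # diagnostic text may contain spaces


def parse_line(line):
    """Split one slapd log line into conn, op, event keyword and key=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    text = TEXT_RE.search(rest)
    if text:
        fields["text"] = text.group(1)
    return {
        "conn": int(m.group("conn")),
        "op": int(m.group("op")) if m.group("op") is not None else None,
        "event": rest.split(" ", 1)[0],  # BIND, RESULT, SRCH, SEARCH, UNBIND, ...
        "rest": rest,
        "fields": fields,
    }


def analyze(lines):
    """Return a list of (conn, op, code, detail) findings for the given log lines."""
    ops = defaultdict(dict)  # (conn, op) -> {"bind": fields, "result": fields}
    anon_conns = set()       # connections whose BIND carried an empty DN
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["event"] == "BIND":
            ops[key]["bind"] = rec["fields"]
            if rec["fields"].get("dn", "") == "":
                anon_conns.add(rec["conn"])
        elif rec["event"] == "RESULT" or rec["rest"].startswith("SEARCH RESULT"):
            ops[key]["result"] = rec["fields"]
        elif "binding anonymously" in rec["rest"]:
            # slapd-meta itself says it had a DN but no credentials for the target.
            findings.append((*key, "PROXY_FELL_BACK_TO_ANON", rec["rest"]))
    for (conn, op), parts in sorted(ops.items(),
                                    key=lambda kv: (kv[0][0], -1 if kv[0][1] is None else kv[0][1])):
        bind, result = parts.get("bind"), parts.get("result")
        err = int(result.get("err", 0)) if result else 0
        if bind and err == 53 and bind.get("dn"):
            # err=53 unwillingToPerform on a DN-only simple bind: target rejects it.
            findings.append((conn, op, "UNAUTH_BIND_REJECTED", result["text"]))
        if err == 123 and conn in anon_conns:
            # err=123 proxiedAuthorizationDenied on a session that bound anonymously.
            findings.append((conn, op, "ANON_PROXYAUTHZ_DENIED", result["text"]))
    return findings


# Sample input: the log lines quoted in the post above (proxy first, then target).
SAMPLE_LINES = [
    'Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH base="cn=admin,dc=loc1,dc=root" scope=0 deref=0 filter="(objectClass=*)"',
    'Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH attr=hasSubordinates objectClass',
    'Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 meta_search_dobind_init[0] mc=0x7175f3e8: non-empty dn with empty cred; binding anonymously',
    'Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=',
    'Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT from IP=10.0.x.55:51909 (IP=10.0.y.85:389)',
    'Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128',
    'Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed',
    'Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND',
    'Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed',
    'Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT from IP=10.0.x.55:49353 (IP=10.0.y.85:389)',
    'Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128',
    'Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=',
    'Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed',
    'Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 do_search: get_ctrls failed',
]

if __name__ == "__main__":
    for conn, op, code, detail in analyze(SAMPLE_LINES):
        print(f"conn={conn} op={op} {code}: {detail}")
```

Run against a real pair of logs, the proxy's PROXY_FELL_BACK_TO_ANON line is the one to key on: it says slapd-meta never picked up the credentials it was given, which is why the target sees either a DN with no password or an anonymous session carrying a proxied-authorization control.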