I'm using chaining as well, from 3 slaves that chain to a single master. In my case, I created a new user to do the chaining (cn=proxyUser,dc=domain). In order to get my setup working I had to add an authzTo URI to my cn=proxyUser account in addition to the chain-* configuration references you mentioned:

# proxyUser, domain
dn: cn=proxyUser,dc=domain
authzTo: {0}ldap:///ou=people,dc=domain??one?(objectClass=posixAccount)

All my user accounts are in the ou=people branch and all contain the objectClass posixAccount, as indicated above. You may need to craft a different URI depending on what accounts you want to modify and where they live. The slapd-ldap(5) man page has more info on using authzTo.

(I don't know if this is necessarily the fix in your case as you're using what appears to be your admin account to do the chaining, but this is what got mine working)


-Michael Proto
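As an added illustration (not from either message), here are the three pieces Michael describes written as LDIF for a cn=config deployment, since Eric's consumers are configured that way: the master's authorization policy, the proxy user's authzTo rule, and the consumer's chain overlay asserting the original user's identity. The suffix dc=example,dc=com, the proxy user's DN, the frontend placement of the overlay and the placeholder password are assumptions; the master hostname is the one from Eric's slapd.conf.

```ldif
# --- On the master: authzTo rules are only consulted when the global
# authorization policy allows "to" rules (assumed: applied as config rootdn).
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# --- On the master: the identity the consumers bind with. The authzTo URI
# lets it assert any posixAccount directly under ou=people (assumed suffix).
dn: cn=proxyUser,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: proxyUser
userPassword: REPLACE-WITH-PASSWORD-HASH
authzTo: {0}ldap:///ou=people,dc=example,dc=com??one?(objectClass=posixAccount)

# --- On each consumer: cn=config form of the "overlay chain" stanza from
# Eric's slapd.conf, here attached to the frontend database (assumed).
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

# The ldap backend under the overlay: bind as proxyUser, then assert the
# DN of the user who sent the write (mode=self), which authzTo must permit.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://tntest-ldap-master-1.example.com"
olcDbStartTLS: start
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxyUser,dc=example,dc=com" credentials="REPLACE-WITH-PASSWORD" mode=self
```

Load each piece with ldapmodify on the host it belongs to, the cn=config parts as the config rootdn (for example `-Y EXTERNAL -H ldapi:///`). The asserted user still needs write access under the master's ACLs; authzTo only decides whether proxyUser may act as that user.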


On Wed, Jul 17, 2013 at 3:44 PM, <espeake@oreillyauto.com> wrote:

Okay, my referral chaining was working and then stopped working.  I get an
error 10 when I submit a change to my clustered consumers that are set up to
refer writes to my master LDAP server.  In looking at the configuration
help in the online documentation it shows how to set up the slapd.conf file
on the master.  The issue here is that everything is set up through
cn=config.  My consumers do have a slapd.conf file along with cn=config
files.  I have inherited these servers so I'm sure what the person here
before me was trying to do.  I have an idea but I didn't like that idea.

Here is the chaining command from my slapd.conf file.

overlay                        chain
chain-uri              "ldap://tntest-ldap-master-1.example.com"
chain-rebind-as-user   TRUE
chain-idassert-bind    bindmethod="simple"
                       binddn="uid=admin,dc=oreillyauto,dc=com"
                       credentials="password"
                       mode="self"
chain-tls              start
chain-return-error     TRUE


Then the syncrepl area:
syncrepl rid 002
        provider=ldap://tntest-ldap-master-1.example.com
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=oreillyauto,dc=com"
        binddn="uuid=syncrepl,ou=system,dc=oreillyauto,dc=com"
        credentials=password

updatedn  "uid=ldapadmin,ou=system,dc=example,dc=com"
updateref ldap://tntest-ldap-master-1.example.com

I need to be pointed in the right direction please.
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
