Hello,
I try to configure a proxy-server with back_meta connecting to two different AD-domains. I'm getting the result as expected if I do an ldapsearch. But now I want to add caching for the data, so I configured the following:
----------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/symas/run/slapd.args
olcLogLevel: any
olcPidFile: /var/symas/run/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: {0}back_ldap
olcModuleLoad: {1}back_meta
olcModuleLoad: {2}argon2
olcModuleLoad: {3}rwm.la
olcModuleLoad: {4}pcache.la
olcModuleLoad: {5}back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * read
olcSizeLimit: 500
olcPasswordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4

dn: olcDatabase={1}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {1}meta
olcSuffix: dc=example,dc=net
olcReadOnly: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$c2dkc3Rld3Z0ZTV0NDU0NQ$F6NZb2w8O+6BOA3L7zZ37mxFv7CPCXfHYuEiIxTYALY
olcMonitoring: FALSE
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmTFSupport: false
olcRwmMap: {0}objectClass posixAccount person
olcRwmMap: {1}attribute uid sAMAccountName

dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {1}pcache
olcPcache: mdb 100000 2 1000 100
olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName
olcPcacheAttrset: 1 uid employeeType
olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3 0 1600
olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100
olcPcacheTemplate: "(mail=)" 0 3600
olcPcacheTemplate: "(sn=)" 1 3600 100
olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200
olcPcachePersist: TRUE

dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcMdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/symas/pcache
olcDbIndex: objectClass eq
olcDbIndex: uid,employeeType,mail eq
olcDbIndex: postalAddress,telephoneNumber,givenName eq

dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net"
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=users,dc=example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbURI: "ldap://192.168.56.203/ou=com,dc=example,dc=net"
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=users,dc=example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
----------------
The same pcache setup works with back_ldap.
What did I do wrong, or did I miss something?
Using this setting with back_ldap, doing an ldapsearch, stopping the domain controller and repeating the ldapsearch, I still get the result because the data is in the cache. Setting up back_meta, as soon as I stop the domain controller I get nothing at all.
Do I have to set up a cache for every uri? Then what should be the DN?
Stefan
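An added check, written for this thread and not part of the post or of OpenLDAP: it unfolds a cn=config LDIF dump like the one above (continuation lines carry a leading space, which is how the wrapped bindmethod and binddn values arrived) and flags what a reviewer looks at first in a pcache-over-meta setup: olcPcacheTemplate entries whose attrset index is not defined, an olcRootPW without a {SCHEME} prefix, proxy bind credentials kept in cn=config, and plain ldap:// targets. The sample LDIF is constructed and shortened; its hash is a placeholder and the third template is deliberately broken.

```python
# Constructed sample modelled on the posted cn=config dump (shortened; the hash is a placeholder).
# A wrapped LDIF value continues on the next line with one leading space, as seen in the post.
SAMPLE_LDIF = """dn: olcDatabase={1}meta,cn=config
olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$PLACEHOLDERSALT$PLACEHOLDERHASH

dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName
olcPcacheAttrset: 1 uid employeeType
olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100
olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200
olcPcacheTemplate: "(cn=)" 2 3600

dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config
olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net"
olcDbIDAssertBind: mode=none bindmethod=simple binddn="cn=proxy-orguser,cn=users,dc
 =example2,dc=org" credentials="Passw0rd" tls_reqcert=never
"""

def unfold(ldif):
    """Split LDIF into entries, each a list of (attr, value), joining continuation lines first."""
    entries, cur = [], []
    for raw in ldif.splitlines() + [""]:      # sentinel blank line flushes the last entry
        if raw.startswith(" ") and cur:       # continuation of the previous value
            cur[-1] = (cur[-1][0], cur[-1][1] + raw[1:])
        elif raw.strip():
            key, _, val = raw.partition(":")
            cur.append((key.strip(), val.strip()))
        elif cur:                              # blank line terminates the entry
            entries.append(cur)
            cur = []
    return entries

def audit(ldif):
    """Return findings on pcache wiring and credential handling in a cn=config dump."""
    findings = []
    for entry in unfold(ldif):
        dn = dict(entry).get("dn", "?")
        attrsets = {v.split()[0] for k, v in entry if k == "olcPcacheAttrset"}
        for key, val in entry:
            if key == "olcPcacheTemplate":    # "<filter>" <attrset-index> <ttl> [...]
                idx = (val.rsplit('"', 1)[1] if val.startswith('"') else val.split(None, 1)[1]).split()[0]
                if idx not in attrsets:
                    findings.append(f"{dn}: template {val.split()[0]} references undefined attrset {idx}")
            elif key == "olcRootPW" and not val.startswith("{"):
                findings.append(f"{dn}: olcRootPW has no {{SCHEME}} prefix, so slapd compares it as cleartext")
            elif key == "olcDbIDAssertBind" and "credentials=" in val:
                findings.append(f"{dn}: proxy bind password sits cleartext in cn=config; lock down its ACLs and file mode")
            elif key == "olcDbURI" and val.strip('"').startswith("ldap://"):
                findings.append(f"{dn}: plain ldap:// target; a simple bind sends the password unencrypted unless StartTLS is required (olcDbStartTLS)")
    return findings
```

Run it over the output of `slapcat -n 0` to check a live server; the undefined-attrset finding is the kind of error slapd itself refuses at load time, the others it accepts silently.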