Hello,
I've got the following working slapd.conf: -------------------- include /opt/symas/etc/openldap/schema/core.schema include /opt/symas/etc/openldap/schema/cosine.schema include /opt/symas/etc/openldap/schema/inetorgperson.schema include /opt/symas/etc/openldap/schema/misc.schema include /opt/symas/etc/openldap/schema/nis.schema include /opt/symas/etc/openldap/schema/msuser.schema modulepath /opt/symas/lib/openldap moduleload back_ldap moduleload back_mdb moduleload rwm.la moduleload memberof.la moduleload pcache.la loglevel any pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args
database ldap readonly yes protocol-version 3 rebind-as-user yes uri "ldap://192.168.56.201:389" suffix "dc=example1,dc=net" rootdn "cn=admin,dc=example1,dc=net" idassert-bind bindmethod=simple mode=none binddn="CN=Administrator,cn=users,dc=example1,dc=net" credentials=Passw0rd tls_cacertdir=/opt/symas/etc/openldap tls_reqcert=never idassert-authzFrom "*"
overlay rwm rwm-map attribute uid sAMAccountName rwm-map objectClass posixAccount person
overlay memberof memberof-group-oc groupOfuniqueNames memberof-member-ad uniquemember memberof-dangling error
overlay pcache pcache mdb 100000 6 1000 100 pcachePersist TRUE directory "/var/symas/pcache" pcacheAttrset 0 1.1 pcacheTemplate (uid=) 0 3600 pcacheTemplate (&(|(objectClass=))) 0 3600 pcacheAttrset 1 employeetype givenName cn sn uid mail pcacheTemplate (uid=) 1 3600 pcacheBind (uid=) 1 3600 sub dc=de pcacheAttrset 2 givenName cn sn uid mail uidNumber pcacheTemplate (objectClass=) 2 3600 pcacheAttrset 3 userPassword pcacheTemplate (uid=) 3 3600 pcacheTemplate (objectClass=) 2 3600 pcacheAttrset 4 employeetype givenName cn sn uid mail pcacheTemplate (uid=) 1 3600 pcacheAttrset 5 memberOf pcacheTemplate (objectClass=*) 2 3600 -------------------- Search for an entry in AD is working: ---------------------- root@ldap-proxy01:~/server-setup/proxy# ldapsearch -x -b dc=example1,dc=net cn=administrator -LLL dn
dn: cn=Administrator,cn=Users,dc=example1,dc=net ----------------------
Now I want to convert it to cn=config but Im getting the following error: -------------------- root@ldap-proxy01:/opt/symas/etc/openldap# slaptest -F ./my-slapd.d/ -f slapd.conf Entry (olcDatabase={0}mdb,olcOverlay={2}pcache,olcDatabase={1}ldap,cn=config): object class 'olcMdbBkConfig' requires attribute 'olcBackend' config_build_entry: build "olcDatabase={0}mdb" failed: "(null)" config file testing succeeded mdb_opinfo_get: err Permission denied(13) --------------------
Then I try to create my own LDIFs:
basic config: ----------------- dn: cn=config objectClass: olcGlobal cn: config olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcArgsFile: /var/symas/run/slapd.args olcToolThreads: 1
dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema
dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: back_mdb olcModuleLoad: back_ldap olcModuleLoad: back_monitor olcModuleLoad: argon2
include: file:///opt/symas/etc/openldap/schema/core.ldif include: file:///opt/symas/etc/openldap/schema/cosine.ldif include: file:///opt/symas/etc/openldap/schema/nis.ldif include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif include: file:///opt/symas/etc/openldap/schema/msuser.ldif
dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcSizeLimit: 500 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read
dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read
dn: olcDatabase={2}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {2}ldap olcSuffix: dc=example1,dc=net olcAddContentAcl: FALSE olcLastMod: FALSE olcLastBind: FALSE olcLastBindPrecision: 0 olcMaxDerefDepth: 15 olcReadOnly: TRUE olcRootDN: cn=admin,dc=example1,dc=net olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbURI: "ldap://dc-net01.example.net:389" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=administrator,cn=users,dc =example1,dc=net" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 t ls_cacertdir="/opt/symas/etc/openldap" tls_reqcert=never tls_reqsan=allow tls _crlcheck=none olcDbIDAssertAuthzFrom: * olcDbRebindAsUser: TRUE olcDbChaseReferrals: FALSE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 -----------------
LDIF for rwm ------------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm.la
dn: olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid sAMAccountName ------------------
LDIF for pcache ------------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: pcache.la
dn: olcOverlay={3}pcache,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {3}pcache olcPcache: mdb 100000 5 1000 100 olcPcacheAttrset: 0 employeeType givenName cn sn uid mail olcPcacheAttrset: 1 givenName cn sn uid mail uidNumber olcPcacheAttrset: 2 userPassword olcPcacheAttrset: 3 employeeType givenName cn sn uid mail olcPcacheAttrset: 4 memberOf olcPcacheTemplate: "(objectClass=*)" 2 3600 0 0 0 olcPcacheTemplate: (&(objectClass=)(memberUid=)) 2 300 olcPcacheTemplate: (&(objectClass=)(uid=)) 0 300
dn: olcDatabase=mdb,olcOverlay={3}pcache,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDbDirectory: /var/symas/pcache olcDbIndex: pcacheQueryID eq ------------------
But wenn I do a ldapsearch I got the following result: ---------------- root@ldap-proxy01:~/server-setup/proxy# ldapsearch -x -b dc=example1,dc=net cn=administrator -LLL dn # refldap://example1.net/CN=Configuration,DC=example1,DC=net
# refldap://example1.net/DC=DomainDnsZones,DC=example1,DC=net
# refldap://example1.net/DC=ForestDnsZones,DC=example1,DC=net ---------------- I only got the Referrals from AD, but not the object I'm looking for.
It's nearly impossible to find a good documentation on how to setup pcache overlay via cn=config. As i said with slapd.conf everyting works.
Any hint that get things working as expected?
When I'm starting the slapd the log is showing: ----------- mdb_db_open: database "dc=example1,dc=net": dbenv_open(/var/symas/pcache).
-----------
Same Server different problem
I did not add memberof, because everytime I add the overlay with the following LDIF (should be replaced by dynlist in the near future) But I think it should work: -------------- dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: memberof.la
dn: olcOverlay={1}memberof,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcMemberOfConfig olcOverlay: {1}memberof olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member --------------
The slapd chrashes and "slapcat -n0" is giving e the following error: --------------- root@ldap-proxy01:~/server-setup/proxy# slapcat -n0 olcAttributeTypes: value #741 olcAttributeTypes: Duplicate attributeType: " z*V" config error processing cn={4}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: " z*V" slapcat: bad configuration file! ---------------