> mailing lists wrote:
> > I am testing the chain overlay from a read-only slave (consumer) slapd server
> > to a read-write master (provider), but what I am seeing is an anonymous bind
> > from the consumer to the provider instead of the authorization identity
> > configured in the chain directive.
>
> Have you successfully run test032 in the test suite? Have you compared your
> config to the config used in that test?
Yes, I ran test032, but I am struggling to understand it. It is different from the example shown in the admin guide.
This is what I get running the test:
root@localhost:/tmp/openldap-2.4.44/tests # ./run -b mdb test032-chain
Cleaning up test run directory leftover from previous run.
Running ./scripts/test032-chain for mdb...
running defines.sh
Running slapadd to build slapd database...
Starting first slapd on TCP/IP port 9011...
Starting second slapd on TCP/IP port 9012...
Using ldapsearch to check that first slapd is running...
Using ldapsearch to check that second slapd is running...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9011...
Comparing "ou=Other,dc=example,dc=com" on port 9011 with manageDSAit control...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9012...
Comparing "ou=Other,dc=example,dc=com" on port 9012 with manageDSAit control...
Writing to first server with scope on second server...
Writing to second server with scope on first server...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Using ldappasswd on second server with scope on first server...
Binding with newly changed password on first server...
dn:cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
Reading the referral entry "ou=Can't Contact,dc=example,dc=com" as anonymous on port 9011...
>>>>> Test succeeded
the configuration files generated were:
root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile /tmp/openldap-2.4.44/tests/testrun/slapd.1.pid
argsfile /tmp/openldap-2.4.44/tests/testrun/slapd.1.args
modulepath ../servers/slapd/back-mdb/
moduleload back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
overlay chain
chain-uri ldap://localhost:9012/
chain-idassert-bind bindmethod=simple
binddn="cn=Manager,dc=example,dc=com"
credentials=secret
mode=self
flags=non-prescriptive
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /tmp/openldap-2.4.44/tests/testrun/db.1.a
index objectClass eq
index cn,sn,uid pres,eq,sub
database monitor
and:
root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile /tmp/openldap-2.4.44/tests/testrun/slapd.2.pid
argsfile /tmp/openldap-2.4.44/tests/testrun/slapd.2.args
modulepath ../servers/slapd/back-mdb/
moduleload back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /tmp/openldap-2.4.44/tests/testrun/db.2.a
index objectClass eq
index cn,sn,uid pres,eq,sub
overlay chain
chain-uri ldap://localhost:9011/
chain-idassert-bind bindmethod=simple
binddn="cn=Manager,dc=example,dc=com"
credentials=secret
mode=self
flags=non-prescriptive
database monitor
Now, updating the "drink" attribute on slapd 2 (port 9012) shows the update on both servers:
root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf -h ldap://0.0.0.0:9012/ -d stats -d stats2 -d sync
59089363 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089363 slapd starting
59089392 conn=1000 fd=10 ACCEPT from IP=127.0.0.1:41182 (IP=0.0.0.0:9012)
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=2 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=3 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=3 SRCH attr=* +
59089392 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=4 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=4 SRCH attr=* +
59089392 conn=1000 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf -h ldap://0.0.0.0:9011/ -d stats -d stats2 -d sync
59089369 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089369 slapd starting
59089392 conn=1000 fd=10 ACCEPT from IP=10.20.30.112:40118 (IP=0.0.0.0:9011)
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=1 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=2 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=3 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089392 conn=1000 op=3 MOD attr=drink
59089392 slap_queue_csn: queueing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 op=3 RESULT tag=103 err=0 text=
59089392 slap_graduate_commit_csn: removing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 fd=10 closed (connection lost)
But how is it possible for both servers to be updated without syncrepl being configured (as the example in the admin guide does)?