Bram Cymet bcymet@cbnco.com writes:
On 09/22/2010 07:27 AM, masarati@aero.polimi.it wrote:
Please try this patch ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch, posted some time ago in partial response to ITS#6540 and report. Thanks, p.
I will give the patch a try.
What is the patch doing? I am guessing it will fix the illegal configuration problem.
It comments some braindead checks that I don't even remember what were there for, that prevent reloading a valid configuration from cn=config. Consider that back-config support in back-ldap was added during the development of back-config itself, so some odd configuration cases that worked at that time might no longer be valid now.
Should I use the configuration I gave above or should it be modified?
The configuration should be fine; even the contents of the configuration database (back-config) should be valid. After applying the patch, slapd should restart fine, loading slapo-chain(5) as it is configured now.
p.
Hi,
I have applied the patch and now after adding my config I am able to restart slapd. The only problem now is that the chaining has stopped working. I am not sure why it worked before and not now. Will that patch be applied to future versions of OpenLDAP?
At this point I am trying to figure out the best way to take a config like:
overlay chain
chain-rebind-as-user FALSE

chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
    binddn="cn=Auth,dc=example,dc=com"
    credentials="secret"
    mode="self"

chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
    binddn="cn=Auth,dc=example,dc=com"
    credentials="secret"
    mode="none"
and properly add it to the cn=config directory.
In this particular case, overlay chain should be a global configuration, not a database specific configuration. This is a working example:
<global configuration>
...
overlay chain
chain-uri ldap://some.host
chain-idassert-bind bindmethod=simple
    binddn="cn=replicator,o=avci,c=de"
    credentials="secret"
    mode=self
    flags=non-prescriptive
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start tls_cacert="/etc/openldap/certs/avciCA.pem" tls_reqcert=demand

database config
rootdn cn=config
syncrepl rid=042
...

database hdb
suffix o=avci,c=de
...
syncrepl rid=099
...
-Dieter
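The slapd.conf chain configuration posted earlier in the thread, expressed as cn=config LDIF for the global (frontend) database, as an added example that is not part of the thread or of the OpenLDAP project's own documentation. It assumes the olcChainConfig / olcChainDatabase attribute names from slapo-chain(5) and slapd-ldap(5), and reuses the host names, bind DN and credentials from the posted configuration as placeholders.

```ldif
# Added example: the two-URI chain configuration from the thread as cn=config LDIF.
# Load with root access on the config database, e.g.:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif
# The overlay entry sits under the frontend database, which makes it global,
# as Dieter recommends, rather than tied to one back-end database.

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
# chain-return-error TRUE: surface the remote server's error instead of the
# original referral, so clients (and logs) see why a chained write failed.
olcChainReturnError: TRUE

# One olcDatabase=ldap child per chain-uri. This is "chain-uri ldap1" with
# chain-rebind-as-user TRUE and idassert mode=self.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://ldap1.example.com"
olcDbRebindAsUser: TRUE
# credentials are stored in clear text in cn=config; restrict read access to
# the config database to the rootdn (placeholder values from the thread).
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials=secret mode=self

# Second target: "chain-uri ldap2" with idassert mode=none.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://ldap2.example.com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials=secret mode=none
```

After loading, `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config` shows the overlay entry with its two ldap children, which is the state the patched slapd must be able to reload at restart.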