Hi,
I want to establish communication between two LDAP servers on different machines. For this I have used the "ref" attribute of LDAP; by using this attribute, I am able to retrieve entries from the second LDAP server. That means I can read or search entries of the second server from the first LDAP server.
But the problem comes when I want to modify any attribute of an entry of the second server from the first server.
Definitely I am having some access-permissions related error.
Here I am attaching the slapd.conf files of both LDAP servers.
First server's slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/gfsUserManage.schema
include /usr/local/etc/openldap/schema/gfsFileMetaData.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample access control policy:
# Root DSE: allow anyone to write it
# Subschema (sub)entry DSE: allow anyone to write it
# Other DSEs: allow update_anon
# Allow * write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to * by * write

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
rootpw secret
index objectClass eq
access to * by * write

--------------------------------------------------------------------------------
Second server's slapd.conf:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/gfsUserManage.schema
include /usr/local/etc/openldap/schema/gfsFileMetaData.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
rootpw secret
directory /usr/local/var/gfsMetaData
index objectClass eq
access to * by * write

--------------------------------------------------------------------------------
FIRST LDAP SERVER DN:
fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
where test_ref is the entry that has the ref attribute:

dn: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
objectClass: referral
objectClass: extensibleObject
fn: test_ref
ref: ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in
NOW THE SECOND LDAP SERVER has the DN:
dn: fn=test1,fn=test_ref,dc=cdac,dc=in
Now I want to delete this entry, "fn=test1,fn=test_ref,dc=cdac,dc=in". I have used the LDAP command line tool "ldapdelete" and executed this tool on the first LDAP machine.
Then the result of the command is:

[root@tapti LDIF]# ldapdelete -x -h "tapti" -D "cn=Manager,dc=cdac,dc=in" "fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" -w "secret"
ldap_delete: Referral (10)
        matched DN: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
        referrals:
                ldap://192.168.5.243/fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
And slapd debug statements:

do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>
<<< dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>, <cn=manager,dc=cdac,dc=in>
do_bind: version=3 dn="cn=Manager,dc=cdac,dc=in" method=128
do_bind: v3 bind: "cn=Manager,dc=cdac,dc=in" to "cn=Manager,dc=cdac,dc=in"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
do_delete
ber_scanf fmt (m) ber:
>>> dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
<<< dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>, <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
bdb_dn2entry("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
=> bdb_dn2id("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=74 target="fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" matched="fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=107 err=10
ber_flush: 160 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=2 sd=11 for close
connection_resched: attempting closing conn=2 sd=11
connection_close: conn=2 sd=11

--------------------------------------------------------------------------------
Please do me a favour and suggest any solution as soon as possible through which I can update the slave LDAP server's entries from the master LDAP server.
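The post ends with the client receiving result code 10 (referral) and a URL naming the second server. What a client has to do with that result is the part the post does not show, so here is an added example, not code from the post or from OpenLDAP: a small Python script that parses the ldapdelete output quoted above, applies the named-referral rule of RFC 3296 to the post's own values (the target DN, the matched DN and the ref value ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in) to work out which name to use on the second server, and flags that the referral points at a different host than the one the client bound to. The function names and the embedded output string are mine; the DNs, host and URL are copied from the post.

```python
"""Work out how an LDAP client should progress a delete that came back with
result code 10 (referral) from a named-referral object.  Added example, not
code from the post or from OpenLDAP; DNs, host and URL are taken from the
post, the function names are my own."""
from urllib.parse import urlsplit, unquote

# Constructed sample: the ldapdelete output quoted in the post, with the
# stray space after "ldap://" removed so the URL parses.
LDAPDELETE_OUTPUT = """\
ldap_delete: Referral (10)
        matched DN: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
        referrals:
                ldap://192.168.5.243/fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
"""
TARGET_DN = "fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
REF_ATTRIBUTE = "ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in"  # ref: value of the referral object
ORIGINAL_HOST = "tapti"                                            # -h argument of the ldapdelete call


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas.
    (Multi-valued RDNs and quoted values are not handled; enough for the DNs here.)"""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def norm(rdns):
    """Comparison form: attribute types are case-insensitive, and the dc/fn
    values in this post are too.  Not a full RFC 4518 normalisation."""
    return [r.lower() for r in rdns]


def parse_referral_result(text):
    """Pull the matched DN and the referral URL(s) out of ldapdelete's output."""
    matched, urls = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("matched dn:"):
            matched = line.split(":", 1)[1].strip()
        elif line.startswith(("ldap://", "ldaps://")):
            urls.append(line)
    return matched, urls


def url_host_and_dn(url):
    """Host and percent-decoded DN part of an LDAP URL; DN is None if absent."""
    parts = urlsplit(url)
    dn = unquote(parts.path.lstrip("/"))
    return parts.hostname, (dn or None)


def rewrite_target(target_dn, matched_dn, ref_url):
    """Named-referral rule (RFC 3296): the part of the target that matched the
    referral object's DN is replaced by the DN carried in the ref URL, giving
    the name to use on the referred-to server.  Returns (host, new_dn)."""
    target, matched = split_dn(target_dn), split_dn(matched_dn)
    if norm(target[-len(matched):]) != norm(matched):
        raise ValueError("matched DN is not a suffix of the target DN")
    host, ref_dn = url_host_and_dn(ref_url)
    if ref_dn is None:              # no DN in the URL: keep the original name
        return host, target_dn
    return host, ",".join(target[:-len(matched)] + split_dn(ref_dn))


def referral_leaves_host(original_host, ref_url):
    """True when chasing the referral would open a connection to a different
    host.  A client should decide deliberately whether to bind there with the
    same credentials instead of re-sending them automatically."""
    host, _ = url_host_and_dn(ref_url)
    return host.lower() != original_host.lower()


if __name__ == "__main__":
    matched, urls = parse_referral_result(LDAPDELETE_OUTPUT)
    print("server matched:", matched)
    print("server returned:", urls[0])
    host, dn = rewrite_target(TARGET_DN, matched, REF_ATTRIBUTE)
    print("per RFC 3296 the entry to delete on", host, "is", dn)
    print("referral leaves host %s: %s"
          % (ORIGINAL_HOST, referral_leaves_host(ORIGINAL_HOST, urls[0])))
```

Run as-is, the rewrite yields fn=test1,fn=test_ref,dc=cdac,dc=in on 192.168.5.243, which is exactly the DN the post says exists on the second server, whereas the URL the first server actually returned still carries the full first-server name. Two practical points follow for whoever chases the referral, whether by hand or with the OpenLDAP tools' -C option: the operation is re-issued on a new connection to the host in the URL, so it is that server's bind handling and ACLs that decide whether the write is allowed, and the posted configs grant "access to * by * write" on both servers, which lets any bind, anonymous included, modify or delete entries; narrowing that ACL to the DN that actually needs to write is the first thing to fix once the referral itself works.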