Hi,
I want to establish communication between two LDAP servers on different machines.
For this I have used the "ref" attribute of LDAP. By using this attribute I am able to retrieve
entries of the second LDAP server, meaning I can read or search entries of the second server from
the first LDAP server.
But the problem comes when I want to modify any attribute of an entry of the second server
from the first server.
Definitely I am having some access-permission-related error.
Here I am attaching the slapd.conf files of both LDAP servers.
First Server slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/gfsUserManage.schema
include /usr/local/etc/openldap/schema/gfsFileMetaData.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample access control policy:
# Root DSE: allow anyone to write it
# Subschema (sub)entry DSE: allow anyone to write it
#Other DSEs:
allow update_anon
# Allow * write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to * by * write
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
rootpw secret
index objectClass eq
access to * by * write
--------------------------------------------------------------------------------------------------------------------------------
Second server's slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/gfsUserManage.schema
include /usr/local/etc/openldap/schema/gfsFileMetaData.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
rootpw secret
directory /usr/local/var/gfsMetaData
index objectClass eq
access to * by * write
-----------------------------------------------------------------------------------------------------------------------------
FIRST LDAP SERVER DN:
fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
where test_ref has the ref attribute:
dn: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
objectClass: referral
objectClass: extensibleObject
fn: test_ref
ref: ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in
NOW THE SECOND LDAP SERVER has the DN:
dn: fn=test1,fn=test_ref,dc=cdac,dc=in
Now I want to delete the entry "fn=test1,fn=test_ref,dc=cdac,dc=in".
I have used the LDAP command-line tool "ldapdelete" and executed this tool on the first LDAP machine.
Then the result of the command is:
[root@tapti LDIF]# ldapdelete -x -h "tapti" -D "cn=Manager,dc=cdac,dc=in" "fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" -w "secret"
ldap_delete: Referral (10)
matched DN: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
referrals:
ldap://192.168.5.243/fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
And the slapd debug statements:
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>
<<< dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>, <cn=manager,dc=cdac,dc=in>
do_bind: version=3 dn="cn=Manager,dc=cdac,dc=in" method=128
do_bind: v3 bind: "cn=Manager,dc=cdac,dc=in" to "cn=Manager,dc=cdac,dc=in"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
do_delete
ber_scanf fmt (m) ber:
>>> dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
<<< dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>, <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
bdb_dn2entry("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
=> bdb_dn2id("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=74 target="fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" matched="fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=107 err=10
ber_flush: 160 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=2 sd=11 for close
connection_resched: attempting closing conn=2 sd=11
connection_close: conn=2 sd=11
-----------------------------------------------------------------------------------------------------------------------------------------
Please do me a favour and suggest any solution as soon as possible through which I can update slave LDAP server entries from the master LDAP server.
--
Rakesh Yadav
Pune.
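
Editor's added example, not code from the post above or from the OpenLDAP project. Both posted slapd.conf files carry "access to * by * write" and the first one also "allow update_anon" and a cleartext "rootpw secret"; the script below audits slapd.conf(5) directives for exactly those settings and puts an assumed hardened database section next to them. The POSTED_* fragments are copied from the post; HARDENED_DB and the cn=admin DN in it are assumptions to be adapted to the real DIT. Note that these ACLs play no part in the referral result shown in the debug output: slapd answered err=10 from bdb_referrals directly after the dn2id lookup failed, before any ACL was evaluated, and the rootdn is not subject to ACLs in any case.

```python
"""Audit slapd.conf(5) access directives for anonymous/any-user write.

Added example (editor's, not from the post or OpenLDAP). POSTED_* are the
ACL-relevant lines copied from the post; HARDENED_DB is an assumed
replacement and its cn=admin DN is hypothetical.
"""
import re

# slapd.access(5) levels, weakest to strongest.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
WRITE = ACCESS_LEVELS.index("write")

# Constructed from the post: global section of the first server, then the
# database section both servers share (the second one adds a 'directory').
POSTED_GLOBAL = """\
allow update_anon
access to * by * write
"""

POSTED_DB = """\
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
rootpw secret
index objectClass eq
access to * by * write
"""

# Assumed hardened replacement. The rootdn bypasses ACLs, so it needs no
# 'by' clause; cn=admin is a hypothetical delegated writer. rootpw is left
# out here: set it to a hash produced by slappasswd(8), never cleartext.
HARDENED_DB = """\
database bdb
suffix "dc=cdac,dc=in"
rootdn "cn=Manager,dc=cdac,dc=in"
index objectClass eq
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=admin,dc=cdac,dc=in" write
    by users read
    by * none
"""


def join_continuations(text):
    """Split into directives; a line starting with whitespace continues the previous one."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives


def level_rank(token):
    """Rank an <access> token; '=wrscx'/'+w' privilege forms count as write if they grant w."""
    tok = token.lower()
    if tok in ACCESS_LEVELS:
        return ACCESS_LEVELS.index(tok)
    if tok[:1] in "=+" and "w" in tok:
        return WRITE
    return -1  # unrecognised token: never flagged


def parse_access(directive):
    """'access to <what> by <who> <access> [by ...]' -> (what, [(who, access), ...])."""
    m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", directive, re.IGNORECASE)
    if not m:
        return None
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(2)):
        parts = clause.split()
        if len(parts) >= 2:
            clauses.append((parts[0], parts[1]))
    return m.group(1), clauses


def audit(conf_text):
    """Return [(finding, directive), ...] for the weak settings this audit recognises."""
    findings = []
    for d in join_continuations(conf_text):
        low = d.lower()
        if low.startswith("allow") and "update_anon" in low.split():
            findings.append(("allow update_anon", d))
        elif low.startswith("rootpw") and not re.match(r"rootpw\s+\{", low):
            findings.append(("cleartext rootpw", d))
        elif low.startswith("access"):
            parsed = parse_access(d)
            if parsed is None:
                continue
            what, clauses = parsed
            for who, acc in clauses:
                if level_rank(acc) < WRITE:
                    continue
                if who.lower() in ("*", "anonymous"):
                    findings.append(("anonymous write", f"to {what} by {who} {acc}"))
                elif who.lower() == "users" and what == "*":
                    findings.append(("any-user write to everything", f"to {what} by {who} {acc}"))
    return findings


if __name__ == "__main__":
    for kind, where in audit(POSTED_GLOBAL + POSTED_DB):
        print(f"posted  : {kind:<28} {where}")
    print("hardened:", audit(HARDENED_DB) or "no findings")
```

Run it as a script to see the four findings against the posted fragments and none against the hardened section. The "by self write / by anonymous auth" pair on userPassword is what lets users bind and change their own password without exposing the hashes; everything else falls through to "by users read / by * none".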