Hi,

I want to establish communication between two LDAP servers on different machines.
For this I have used the "ref" attribute of LDAP; by using this attribute I am able to retrieve
entries of the second LDAP server. That means I can read or search entries of the second server from
the first LDAP server.

But the problem comes when I want to modify any attribute of an entry of the second server
from the first server.

Definitely I am having some access-permission-related error.

Here I am attaching the slapd.conf files of both LDAP servers.

First Server slapd.conf:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/gfsUserManage.schema
include         /usr/local/etc/openldap/schema/gfsFileMetaData.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample access control policy:
#       Root DSE: allow anyone to write it
#       Subschema (sub)entry DSE: allow anyone to write it
#Other DSEs:
allow update_anon
#               Allow * write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:

access to * by * write

#######################################################################
# BDB database definitions
#######################################################################

database        bdb

suffix          "dc=cdac,dc=in"

rootdn          "cn=Manager,dc=cdac,dc=in"

rootpw          secret

index   objectClass     eq

access to * by * write

--------------------------------------------------------------------------------------------------------------------------------

Second server's slapd.conf:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/gfsUserManage.schema
include         /usr/local/etc/openldap/schema/gfsFileMetaData.schema

# Define global ACLs to disable default read access.


# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.


pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args


#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=cdac,dc=in"

rootdn          "cn=Manager,dc=cdac,dc=in"

rootpw          secret

directory       /usr/local/var/gfsMetaData

index   objectClass     eq

access to * by * write
-----------------------------------------------------------------------------------------------------------------------------

FIRST LDAP SERVER DN:

fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in

where test_ref has the ref attribute:

dn: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
objectClass: referral
objectClass: extensibleObject
fn: test_ref
ref: ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in


NOW the SECOND LDAP SERVER has the DN:

dn: fn=test1,fn=test_ref,dc=cdac,dc=in


Now I want to delete the entry "fn=test1,fn=test_ref,dc=cdac,dc=in".
I have used the LDAP command-line tool "ldapdelete" and executed this tool on the first LDAP machine.

Then the result of the command is:

[root@tapti LDIF]# ldapdelete -x -h "tapti" -D "cn=Manager,dc=cdac,dc=in" \"fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" -w "secret"
ldap_delete: Referral (10)
        matched DN: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
        referrals:
                ldap://192.168.5.243/fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in

And the slapd debug statements:

do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>
<<< dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>, <cn=manager,dc=cdac,dc=in>
do_bind: version=3 dn="cn=Manager,dc=cdac,dc=in" method=128
do_bind: v3 bind: "cn=Manager,dc=cdac,dc=in" to "cn=Manager,dc=cdac,dc=in"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
do_delete
ber_scanf fmt (m) ber:
>>> dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
<<< dnPrettyNormal: <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>, <fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
bdb_dn2entry("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
=> bdb_dn2id("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
bdb_referrals: op=74 target="fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" matched="fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=107 err=10
ber_flush: 160 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=2 sd=11 for close
connection_resched: attempting closing conn=2 sd=11
connection_close: conn=2 sd=11

-----------------------------------------------------------------------------------------------------------------------------------------

Please do me a favour and suggest any solution, as soon as possible, through which I can update slave LDAP server entries from the master LDAP server.




--
Rakesh Yadav
Pune.
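Added example (not part of the original post, and not OpenLDAP's own code): the "Referral (10)" result above is not an ACL error on the first server. slapd found no entry for the target DN, hit the referral object at the matched DN, and handed back the ref URL; the client is now expected to open a new connection to 192.168.5.243, bind with credentials that are valid there, and retry the delete, because the rootdn bind on the first server does not carry over. The code below applies the RFC 3296 rewrite rule (replace the matched portion of the target DN with the DN in the ref URL) to the values from the post and builds the ldapdelete command for the second server. Using -W (password prompt) instead of -w on the command line is an assumption of the example, so the password does not appear in the process list.

```python
"""Work out where to retry an operation after an LDAP referral result (10)."""
from urllib.parse import urlsplit, unquote


def split_rdns(dn):
    """Split a DN string into RDN strings, honouring backslash-escaped commas."""
    if not dn:
        return []
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def rewrite_referral(target_dn, matched_dn, ref_url):
    """Return (host, dn) to retry against on the referred server (RFC 3296 4.3).

    The RDNs of target_dn that lie below matched_dn are kept; the matched
    suffix is replaced by the DN carried in the ref URL.  If the URL has no
    DN part, the target DN is reused unchanged.
    """
    target, matched = split_rdns(target_dn), split_rdns(matched_dn)
    # Attribute types in DNs are case-insensitive, so compare lower-cased.
    if matched and [r.lower() for r in target[-len(matched):]] != [r.lower() for r in matched]:
        raise ValueError("matched DN is not a suffix of the target DN")
    remaining = target[:len(target) - len(matched)]
    url = urlsplit(ref_url)
    ref_dn = unquote(url.path.lstrip("/"))
    new_dn = ",".join(remaining + split_rdns(ref_dn)) if ref_dn else target_dn
    return url.netloc, new_dn


def chase_delete_command(target_dn, matched_dn, ref_url, bind_dn):
    """Build the ldapdelete argv to run against the referred server (assumed tool usage)."""
    host, dn = rewrite_referral(target_dn, matched_dn, ref_url)
    return ["ldapdelete", "-x", "-H", "ldap://" + host, "-D", bind_dn, "-W", dn]


if __name__ == "__main__":
    # Values taken from the post: the target, the matched DN and the ref URL.
    print(chase_delete_command(
        "fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in",
        "fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in",
        "ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in",
        "cn=Manager,dc=cdac,dc=in"))
```

The rewritten DN is exactly the entry the post says exists on the second server, fn=test1,fn=test_ref,dc=cdac,dc=in; whatever the second server's own ACLs allow for the DN you bind as there decides whether the delete succeeds.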