Hello.
I'm trying to replicate access rules and limits for one of my databases, but with no success:

suse:~ # cat olcAccess-syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {1}rid=002 provider=ldap://ldap1.local bindmethod=simple binddn="cn=admin,cn=config" credentials="TopSecret" searchbase="olcDatabase={1}mdb,cn=config" attrs="olcAccess,olcLimits" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/ldap.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" tls_reqcert=demand tls_crlcheck=none

suse:~ # ldapmodify -H ldap://ldap2.local -ZZxWD cn=admin,cn=config -f olcAccess-syncrepl.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: Base DN "olcAccess,olcLimits" is not within the database naming context
slapd-2.4.33 if it matters.
Igor Zinovik wrote:
Hello.
I'm trying to replicate access rules and limits for one of my databases, but with no success:

suse:~ # cat olcAccess-syncrepl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {1}rid=002 provider=ldap://ldap1.local bindmethod=simple binddn="cn=admin,cn=config" credentials="TopSecret" searchbase="olcDatabase={1}mdb,cn=config" attrs="olcAccess,olcLimits" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/ldap.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" tls_reqcert=demand tls_crlcheck=none

suse:~ # ldapmodify -H ldap://ldap2.local -ZZxWD cn=admin,cn=config -f olcAccess-syncrepl.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: Base DN "olcAccess,olcLimits" is not within the database naming context
slapd-2.4.33 if it matters.
The error message is a bit garbled (obviously the Base DN is wrong) but the error is basically correct. You're trying to replicate the wrong thing from the wrong place. Setting a syncrepl consumer on the olcDatabase={1}mdb database lets you replicate the *content* of that database. To replicate the *configuration* of that database your consumer must be set where that configuration is stored.
The configuration is stored in olcDatabase={0}config.
I am attempting to set up communication between 2 ldap servers but having issues when trying to limit access. I have dug around the source a bit and found a few commands but am unable to find any documentation anywhere on them.

olcDbAclBind
olcDbACLAuthcDn
olcDBAclPasswd
I've tried multiple options but without some information I am just guessing. Any chance these are documented somewhere and I've just not found it?
Mike W wrote:
I am attempting to set up communication between 2 ldap servers but having issues when trying to limit access. I have dug around the source a bit and found a few commands but am unable to find any documentation anywhere on them.
olcDbAclBind
slapd-ldap(5) acl-bind.
olcDbACLAuthcDn
olcDBAclPasswd
Both of those are obsolete, kept for compatibility with 2.3. Do not use them.
I've tried multiple options but without some information I am just guessing. Any chance these are documented somewhere and I've just not found it?
On 5/17/2013 1:14 PM, Howard Chu wrote:
Mike W wrote:
I am attempting to set up communication between 2 ldap servers but having issues when trying to limit access. I have dug around the source a bit and found a few commands but am unable to find any documentation anywhere on them.
olcDbAclBind
slapd-ldap(5) acl-bind.
Forgive me, but I am new to openldap. That seemed to be for the older slapd.conf style, not the RTC style? Assuming that those commands should be similar I configured and tested but no luck. Perhaps someone can see the problem.
Goal: lab5 talks to lab4, read only, requiring creds.

-------- lab5---------------
dn: olcDatabase={4}ldap
objectClass: olcDatabaseConfig
objectClass: olcLdapConfig
olcDatabase: {4}ldap
olcReadonly: TRUE
olcSuffix: dc=mydomain,dc=foo
olcRootDN: dc=mydomain,dc=foo
olcDbACLBind: bindmethod=simple timeout=5 network-timeout=5 binddn="cn=Manager,dc=mydomain,dc=foo" credentials=secret starttls=no
olcDbURI: "ldap://lab4.host.com:389"
-------------------------

-----lab4----------------
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=mydomain,dc=foo
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=mydomain,dc=foo
olcRootPW: secret
olcAccess: to dn.base="cn=Manager,dc=mydomain,dc=foo" by users read
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap/foo
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbConfig: {70}
olcDbConfig: {71}#set_flags DB_TXN_NOSYNC
olcDbConfig: {72}#set_flags DB_TXN_NOT_DURABLE
olcDbConfig: {73}
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
-------------------------
When I connect to lab4 from lab5 I see this in the log:
conn=1005 op=0 BIND dn="" method=128
Which seems to indicate my dn is not getting across somehow. I suspect it's something in the way I am trying to translate the commands from slapd.conf to this version? Either that or my lack of experience with openldap is completely off base.
Thanks for any input.
2013/5/17 Howard Chu hyc@symas.com
The error message is a bit garbled (obviously the Base DN is wrong) but the error is basically correct. You're trying to replicate the wrong thing from the wrong place. Setting a syncrepl consumer on the olcDatabase={1}mdb database lets you replicate the *content* of that database. To replicate the *configuration* of that database your consumer must be set where that configuration is stored.
The configuration is stored in olcDatabase={0}config.
Thanks Howard, but I still cannot get things working.
Could you explain the following to me (I read the documentation but it is not clear enough for me to understand): does the parameter `searchbase' in the olcSyncrepl configuration statement set the search starting point, or does it just set a database name (which is set in olcSuffix) where the search is performed?

Here is my provider configuration setup:

ldap1:~ # ldapsearch -H ldap://ldap1.local -LLLZZxWD cn=admin,cn=config -b olcOverlay={0}syncprov,olcDatabase={0}config,cn=config '&'
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Here is my consumer configuration:

ldap2:~ # ldapsearch -H ldap://ldap2.local -LLLZZxWD cn=admin,cn=config -b olcDatabase={0}config,cn=config '&' olcSyncrepl
Enter LDAP Password:
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none

A bit off topic: could you guys implement some kind of human-friendly formatting for long line statements and ACLs? So the previous statement would look like this when I fetch it from the catalog:

olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple binddn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=config" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retry="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/ldap.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" tls_reqcert=demand tls_crlcheck=none
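An added example, not from the thread or from OpenLDAP itself: it unfolds the folded LDIF that ldapsearch prints for the consumer's olcSyncrepl value (the "cn=con / fig" and "t / ls_reqcert" breaks are RFC 2849 line folding, not corruption), splits the value into its parameters, prints it one parameter per line with the bind password redacted, and applies the check from the reply above: a consumer whose searchbase is under cn=config belongs on olcDatabase={0}config. The sample LDIF is constructed to mirror the output quoted in the thread; the function names and the quoting heuristic in format_syncrepl are my own.

```python
import re

# Constructed sample mirroring the consumer output quoted in the thread. Per
# RFC 2849 a line beginning with one space continues the previous line, which
# is why "cn=config" reads as "cn=con" / " fig" when the fold is taken literally.
FOLDED_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcSyncrepl: {0}rid=001 provider=ldap://ldap1.local bindmethod=simple bind
 dn="cn=admin,cn=config" credentials="TopSecret" searchbase="cn=con
 fig" scope=sub filter="(olcDatabase={1}mdb)" attrs="olcAccess,olcLimits" retr
 y="60 +" timeout=3 network-timeout=0 starttls=yes tls_cert="/etc/openldap/lda
 p.pem" tls_key="/etc/openldap/ldap.key" tls_cacert="/etc/ssl/local-ca.pem" t
 ls_reqcert=demand tls_crlcheck=none
"""

def unfold_ldif(text):
    """Join continuation lines; return a list of (attribute, value) pairs."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # drop the fold marker, insert no space
        elif line.strip():
            logical.append(line)
    return [tuple(ln.split(": ", 1)) for ln in logical]

# key=value, or key="value with spaces" such as retry="60 +".
_PARAM = re.compile(r'(\w[\w-]*)=(?:"([^"]*)"|(\S+))')

def parse_syncrepl(value):
    """Return (ordering index, {parameter: value}) for one olcSyncrepl value."""
    m = re.match(r'\{(\d+)\}\s*(.*)', value, re.S)
    index, rest = (int(m.group(1)), m.group(2)) if m else (None, value)
    return index, {k: q or b for k, q, b in _PARAM.findall(rest)}

def format_syncrepl(attr, value):
    """One parameter per line (the readable form asked for), password redacted."""
    index, params = parse_syncrepl(value)
    out = [f"{attr}: {{{index}}}" if index is not None else f"{attr}:"]
    for k, v in params.items():
        if k == "credentials":
            v = "<redacted>"             # cn=config stores the bind password in clear
        out.append(f"    {k}={v}" if re.fullmatch(r"[\w./:+-]+", v) else f'    {k}="{v}"')
    return "\n".join(out)

def check_config_consumer(entry_dn, params):
    """Howard's point: a consumer that pulls cn=config must live on the config DB."""
    problems = []
    if params.get("searchbase", "").lower().endswith("cn=config") and \
            not entry_dn.lower().startswith("olcdatabase={0}config,"):
        problems.append("syncrepl for cn=config placed on a non-config database")
    if params.get("starttls") != "yes" or params.get("tls_reqcert") != "demand":
        problems.append("consumer binds to the provider without verified TLS")
    return problems
```

Running check_config_consumer with the first post's entry DN (olcDatabase={1}mdb,cn=config) reports the misplacement, while the consumer on olcDatabase={0}config passes.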
openldap-technical@openldap.org