Hi,
I have sent out a relevant email about this issue before but the context was a little bit complicated. So I simplified the settings and post this issue again, hoping to get more attentions from this mailing list.
I am trying to set up a testing environment in which there are two openldap servers and have one server (externalldap) refer to the second server (internalldap) for some users in a subtree (sub.example.com). Both servers contains some POSIX users. However, I could not get the authentication for the users in the referral branch to work.
For example, this command fails.
ldapwhoami -d -1 -x -H ldap://externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password
The log of the externalldap shows as follows:
50e6279d bdb_dn2entry("uid=mark,ou=people,dc=sub,dc=example,dc=com") 50e6279d => bdb_dn2id("dc=example,dc=com") 50e6279d <= bdb_dn2id: got id=0x1 50e6279d => bdb_dn2id("dc=sub,dc=example,dc=com") 50e6279d <= bdb_dn2id: got id=0x6 50e6279d => bdb_dn2id("ou=people,dc=sub,dc=example,dc=com") 50e6279d <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
I am wondering why the externalldap did not just send the client the uri of the referral ldap box and have the client connect directly to the internalldap instead.
Similarly error also happened when I use ldapsearch command
ldapsearch -d -1 -x -H ldap:// externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password -CC
The referral record is defined as follows and added into the external ldap using ldapadd command.
dn: dc=sub,dc=example,dc=com objectClass: referral objectClass: extensibleObject dc: sub ref: ldap://10.42.13.212/dc=sub,dc=example,dc=com
The slapd.conf of both the external and the internal ldap are defined as follows:
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args
####################################################################### # BDB database definitions #######################################################################
database bdb suffix "dc=example;dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw password directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq TLSCACertificateFile /etc/pki/tls/certs/example_cert.pem TLSCertificateFile /etc/pki/tls/certs/example_cert.pem TLSCertificateKeyFile /etc/pki/tls/certs/example_key.pem # configure the SASL parameters sasl-host localhost sasl-secprops none
For the client, I am just using the default settings. I believe referral chasing is enabled by default in the ldap client library.
I have spent more than two weeks on this problem and the project is delayed quite a lot. Referral in LDAP has been in RFC for more than five years. I can not believe that OpenLDAP's implementation of referral can't handle authentication. Can anyone kindly let me know what is missing from my setup?
Regards,
James
openldap-technical@openldap.org