Hi folks,
While testing the current Debian squeeze version of OpenLDAP, v2.4.23-6, in a provider/consumer syncprov/syncrepl (refreshAndPersist) configuration, using a patch(1) written by Pierangelo, I have not been able to get chaining to work.
The consumer, ldaps2, was configured with a referral(2) to the provider, ldaps1, as well as a chaining configuration(3). A couple of authzTo rules(4) were added to its entry in the DIT, which immediately replicated to the consumer, and the provider was configured with an olcAuthzPolicy directive for "to"(5). So far, so good.
However, when using ldapmodify on the consumer to test that an entry in the DIT could actually be modified (the description attr of the consumer's entry) from there as a result, I got this response:
------------------------------------------------------------
modifying entry "cn=ldaps2,dc=example,dc=com"
ldap_modify: Referral (10)
        referrals:
                ldap://ldaps.example.com/cn=ldaps2,dc=example,dc=com
------------------------------------------------------------
I know ldapmodify doesn't understand referrals; this is where chaining should have worked instead. So, I removed the referral from the consumer's configuration to see what would then happen with the same command:
------------------------------------------------------------
modifying entry "cn=ldaps2,dc=example,dc=com"
ldap_modify: Server is unwilling to perform (53)
        additional info: shadow context; no update referral
------------------------------------------------------------
(shadow context?). In both cases, this shows up in the syslog as a result:
------------------------------------------------------------
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 ACCEPT from IP=127.0.1.1:43982 (IP=0.0.0.0:389)
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 RESULT tag=97 err=0 text=
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD dn="cn=ldaps2,dc=example,dc=com"
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD attr=description
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=2 UNBIND
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 closed
------------------------------------------------------------
Have I made a mistake somewhere, or could this be another bug?
Thanks,
Jaap
1) ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch
2) LDIF applied to ldaps2 (the consumer) to create the referral to ldaps1 (the provider) via an alias (ldaps):
---------------------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcUpdateref
olcUpdateref: ldap://ldaps.example.com
---------------------------------
3) LDIF applied to ldaps2 to create the chaining configuration:
---------------------------------
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_ldap

dn: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://ldaps.example.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=ldaps2,dc=example,dc=com" credentials=bilineatus mode=self
---------------------------------
4) LDIF to create a couple of authzTo rules for the consumer:
---------------------------------
dn: cn=ldaps2,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: {0}dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
authzTo: {1}dn.exact:cn=admin,dc=example,dc=com
---------------------------------
5) LDIF to add an olcAuthzPolicy directive to the provider, ldaps1:
---------------------------------
dn: cn=config
changetype: modify
add: olcAuthzPolicy
olcAuthzPolicy: to
---------------------------------
Jaap Winius wrote:
> Hi folks,
>
> While testing the current Debian squeeze version of OpenLDAP, v2.4.23-6, in a provider/consumer syncprov/syncrepl (refreshAndPersist) configuration, using a patch(1) written by Pierangelo, I have not been able to get chaining to work.
>
> The consumer, ldaps2, was configured with a referral(2) to the provider, ldaps1, as well as a chaining configuration(3). A couple of authzTo rules(4) were added to its entry in the DIT, which immediately replicated to the consumer, and the provider was configured with an olcAuthzPolicy directive for "to"(5). So far, so good.
>
> However, when using ldapmodify on the consumer to test that an entry in the DIT could actually be modified (the description attr of the consumer's entry) from there as a result, I got this response:
>
> modifying entry "cn=ldaps2,dc=example,dc=com"
> ldap_modify: Referral (10)
>         referrals:
>                 ldap://ldaps.example.com/cn=ldaps2,dc=example,dc=com
>
> I know ldapmodify doesn't understand referrals; this is where chaining should have worked instead. So, I removed the referral from the consumer's configuration to see what would then happen with the same command:
>
> modifying entry "cn=ldaps2,dc=example,dc=com"
> ldap_modify: Server is unwilling to perform (53)
>         additional info: shadow context; no update referral
>
> (shadow context?). In both cases, this shows up in the syslog as a result:
>
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 ACCEPT from IP=127.0.1.1:43982 (IP=0.0.0.0:389)
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 RESULT tag=97 err=0 text=
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD dn="cn=ldaps2,dc=example,dc=com"
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD attr=description
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=2 UNBIND
> Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 closed
>
> Have I made a mistake somewhere, or could this be another bug?
The chain overlay needs to be configured on the frontendDB in order to catch these update referrals.
Quoting Howard Chu hyc@symas.com:
> The chain overlay needs to be configured on the frontendDB in order to catch these update referrals.
Excellent. Thanks to your advice together with Pierangelo's patch of 29 April 2010 (which I hope will soon be committed), my test configuration is now behaving as it should.
Thanks!
Jaap
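As an added example (not from this thread, and not Jaap's final configuration), here is the chaining configuration from footnote 3 attached to the frontend database instead of olcDatabase={1}hdb, which is the placement Howard's reply calls for. The DNs follow the standard cn=config layout for the frontend database; the credential value is a placeholder.

```ldif
# Added illustration: chain overlay on the frontend database, so the update
# referral emitted by the shadow (consumer) hdb database is caught and chased.
# Assumes back_ldap is already loaded (olcModuleLoad step in footnote 3).
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://ldaps.example.com
olcDbRebindAsUser: TRUE
# The password in olcDbIDAssertBind is stored in clear in cn=config, so keep
# cn=config readable only by its rootdn; CHANGEME is a placeholder.
olcDbIDAssertBind: bindmethod=simple binddn="cn=ldaps2,dc=example,dc=com" credentials=CHANGEME mode=self
```

The olcUpdateref from footnote 2 stays on the hdb database: as the thread shows, without it the consumer answers "shadow context; no update referral" and there is no referral for the overlay to catch.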
openldap-technical@openldap.org