Hi,
I want to activate chaining for a single backend.
The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
Can this be achieved?
Marc
On Wed, 30 Dec 2015 11:49:14 +0100, Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
> Hi,
> I want to activate chaining for a single backend.
> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
From slapo-chain(5)
overlay chain
This directive adds the chain overlay to the current backend.
The question is: what is the definition of 'current backend' in this particular case?
-Dieter
Hi,
On 30.12.2015 at 11:49, Marc Patermann wrote:
> I want to activate chaining for a single backend.
> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
> Can this be achieved?
I would like to come back to this.
Here is our example with multiple glued databases and chaining. First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.
Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.
///////////////////////////////////
## full_chain config excerpt (see attachment for full config):
overlay chain
…
database mdb
suffix "ou=humans,o=example,c=org"
subordinate
…
database mdb
suffix "ou=linux,o=example,c=org"
subordinate
chain-uri "ldap://SERVER"
chain-idassert-bind bindmethod="simple"
    binddn="cn=linux,ou=mgr,o=example,c=org"
    credentials=somethingsecret
    mode="self"
chain-return-error TRUE
…
database mdb
suffix "o=example,c=org"
…
Tests with modify:
### modify on DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Proxied Authorization Denied (123)
-> chaining is working (we did not correct the permissions on the master for this DB)
### DB Linux
Working as expected.
///////////////////////////////////
## partial_chain config excerpt (see attachment for full config):
database mdb
suffix "ou=humans,o=example,c=org"
subordinate
…
database mdb
suffix "ou=linux,o=example,c=org"
subordinate
…
overlay chain
chain-uri "ldap://SERVER"
chain-idassert-bind bindmethod="simple"
    binddn="cn=linux,ou=mgr,o=example,c=org"
    credentials=somethingsecret
    mode="self"
chain-return-error TRUE
…
database mdb
suffix "o=example,c=org"
Tests with modify:
### modify DB Humans
ldapmodify -f /tmp/modify_human.ldif -x -D "cn=human,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
modifying entry "employeeNumber=0,ou=humans,o=example,c=org"
ldap_modify: Referral (10)
    referrals:
        ldap://SERVER/employeeNumber=0,ou=humans,ou=humans,o=example,c=org
-> expected behavior
### modify DB Linux
ldapmodify -f /tmp/new_user.ldif -x -D "cn=linux,ou=mgr,o=example,c=org" -W
Enter LDAP Password:
adding new entry "uid=a12345a,ou=accounts,ou=linux,o=example,c=org"
ldap_add: Referral (10)
    referrals:
        ldap://SERVER/uid=a12345a,ou=accounts,ou=linux,o=example,c=org
-> should have been using the chain instead of referral
///////////////////////////////////
Why does the last test not use the chaining? Any hints?
Marc
--On Monday, February 08, 2016 4:50 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
> Hi,
> On 30.12.2015 at 11:49, Marc Patermann wrote:
>> I want to activate chaining for a single backend.
>> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
>> Can this be achieved?
> I would like to come back to this.
> Here is our example with multiple glued databases and chaining. First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.
> Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.
OpenLDAP version?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
On 08.02.2016 at 22:33, Quanah Gibson-Mount wrote:
> --On Monday, February 08, 2016 4:50 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
>> On 30.12.2015 at 11:49, Marc Patermann wrote:
>>> I want to activate chaining for a single backend.
>>> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
>>> Can this be achieved?
>> I would like to come back to this.
>> Here is our example with multiple glued databases and chaining. First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.
>> Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.
> OpenLDAP version?
last tested with 2.4.43
Marc
--On Tuesday, February 09, 2016 9:53 AM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
> On 08.02.2016 at 22:33, Quanah Gibson-Mount wrote:
>> --On Monday, February 08, 2016 4:50 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
>>> On 30.12.2015 at 11:49, Marc Patermann wrote:
>>>> I want to activate chaining for a single backend.
>>>> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
>>>> Can this be achieved?
>>> I would like to come back to this.
>>> Here is our example with multiple glued databases and chaining. First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.
>>> Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.
>> OpenLDAP version?
> last tested with 2.4.43
Ok. On the surface it looks right to me, but I've never used slapo-chain. I hope someone who has more knowledge on it can chime in. :/
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Quanah Gibson-Mount wrote:
> --On Tuesday, February 09, 2016 9:53 AM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
>> On 08.02.2016 at 22:33, Quanah Gibson-Mount wrote:
>>> --On Monday, February 08, 2016 4:50 PM +0100 Marc Patermann hans.moser@ofd-z.niedersachsen.de wrote:
>>>> On 30.12.2015 at 11:49, Marc Patermann wrote:
>>>>> I want to activate chaining for a single backend.
>>>>> The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local.
>>>>> Can this be achieved?
>>>> I would like to come back to this.
>>>> Here is our example with multiple glued databases and chaining. First there is the "full chain" where chain is loaded globally and should work for all database backends. This works.
>>>> Then there is the example where chain is loaded in the linux database backend. This does not chain the request to the master.
>>> OpenLDAP version?
>> last tested with 2.4.43
> Ok. On the surface it looks right to me, but I've never used slapo-chain. I hope someone who has more knowledge on it can chime in. :/
Chaining intercepts referrals and chases them down. The overlay has to be positioned at the same place (or above) wherever the referrals are generated, in order to intercept them. Referrals generated by the updateref directive are produced in the frontend, therefore the only way for the slapo-chain overlay to have a chance to see them is by being configured on the frontend.
Configuring slapo-chain on a specific backend will only affect referral entries stored in that backend.
openldap-technical@openldap.org
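Added example, not part of the thread and not OpenLDAP code: a small slapd.conf check that applies the rule from the last reply, namely that writes hitting updateref are chained only when `overlay chain` sits in the frontend (global) section. The function names, the simplified parser, and the two sample configs (modelled on the thread's excerpts, with the `updateref` lines assumed) are constructed for illustration.

```python
def parse_sections(conf_text):
    """Split slapd.conf text into the frontend (global) part plus one section per database."""
    logical = []
    for raw in conf_text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the previous line
        elif raw.strip():
            logical.append(raw.strip())
    frontend = {"suffix": None, "overlays": [], "updateref": False}
    sections, current = [frontend], frontend
    for line in (l for l in logical if not l.startswith("#")):
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "database":
            if arg.lower() == "frontend":
                current = frontend
            else:
                current = {"suffix": None, "overlays": [], "updateref": False}
                sections.append(current)
        elif key == "suffix":
            current["suffix"] = arg
        elif key == "overlay":
            current["overlays"].append(arg.lower())
        elif key == "updateref":
            current["updateref"] = True
    return sections

def write_handling(conf_text):
    """Map each database that has updateref to what a client write receives."""
    sections = parse_sections(conf_text)
    chained = "chain" in sections[0]["overlays"]  # only a frontend chain sees updateref referrals
    return {s["suffix"]: "chained" if chained else "referral"
            for s in sections[1:] if s["updateref"]}

# Constructed samples modelled on the thread's excerpts; the updateref lines are assumed.
DATABASES = '''
database mdb
suffix "ou=linux,o=example,c=org"
subordinate
updateref ldap://SERVER
{per_db}
database mdb
suffix "o=example,c=org"
updateref ldap://SERVER
'''
CHAIN = 'overlay chain\nchain-uri "ldap://SERVER"\nchain-return-error TRUE\n'
FULL_CHAIN = CHAIN + DATABASES.format(per_db="")
PARTIAL_CHAIN = DATABASES.format(per_db=CHAIN)
```

`write_handling(PARTIAL_CHAIN)` reports "referral" for the linux database even though it carries the overlay, which matches the `ldap_add: Referral (10)` result in the thread.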