Hello,
I am trying to configure a proxy server with back_meta connecting to two different AD domains. I get the expected result when I do an ldapsearch. But now I want to add caching for the data, so I configured the following:
----------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/symas/run/slapd.args
olcLogLevel: any
olcPidFile: /var/symas/run/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: {0}back_ldap
olcModuleLoad: {1}back_meta
olcModuleLoad: {2}argon2
olcModuleLoad: {3}rwm.la
olcModuleLoad: {4}pcache.la
olcModuleLoad: {5}back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...
...

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * read
olcSizeLimit: 500
olcPasswordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4

dn: olcDatabase={1}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {1}meta
olcSuffix: dc=example,dc=net
olcReadOnly: TRUE
olcRootDN: cn=admin,dc=example,dc=net
# note: no {ARGON2} prefix on this value; slapd compares an unprefixed rootpw as cleartext
olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$c2dkc3Rld3Z0ZTV0NDU0NQ$F6NZb2w8O+6BOA3L7zZ37mxFv7CPCXfHYuEiIxTYALY
olcMonitoring: FALSE
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmTFSupport: false
olcRwmMap: {0}objectClass posixAccount person
olcRwmMap: {1}attribute uid sAMAccountName

dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {1}pcache
olcPcache: mdb 100000 2 1000 100
olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName
olcPcacheAttrset: 1 uid employeeType
olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3 0 1600
olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100
olcPcacheTemplate: "(mail=)" 0 3600
olcPcacheTemplate: "(sn=)" 1 3600 100
olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200
olcPcachePersist: TRUE

dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcMdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/symas/pcache
olcDbIndex: objectClass eq
olcDbIndex: uid,employeeType,mail eq
olcDbIndex: postalAddress,telephoneNumber,givenName eq

dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net"
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=users,dc=example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbURI: "ldap://192.168.56.203/ou=com,dc=example,dc=net"
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=users,dc=example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE
----------------
The same pcache setup works with back_ldap.
What did I do wrong, or did I miss something?
Using this setting with back_ldap, doing an ldapsearch, stopping the domain controller and repeating the ldapsearch, I still get the result because the data is in the cache. Setting up back_meta, as soon as I stop the domain controller I get nothing at all.
Do I have to set up a cache for every URI? Then what should be the DN?
Stefan
On 31.03.23 at 20:05, Stefan Kania wrote:
Hello,
I am trying to configure a proxy server with back_meta connecting to two different AD domains. I get the expected result when I do an ldapsearch. But now I want to add caching for the data, so I configured the following:
I now tried to set up the configuration via slapd.conf to see what happens there. Here is my slapd.conf:
-------------
include /opt/symas/etc/openldap/schema/core.schema
include /opt/symas/etc/openldap/schema/cosine.schema
include /opt/symas/etc/openldap/schema/nis.schema
include /opt/symas/etc/openldap/schema/misc.schema
include /opt/symas/etc/openldap/schema/inetorgperson.schema
include /opt/symas/etc/openldap/schema/msuser.schema

pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args

# Load dynamic backend modules:
modulepath /opt/symas/lib/openldap
moduleload back_mdb.la
moduleload back_meta.la
moduleload back_ldap.la
moduleload argon2.la
moduleload rwm.la
moduleload pcache.la

sizelimit 500
loglevel any

#######################################################################
# MDB database definitions
#######################################################################

database meta
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2Rz4

uri "ldap://192.168.56.202/ou=org,dc=example,dc=net"
readonly yes
lastmod off
suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org"
map attribute uid sAMAccountName
idassert-bind mode=none bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=Users,dc=example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tls_reqcert=never tls_reqsan=allow
idassert-authzFrom "*"

uri "ldap://192.168.56.203/ou=com,dc=example,dc=net"
readonly yes
lastmod off
suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com"
map attribute uid sAMAccountName
idassert-bind mode=none bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=Users,dc=example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tls_reqcert=never tls_reqsan=allow
idassert-authzFrom "*"

overlay rwm
rwm-map attribute uid sAMAccountName

overlay pcache
pcachePersist TRUE
Pcache mdb 100000 2 1000 100
directory /var/symas/pcache
cachesize 100
PcacheAttrset 0 uid
PcacheAttrset 1 name
PcacheTemplate (uid=) 0 3600
-------------
As soon as I try to start slapd I get the following error:
------------------
/opt/symas/etc/openldap/slapd.conf: line 83 (overlay pcache)
/opt/symas/etc/openldap/slapd.conf: line 84 (pcachePersist TRUE)
/opt/symas/etc/openldap/slapd.conf: line 85 (Pcache mdb 100000 2 1000 100)
mdb_db_init: Initializing mdb database
Total # of attribute sets to be cached = 2.
/opt/symas/etc/openldap/slapd.conf: line 86 (directory /var/symas/pcache)
/opt/symas/etc/openldap/slapd.conf: line 87 (cachesize 100)
/opt/symas/etc/openldap/slapd.conf: line 87: unknown directive <cachesize> inside backend database definition.
------------------
But the manpage slapo-pcache is telling me:
---------
Directives for configuring the underlying database must also be given, as shown here:

directory /var/tmp/cache
cachesize 100
---------
If I remove "cachesize 100" slapd will start, but no data is cached.
Found my problem: it was a blank at the end of a line in an LDIF file.
But there is still the problem with "cachesize 100" in slapd.conf. Can it be that the manpage is wrong?
On 01.04.23 at 11:31, Stefan Kania wrote:
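As an added example (not part of the thread and not OpenLDAP's own code): the cn=config failure came down to a blank at the end of a line in the LDIF, which ldapadd accepts silently because the blank simply becomes part of the attribute value. The Python script below unfolds RFC 2849 continuation lines (a physical line starting with one space continues the previous one), reports every value that ends in whitespace, and strips such blanks without damaging legitimately folded values. The embedded sample LDIF is constructed for the example and only mimics the entries above; the function names are my own.

```python
"""Find stray trailing blanks in LDIF attribute values (RFC 2849 aware).

slapd keeps a trailing space as part of a value, so an olcPcacheAttrset
list ending in "givenName " differs from one ending in "givenName".
Continuation lines are unfolded first, so wrapped values are not reported.
"""
from __future__ import annotations

import base64
import sys
from typing import Iterator

# Constructed sample, loosely modelled on the cn=config entries in the thread:
# physical line 6 carries a trailing blank, and the olcDbIDAssertBind value is
# folded across two physical lines the way ldapsearch -LLL prints long values.
SAMPLE_LDIF = (
    "dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config\n"
    "objectClass: olcOverlayConfig\n"
    "objectClass: olcPcacheConfig\n"
    "olcOverlay: {1}pcache\n"
    "olcPcache: mdb 100000 2 1000 100\n"
    "olcPcacheAttrset: 0 mail postalAddress telephoneNumber \n"
    "olcPcacheAttrset: 1 uid employeeType\n"
    'olcPcacheTemplate: "(uid=)" 1 3600\n'
    "\n"
    "dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config\n"
    "objectClass: olcMetaTargetConfig\n"
    "olcMetaSub: {0}uri\n"
    'olcDbIDAssertBind: mode=none bindmethod=simple binddn="cn=proxy-orguser,cn=users,dc\n'
    ' =example2,dc=org" credentials="Passw0rd"\n'
)


def unfold(text: str) -> Iterator[tuple[int, str]]:
    """Yield (first physical line number, logical line), joining continuations."""
    start, parts = 0, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and parts:
            parts.append(raw[1:])  # drop the single continuation space
            continue
        if parts:
            yield start, "".join(parts)
        start, parts = lineno, [raw]
    if parts:
        yield start, "".join(parts)


def split_attr(logical: str) -> tuple[str, str] | None:
    """Split 'attr: value', 'attr:: base64' or 'attr:< url'; None for blanks/comments.

    Leading fill after the colon is removed as an LDIF parser would; trailing
    blanks are deliberately kept so the caller can see them.
    """
    if not logical.strip() or logical.startswith("#"):
        return None
    name, sep, rest = logical.partition(":")
    if not sep:
        return None
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    elif rest.startswith("<"):
        value = rest  # URL reference, left as written
    else:
        value = rest.lstrip(" ")
    return name, value


def find_trailing_blanks(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, attribute, value) for every value ending in whitespace."""
    hits = []
    for lineno, logical in unfold(text):
        parsed = split_attr(logical)
        if parsed and parsed[1] != parsed[1].rstrip():
            hits.append((lineno, parsed[0], parsed[1]))
    return hits


def parse_entries(text: str) -> list[dict[str, list[str]]]:
    """Group unfolded attribute lines into entries separated by blank lines."""
    entries, current = [], {}
    for _, logical in unfold(text):
        if not logical.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        parsed = split_attr(logical)
        if parsed:
            current.setdefault(parsed[0], []).append(parsed[1])
    if current:
        entries.append(current)
    return entries


def strip_trailing_blanks(text: str) -> str:
    """Strip trailing whitespace from values without breaking folded lines.

    "cn: John \\n Doe" unfolds to "John Doe"; blindly right-stripping every
    physical line would give "JohnDoe". A line is only stripped when the
    next physical line does not continue it.
    """
    lines = text.splitlines()
    out = []
    for i, raw in enumerate(lines):
        continued = i + 1 < len(lines) and lines[i + 1].startswith(" ")
        fixed = raw if continued else raw.rstrip()
        if raw.startswith(" ") and not fixed:
            continue  # a whitespace-only continuation contributed nothing
        out.append(fixed)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for lineno, name, value in find_trailing_blanks(ldif):
        print(f"line {lineno}: {name} value ends in whitespace: {value!r}")
```

Pass an LDIF file as the first argument to check it; with no argument the script checks the embedded sample and reports the blank on line 6. The slapd.conf error in the thread is a separate matter: `cachesize` is a back-bdb/back-hdb entry-cache directive, and slapd-mdb(5) defines no such directive (its size knob is `maxsize`), which is why slapd rejects it inside an mdb cache database even though the slapo-pcache(5) example still shows it.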
openldap-technical@openldap.org