Hi,
After more than a day of fiddling with it, I turn to you, the gurus ;)
I'm trying to create an OpenLDAP proxy that will talk to 2 OpenLDAP servers, doing MirrorMode replication and using a floating IP so that I can point all write queries to one and the same server. Those 2 MirrorMode servers are up and running and doing fine, but I can't figure out how to make that proxy.
I'm running on Debian Bullseye (still "testing" at this moment), with OpenLDAP 2.4.57, both on the backend servers and the proxy I'm trying to make. I'm not using TLS yet, that's for later.
After installation, there's an (empty, of course) mdb database. I think I should throw that away, but I'm not sure. The suffix in that database is different than the one I need to proxy, so it's probably not a problem to leave it there.
I have loaded the extra schemas that I use on the MirrorMode machines, and loaded the backends ldap and meta, with LDIF files like this:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap.la
And fed that to slapd with
ldapmodify -Y EXTERNAL -h ldapi:/// -f <file>
I checked with ldapvi and saw both modules loaded. So far, so good.
Now I need to create the backend, and this is where I keep running into problems. Although the use of slapd.conf has fallen from grace a long time ago, every example I can find online only uses that. So I tried creating one and adding it to the configuration with slaptest. This is what I came up with:
backend meta
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "super secret passwd"

uri "ldap://172.16.7.6/dc=example,dc=com"
readonly yes
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"

uri "ldap://172.16.7.7/dc=example,dc=com"
readonly yes
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"

uri "ldap://172.16.7.8/dc=example,dc=com"
readonly no
acl-authcDN "cn=admin,dc=example,dc=com"
acl-passwd "super secret passwd"
But when I try to convert that, I get an error:
# slaptest -f /root/proxybackend.conf -F /etc/ldap/slapd.d
6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)!
slaptest: bad configuration directory!
The information in the OpenLDAP Handbook is, well, lacking:
https://openldap.org/doc/admin24/backends.html#Metadirectory
I had hoped to find a way to create an LDIF file which I could add with ldapadd, but I never came much further than this:
dn: olcDatabase=meta
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: meta
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: "super secret passwd"
which results in:
adding new entry "olcDatabase=meta"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
I'm pretty sure I need more lines in that, to begin with the URI lines to point the proxy to the machines it needs to contact, but I couldn't find the olcSomeThing syntax for them. I'm pretty good at searching, but not so good at finding, unfortunately.
Can somebody give me a few hints please? I'm pretty sure I'm missing something small here, but I'm stuck.
Kind regards,
Hans
--On Thursday, April 15, 2021 6:39 PM +0200 Hans van Zijst hans@woefdram.nl wrote:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap.la

6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)!
slaptest: bad configuration directory!
A few notes:
A) the "backend meta" directive is not needed. There's only one use case for a "backend" statement at this time that I'm aware of, for back-mdb, and only in OpenLDAP 2.5 or later.
B) You don't show that you loaded the back_meta module via moduleload.
There's definitely still a lot of work to be done in regards to better documentation and examples when working with cn=config. Patches welcome once you get it working. ;)
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 15-04-2021 19:09, Quanah Gibson-Mount wrote:
A few notes:
A) the "backend meta" directive is not needed. There's only one use case for a "backend" statement at this time that I'm aware of, for back-mdb, and only in OpenLDAP 2.5 or later.
B) You don't show that you loaded the back_meta module via moduleload.
I did mention it in the line above that, but for clarity's sake I should have included the olcLoadModule for back_meta.la too: I made two almost identical LDIF files and loaded them separately. Brevity isn't always a good idea :)
It looks like the meta backend is loaded; this is what I find in /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_ldap.la
olcModuleLoad: {2}back_meta.la
structuralObjectClass: olcModuleList
But I notice that I only have the file cn=module{0}.ldif, and I would expect to also find the directory cn=module{0}, am I correct?
I do suspect the backend isn't actually loaded, because if I remove the backend definition and start the proxybackend.conf with "database meta", I get this error when I run slaptest:
Unrecognized database type (meta)
6078774c proxybackend.conf: line 1: <database> failed init (meta)
slaptest: bad configuration directory!
How do I make sure those two backend definitions are actually loaded? If I feed the two LDIF files that load the backends, I get the message:
modifying entry "cn=module{0},cn=config"
and if I try to load them again, I get the error:
modifying entry "cn=module{0},cn=config"
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcModuleLoad: value #0 already exists

That, to me, suggests that they're actually loaded, if it wasn't for the slaptest error message that says it doesn't know about a meta database.
There's definitely still a lot of work to be done in regards to better documentation and examples when working with cn=config. Patches welcome once you get it working. ;)
I'm documenting the whole process, including all the small and bigger LDIF files I have constructed. And I'd be more than happy to share all of it when I get things working.
Kind regards,
Hans
--On Thursday, April 15, 2021 8:58 PM +0200 Hans van Zijst hans@woefdram.nl wrote:
On 15-04-2021 19:09, Quanah Gibson-Mount wrote:
A few notes:
A) the "backend meta" directive is not needed. There's only one use case for a "backend" statement at this time that I'm aware of, for back-mdb, and only in OpenLDAP 2.5 or later.
B) You don't show that you loaded the back_meta module via moduleload.
I did mention it in the line above that, but for clarity's sake I should have included the olcLoadModule for back_meta.la too: I made two almost identical LDIF files and loaded them separately. Brevity isn't always a good idea :)
It looks like the meta backend is loaded; this is what I find in /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_ldap.la
olcModuleLoad: {2}back_meta.la
structuralObjectClass: olcModuleList
But I notice that I only have the file cn=module{0}.ldif, and I would expect to also find the directory cn=module{0}, am I correct?
No, it's an entry not a directory. Is there a back_meta.la file in /usr/lib/ldap ?
backend definition and start the proxybackend.conf with "database meta", I get this error when I run slaptest:
Unrecognized database type (meta)
6078774c proxybackend.conf: line 1: <database> failed init (meta)
slaptest: bad configuration directory!
I would suggest you run slapd -d -1 and see what the full debug output is and any errors.
How do I make sure those two backend definitions are actually loaded? If I feed the two LDIF files that load the backends, I get the message:
modifying entry "cn=module{0},cn=config"
and if I try to load them again, I get the error:
modifying entry "cn=module{0},cn=config"
ldap_modify: Type or value exists (20)
        additional info: modify/add: olcModuleLoad: value #0 already exists

That, to me, suggests that they're actually loaded, if it wasn't for the slaptest error message that says it doesn't know about a meta database.
That tells you nothing about whether or not they're loaded. It says you're trying to add a duplicate value to the entry, which is the correct error for that scenario. ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
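The two things this reply points at (whether back_meta.la actually exists under the module path, and whether the proxybackend.conf handed to slaptest loads the module before it says "database meta") can both be checked offline. The script below is an added example, not code from the thread or from the OpenLDAP project. It assumes that a module name without a suffix resolves to <name>.la or <name>.so, that olcModulePath may be a colon-separated list, and that every backend except "config" is a loadable module (as in Debian's slapd packaging; adjust BUILTIN for other builds). The demo fixture, module directory, placeholder password and backend host name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): two offline sanity checks.
#   check_modules - does every olcModuleLoad value in cn=module{0}.ldif exist
#                   as a file under olcModulePath? A value being present in the
#                   entry only proves ldapmodify wrote it, not that slapd found
#                   the module file.
#   check_conf    - does a slapd.conf handed to "slaptest -f" say
#                   "moduleload back_<type>" before each "database <type>"?
#                   Without it a slapd built with backends as modules reports
#                   "Unrecognized database type (<type>)".
# Assumptions: <name> resolves to <name>.la or <name>.so, olcModulePath may be
# colon-separated, every backend except "config" is a module (Debian; adjust
# BUILTIN otherwise). A "backend <type>" line is ignored; it is not needed.
BUILTIN="config"

# check_modules <cn=module{0}.ldif>
# Prints "ok <module>" or "MISSING <module>" per olcModuleLoad value;
# returns 1 if any module file is missing.
check_modules() {
    ldif="$1"
    modpath=$(sed -n 's/^olcModulePath: *//p' "$ldif" | head -n 1)
    [ -n "$modpath" ] || modpath=/usr/lib/ldap   # Debian default (assumption)
    rc=0
    # strip the {n} ordering prefix slapd adds to multi-valued attributes
    for mod in $(sed -n 's/^olcModuleLoad: *//p' "$ldif" | sed 's/^{[0-9]*}//'); do
        case "$mod" in
            *.la|*.so) names="$mod" ;;
            *)         names="$mod.la $mod.so" ;;
        esac
        found=0
        for dir in $(printf '%s' "$modpath" | tr ':' ' '); do
            for n in $names; do
                if [ -f "$dir/$n" ]; then found=1; fi
            done
        done
        if [ "$found" -eq 1 ]; then
            echo "ok $mod"
        else
            echo "MISSING $mod (searched $modpath)"
            rc=1
        fi
    done
    return $rc
}

# check_conf <slapd.conf>
# Prints "ok <type>" or "NO-MODULELOAD <type>" per database directive;
# returns 1 if a non-builtin backend has no preceding moduleload.
check_conf() {
    conf="$1"
    rc=0
    loaded=""
    while read -r key val rest; do
        case "$key" in
            moduleload)
                # /usr/lib/ldap/back_meta.la -> meta
                m=${val##*/}; m=${m%.la}; m=${m%.so}; m=${m#back_}
                loaded="$loaded $m"
                ;;
            database)
                case " $BUILTIN$loaded " in
                    *" $val "*) echo "ok $val" ;;
                    *)          echo "NO-MODULELOAD $val"; rc=1 ;;
                esac
                ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed fixture: a module directory without back_meta, a module entry
# like the one in the thread, and a proxybackend.conf that declares
# "database meta" with no moduleload. Both checks are expected to fail.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/modules"
    : > "$tmp/modules/back_mdb.la"
    : > "$tmp/modules/back_ldap.la"
    cat > "$tmp/module.ldif" <<EOF
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: $tmp/modules
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_ldap.la
olcModuleLoad: {2}back_meta.la
EOF
    cat > "$tmp/proxybackend.conf" <<'EOF'
database meta
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw "PLACEHOLDER-PASSWORD"
uri "ldap://BACKEND-HOST-1/dc=example,dc=com"
readonly yes
EOF
    m=0; c=0
    check_modules "$tmp/module.ldif" || m=1
    check_conf "$tmp/proxybackend.conf" || c=1
    rm -rf "$tmp"
    [ "$m" -eq 0 ] && [ "$c" -eq 0 ]
}

case "${1:-}" in
    demo) demo ;;
    "")   : ;;   # no arguments: only define the functions
    *)    check_modules "$1"; check_conf "${2:-/dev/null}" ;;
esac
```

Run it as "sh check.sh demo" to see the fixture report "MISSING back_meta.la" and "NO-MODULELOAD meta", or as "sh check.sh /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif /root/proxybackend.conf" against the real files. The first check answers the "is there a back_meta.la in /usr/lib/ldap" question without starting slapd; the second catches a conf file that slaptest parses on its own, where the modules loaded into the running cn=config do not help.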
openldap-technical@openldap.org