Hello, I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive. consumer/10.112.107.53:-------------------------------------
# slapd -V @(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $ root@consumer:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/freeradius.schema include /etc/openldap/schema/authldap.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/custom.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args moduleload back_ldap.la moduleload unique.la moduleload ppolicy.la moduleload dynlist.la moduleload memberof.la moduleload syncprov.la moduleload accesslog.la moduleload auditlog.la overlay chain chain-uri "ldap://10.112.107.51" chain-idassert-bind bindmethod="simple" binddn="cn=proxyuser,dc=example,dc=com" credentials="12345678" mode="self" flags=non-prescriptive chain-rebind-as-user TRUE chain-return-error TRUE access to * by * write serverID 101 allow bind_v2 database mdb suffix "dc=example,dc=com" dbnosync rootdn "cn=Manager,dc=example,dc=com" rootpw 12345678 directory /var/lib/ldap maxsize 106300440576 index objectClass eq index uid eq,sub index entryCSN,entryUUID eq loglevel stats syncrepl rid=101 provider=ldap://10.112.107.51:389 type=refreshAndPersist searchbase="dc=example,dc=com" schemachecking=off bindmethod=simple retry="60 10 300 +" binddn="cn=syncrepl,dc=example,dc=com" credentials=12345678 updateref "ldap://10.112.107.51:389"
provider/10.112.107.51:-----------------------------------
# slapd -V @(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $ root@provider:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/freeradius.schema include /etc/openldap/schema/authldap.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/custom.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap moduleload back_ldap.la moduleload unique.la moduleload ppolicy.la moduleload dynlist.la moduleload memberof.la moduleload syncprov.la moduleload accesslog.la moduleload auditlog.la access to * by * write serverID 001 authz-policy to allow bind_v2 database mdb suffix "dc=example,dc=com" dbnosync rootdn "cn=Manager,dc=example,dc=com" rootpw 12345678 directory /var/lib/ldap maxsize 106300440576 index objectClass eq index uid eq,sub index entryCSN,entryUUID eq loglevel stats limits dn="cn=proxyuser,dc=example,dc=com" size=unlimitedlimits dn="cn=syncrepl,dc=example,dc=com" size=unlimitedoverlay syncprov syncprov-checkpoint 1000 1 syncprov-sessionlog 150000 syncprov-reloadhint TRUE
now I do an update in the consumer: Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:42198 (IP=0.0.0.0:389) Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0 Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 RESULT tag=97 err=0 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(employeeid=759042)" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH attr=* + Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=endwmkhwl60nehf2c)" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH attr=* + Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD attr=description Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 RESULT tag=103 err=8 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 closed (connection lost)
and this is the corresponding log in the provider: Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 ACCEPT from IP=10.112.107.53:58416 (IP=0.0.0.0:389) Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 BIND dn="" method=128 Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 RESULT tag=97 err=0 text= Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com" Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD attr=description Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 RESULT tag=103 err=8 text=modifications require authentication Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=2 UNBIND Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 closed
afaik, the bind dn in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind.
any suggestion about what can be my mistake??
On Thu, Apr 20, 2017 at 6:36 AM, mailing lists listas.correo@yahoo.es wrote:
Hello,
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive.
We're also seeing the same behavior and reported a similar issue last month to this list: http://www.openldap.org/lists/openldap-technical/201703/msg00047.html
I'm hopeful we can track down this issue as it's causing us some issues that we'll need to resolve eventually.
openldap-technical@openldap.org