I added an updateref statement to my slave/consumer server, referring back to the master/producer:
updateref ldap://test1.mydomain.com
In the logs on the slave, I can see that it does look like it refers the client to the master...
Aug 5 09:21:19 unix-services2 slapd[29985]: daemon: select: listen=7 active_threads=0 tvp=zero
Aug 5 09:21:19 unix-services2 slapd[29985]: daemon: select: listen=8 active_threads=0 tvp=zero
Aug 5 09:21:19 unix-services2 slapd[29985]: do_modify
Aug 5 09:21:19 unix-services2 slapd[29985]: do_modify: dn (uid=joliver,ou=People,dc=mydomain,dc=com)
Aug 5 09:21:19 unix-services2 slapd[29985]: >>> dnPrettyNormal: <uid=joliver,ou=People,dc=mydomain,dc=com>
Aug 5 09:21:19 unix-services2 slapd[29985]: <<< dnPrettyNormal: <uid=joliver,ou=People,dc=mydomain,dc=com>, <uid=joliver,ou=people,dc=mydomain,dc=com>
Aug 5 09:21:19 unix-services2 slapd[29985]: modifications:
Aug 5 09:21:19 unix-services2 slapd[29985]: replace: userPassword
Aug 5 09:21:19 unix-services2 slapd[29985]: one value, length 41
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 MOD dn="uid=joliver,ou=People,dc=mydomain,dc=com"
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 MOD attr=userPassword
Aug 5 09:21:19 unix-services2 slapd[29985]: bdb_dn2entry("uid=joliver,ou=people,dc=mydomain,dc=com")
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_result: conn=22 op=5 p=3
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_result: err=10 matched="" text=""
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_result: referral="ldap://test1.mydomain.com/uid=joliver,ou=People,dc=mydomain,dc=com"
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_response: msgid=6 tag=103 err=10
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_response: ref="ldap://test1.mydomain.com/uid=joliver,ou=People,dc=mydomain,dc=com"
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 RESULT tag=103 err=10 text=
Aug 5 09:21:22 unix-services2 slapd[29985]: daemon: activity on 1 descriptor
Aug 5 09:21:22 unix-services2 slapd[29985]: daemon: activity on:
Aug 5 09:21:22 unix-services2 slapd[29985]: 28r
Aug 5 09:21:22 unix-services2 slapd[29985]:
Aug 5 09:21:22 unix-services2 slapd[29985]: daemon: read active on 28
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_get(28)
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_get(28): got connid=22
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_read(28): checking for input on id=22
Aug 5 09:21:22 unix-services2 slapd[29985]: do_unbind
Aug 5 09:21:22 unix-services2 slapd[29985]: ber_get_next on fd 28 failed errno=0 (Success)
Aug 5 09:21:22 unix-services2 slapd[29985]: conn=22 op=6 UNBIND
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_read(28): input error=-2 id=22, closing.
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_closing: readying conn=22 sd=28 for close
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_close: deferring conn=22 sd=28
Aug 5 09:21:22 unix-services2 slapd[29985]: daemon: select: listen=7 active_threads=0 tvp=zero
Aug 5 09:21:22 unix-services2 slapd[29985]: connection_resched: attempting closing conn=22 sd=28
However, nothing is logged on the master, and the client bombs out with:
LDAP password information update failed: Can't contact LDAP server
The client can authenticate against test1 (the master server) with the appropriate change to /etc/ldap.conf
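An added example, not part of the original post and not OpenLDAP project code: a small Python parser that pairs each write operation in a consumer's slapd log with its RESULT line and reports the ones answered with err=10 (referral), as in the log above. The function name `referred_writes` and the conn=23 sample lines are assumptions made for illustration.

```python
import re

# Constructed sample in the slapd syslog format quoted in this thread; the
# conn=23 lines are made up to show an operation that is not referred.
SAMPLE_LOG = """\
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 MOD dn="uid=joliver,ou=People,dc=mydomain,dc=com"
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 MOD attr=userPassword
Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_response: ref="ldap://test1.mydomain.com/uid=joliver,ou=People,dc=mydomain,dc=com"
Aug 5 09:21:19 unix-services2 slapd[29985]: conn=22 op=5 RESULT tag=103 err=10 text=
Aug 5 09:21:22 unix-services2 slapd[29985]: conn=22 op=6 UNBIND
Aug 5 09:22:01 unix-services2 slapd[29985]: conn=23 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=joliver)"
Aug 5 09:22:01 unix-services2 slapd[29985]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

LDAP_REFERRAL = 10  # LDAP result code "referral"
WRITE_VERBS = {"ADD", "DEL", "MOD", "MODRDN"}
OP_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (\w+)(?: (.*))?$")
REF_RE = re.compile(r'send_ldap_response: ref="([^"]+)"')

def referred_writes(log_text):
    """Return write operations that this server answered with a referral."""
    pending, last_ref, hits = {}, None, []
    for line in log_text.splitlines():
        ref = REF_RE.search(line)
        if ref:
            # Debug-level line with no conn/op; attaching it to the next
            # RESULT is a heuristic that can mismatch on a busy server.
            last_ref = ref.group(1)
            continue
        m = OP_RE.search(line.rstrip())
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        verb, rest = m.group(3), m.group(4) or ""
        if verb in WRITE_VERBS:
            rec = pending.setdefault(key, {"conn": key[0], "op": key[1],
                                           "verb": verb, "dn": None, "attrs": []})
            dn = re.match(r'dn="(.*)"', rest)
            if dn:
                rec["dn"] = dn.group(1)
            elif rest.startswith("attr="):
                rec["attrs"] = rest[len("attr="):].split()
        elif verb == "RESULT" and key in pending:
            rec = pending.pop(key)
            err = re.search(r"\berr=(\d+)", rest)
            if err and int(err.group(1)) == LDAP_REFERRAL:
                rec["referral"] = last_ref
                hits.append(rec)
            last_ref = None
    return hits

if __name__ == "__main__":
    for hit in referred_writes(SAMPLE_LOG):
        print(hit)
```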
Hi,
John Oliver wrote:
> I added an updateref statement to my slave/consumer server, referring back to the master/producer:
> updateref ldap://test1.mydomain.com
> Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_response: ref="ldap://test1.mydomain.com/uid=joliver,ou=People,dc=mydomain,dc=com"
> However, nothing is logged on the master, and the client bombs out with:
> LDAP password information update failed: Can't contact LDAP server
With which tool are you trying to update the password?
If you configured "pam_ldap" and are using "passwd" to change your password, this should work, as "pam_ldap" will follow referrals.
If you are using "ldapmodify" (or "ldapadd", "ldappasswd", etc.) it will not work since those tools do not follow referrals (AFAIR).
HTH, Filipe
On Tue, Aug 05, 2008 at 02:19:43PM -0400, Filipe Brandenburger wrote:
> Hi,
> John Oliver wrote:
>> I added an updateref statement to my slave/consumer server, referring back to the master/producer:
>> updateref ldap://test1.mydomain.com
>> Aug 5 09:21:19 unix-services2 slapd[29985]: send_ldap_response: ref="ldap://test1.mydomain.com/uid=joliver,ou=People,dc=mydomain,dc=com"
>> However, nothing is logged on the master, and the client bombs out with:
>> LDAP password information update failed: Can't contact LDAP server
> With which tool are you trying to update the password?
> If you configured "pam_ldap" and are using "passwd" to change your password, this should work, as "pam_ldap" will follow referrals.
This is what I want to do. What "configuration" does PAM require over and above what gets LDAP authentication working in the first place?
Thanks...
openldap-technical@openldap.org