Hi all,
I've got a master / slave replica setup. I did use this tutorial to set up the replica:
https://wiki.debian.org/LDAP/OpenLDAPSetup
My ldap tree is something like: Root -> o=(first level local branch), o=(first level replicated branch).
The local branch is just a cut and paste of the replicated branch.
On the slave server I can use the replicated branch to authenticate against a Radius server.
On the master server I realized I cannot let web users authenticate against the replicated branch.
If I try to bind as a user from the replicated branch, on both the master and the slave, I get:
ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
Enter LDAP Password: ldap_bind: Invalid credentials (49)
On the master, on the local branch, I get:
ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
Enter LDAP Password: dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
I did try to configure the acl on the server to disallow anonymous bind.
And, once I had found this problem, I tried to create a bind user (uid=read_only) able to read the replicated branch, userPassword attrs included.
Unfortunately this did not solve the problem.
My ACLs on the master are:
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=who,dc=is
olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou=binds,dc=who,dc=is" read
olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,ou=binds,dc=who,dc=is" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
I'm quite new to this kind of setup, is this something to be expected? Is there a way to bind directly on the replicated branch?
Regards, Giuseppe
On Tue, 27 Feb 2018 09:42:12 +0100, Giuseppe Civitella gcivitella@enter.eu wrote:
> Hi all,
> I've got a master / slave replica setup. I did use this tutorial to set up the replica:
> https://wiki.debian.org/LDAP/OpenLDAPSetup
> My ldap tree is something like: Root -> o=(first level local branch), o=(first level replicated branch).
> The local branch is just a cut and paste of the replicated branch.
> On the slave server I can use the replicated branch to authenticate against a Radius server.
> On the master server I realized I cannot let web users authenticate against the replicated branch.
> If I try to bind as a user from the replicated branch, on both the master and the slave, I get:
> ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
> Enter LDAP Password: ldap_bind: Invalid credentials (49)
> On the master, on the local branch, I get:
> ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
> Enter LDAP Password: dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
> I did try to configure the acl on the server to disallow anonymous bind.
> And, once I had found this problem, I tried to create a bind user (uid=read_only) able to read the replicated branch, userPassword attrs included.
> Unfortunately this did not solve the problem.
> My ACLs on the master are:
> dn: olcDatabase={1}mdb
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=who,dc=is
> olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou=binds,dc=who,dc=is" read
> olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,ou=binds,dc=who,dc=is" read
> olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {3}to attrs=shadowLastChange by self write by * read
> olcAccess: {4}to * by users read
> I'm quite new to this kind of setup, is this something to be expected? Is there a way to bind directly on the replicated branch?
Run slapd(8) in debug mode acl. Note debugging is not equal to logging!
-Dieter
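Editor's note on the ACL quoted above (this is added commentary and example config, not text from either poster or from the Debian wiki). The failed bind is produced by the rule order, not by the replication. slapd.access(5) uses the first olcAccess clause whose target (the "to" part) matches the entry and attribute being accessed; if none of that clause's "by" selectors match the requester, access is denied there and later clauses are never consulted. A simple bind as uid=gcivitella,ou=users,o=isiline,dc=who,dc=is starts out anonymous and needs auth access to that entry's userPassword. Rule {0} matches every attribute of every entry under o=isiline, and its only selector is uid=read_only, so the anonymous binder hits the implicit "by * none" at the end of rule {0}; rule {2}, the one carrying "by anonymous auth", is never reached. The same shadowing makes rule {1} unreachable: rule {0} already claims the whole o=isiline subtree, so uid=isi_replica never gets its read grant from rule {1}. The bind under o=area51 works because no subtree rule matches there and rule {2} applies as written. The LDIF below reorders the rules to keep the posted intent; it assumes the DNs exactly as posted, the Debian cn=config layout (database DN olcDatabase={1}mdb,cn=config, config directory /etc/ldap/slapd.d) and root access over ldapi:///. The slave's ACL was not posted; if the same rules were copied there, the same change applies.

```ldif
# fix-acl.ldif (added example): replace the whole olcAccess list so that the
# userPassword rule is evaluated first and the replicated branch is covered
# by a single clause naming both service accounts.
#
# Apply as root (changes to cn=config take effect immediately):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif
#
# Check before and after with slapacl(8), which evaluates the on-disk ACLs
# without a running slapd (the offline counterpart of "slapd -d acl"):
#   slapacl -F /etc/ldap/slapd.d \
#           -b "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" userPassword/auth
#   slapacl -F /etc/ldap/slapd.d -D "uid=isi_replica,ou=binds,dc=who,dc=is" \
#           -b "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" userPassword/read
# No -D means the anonymous identity, which is what a simple bind is until it
# succeeds. slapacl reports ALLOWED or DENIED per attribute: with the posted
# rules the first check is DENIED, with the rules below it is ALLOWED.
#
# Rule notes:
# {0} Password hashes first, for every branch: anonymous gets auth (so simple
#     binds can be checked), the replication consumer gets read (so hashes
#     replicate), the entry owner may change its own password, everyone else,
#     uid=read_only included, gets nothing. A lookup account does not need
#     password hashes to authenticate users; drop that requirement rather
#     than widen this rule.
# {2} One clause for the replicated branch with both service accounts as
#     selectors; two clauses on the same target shadow each other. "by * break"
#     lets every other requester fall through to rule {3}; remove it to keep
#     o=isiline hidden from ordinary authenticated users, as the posted
#     rules did (then a web user who binds there still cannot read anything).
# dn.exact is spelled out so no reader has to remember what a bare "dn="
# selector defaults to.
#
# LDIF folding: a continuation line begins with ONE space, which is stripped
# on parsing, so the second space below is the real separator before "by".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="uid=isi_replica,ou=binds,dc=who,dc=is" read
  by * none
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * read
olcAccess: {2}to dn.subtree="o=isiline,dc=who,dc=is"
  by dn.exact="uid=read_only,ou=binds,dc=who,dc=is" read
  by dn.exact="uid=isi_replica,ou=binds,dc=who,dc=is" read
  by * break
olcAccess: {3}to *
  by users read
```

Run the slapacl checks as the user that owns the database files (openldap on Debian) or add -u so slapacl does not try to fetch the entry from the database; read the whole list with "slapcat -n0 | grep olcAccess" after the modify to confirm the {n} ordering is what was intended, because replace: rewrites all of it.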
openldap-technical@openldap.org