mailing lists wrote:
Hello,
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configured in the chain directive.
Have you successfully run test032 in the test suite? Have you compared your config to the config used in that test?
AFAIK, the bind DN in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind.
Any suggestion about what my mistake could be?
On Thursday, April 27, 2017 4:48 AM, Howard Chu hyc@symas.com wrote:
mailing lists wrote:
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configured in the chain directive.
Have you successfully run test032 in the test suite? Have you compared your config to the config used in that test?
Yes, I ran test032, but I am struggling to understand it. It is different from the example shown in the admin guide.
This is what I get running the test:
root@localhost:/tmp/openldap-2.4.44/tests # ./run -b mdb test032-chain
Cleaning up test run directory leftover from previous run.
Running ./scripts/test032-chain for mdb...
running defines.sh
Running slapadd to build slapd database...
Starting first slapd on TCP/IP port 9011...
Starting second slapd on TCP/IP port 9012...
Using ldapsearch to check that first slapd is running...
Using ldapsearch to check that second slapd is running...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9011...
Comparing "ou=Other,dc=example,dc=com" on port 9011 with manageDSAit control...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Reading the referral entry "ou=Other,dc=example,dc=com" as anonymous on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Comparing "cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com" on port 9012...
Comparing "ou=Other,dc=example,dc=com" on port 9012 with manageDSAit control...
Writing to first server with scope on second server...
Writing to second server with scope on first server...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9011...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Testing ldapsearch as anonymous for "dc=example,dc=com" on port 9012...
Filtering ldapsearch results...
Filtering original ldif used to create database...
Comparing filter output...
Using ldappasswd on second server with scope on first server...
Binding with newly changed password on first server...
dn:cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
Reading the referral entry "ou=Can't Contact,dc=example,dc=com" as anonymous on port 9011...
Test succeeded
The configuration files generated were:
root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile /tmp/openldap-2.4.44/tests/testrun/slapd.1.pid
argsfile /tmp/openldap-2.4.44/tests/testrun/slapd.1.args
modulepath ../servers/slapd/back-mdb/
moduleload back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
overlay chain
chain-uri ldap://localhost:9012/
chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self flags=non-prescriptive
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /tmp/openldap-2.4.44/tests/testrun/db.1.a
index objectClass eq
index cn,sn,uid pres,eq,sub
database monitor
and:
root@localhost:/tmp/openldap-2.4.44/tests # grep '^[^#]' /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/nis.schema
pidfile /tmp/openldap-2.4.44/tests/testrun/slapd.2.pid
argsfile /tmp/openldap-2.4.44/tests/testrun/slapd.2.args
modulepath ../servers/slapd/back-mdb/
moduleload back_mdb.la
modulepath ../servers/slapd/back-ldap/
moduleload back_ldap.la
modulepath ../servers/slapd/back-monitor/
moduleload back_monitor.la
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /tmp/openldap-2.4.44/tests/testrun/db.2.a
index objectClass eq
index cn,sn,uid pres,eq,sub
overlay chain
chain-uri ldap://localhost:9011/
chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self flags=non-prescriptive
database monitor
Now updating the "drink" attribute on slapd 2 (port 9012) shows the update in both servers:
root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.2.conf -h ldap://0.0.0.0:9012/ -d stats -d stats2 -d sync
59089363 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
	root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089363 slapd starting
59089392 conn=1000 fd=10 ACCEPT from IP=127.0.0.1:41182 (IP=0.0.0.0:9012)
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=2 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=3 SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=3 SRCH attr=* +
59089392 conn=1000 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
59089392 conn=1000 op=4 SRCH base="ou=Other,dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=4 SRCH attr=* +
59089392 conn=1000 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
root@localhost:/tmp/openldap-2.4.44/tests # /tmp/openldap-2.4.44/servers/slapd/.libs/lt-slapd -s0 -f /tmp/openldap-2.4.44/tests/testrun/slapd.1.conf -h ldap://0.0.0.0:9011/ -d stats -d stats2 -d sync
59089369 @(#) $OpenLDAP: slapd 2.4.44 (Apr 27 2017 12:58:56) $
	root@nuc:/tmp/openldap-2.4.44/servers/slapd
59089369 slapd starting
59089392 conn=1000 fd=10 ACCEPT from IP=10.20.30.112:40118 (IP=0.0.0.0:9011)
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(cn=mark elliot)"
59089392 conn=1000 op=1 SRCH attr=* +
59089392 conn=1000 op=1 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=1 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=melliot)"
59089392 conn=1000 op=2 SRCH attr=* +
59089392 conn=1000 op=2 ENTRY dn="cn=mark elliot,ou=alumni association,ou=people,dc=example,dc=com"
59089392 conn=1000 op=2 REF #0 "ldap://localhost:9013/ou=Can't%20Contact,dc=example,dc=com??sub"
59089392 conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
59089392 conn=1000 op=3 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089392 conn=1000 op=3 MOD attr=drink
59089392 slap_queue_csn: queueing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 op=3 RESULT tag=103 err=0 text=
59089392 slap_graduate_commit_csn: removing 0x7ffa70102c70 20170502141130.137068Z#000000#000#000000
59089392 conn=1000 fd=10 closed (connection lost)
But how is it possible for both servers to be updated without syncrepl configured (as the example in the admin guide does)?
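The `-d stats` output quoted above is exactly what a provider administrator would look at to confirm whether a chained write arrived under the configured `chain-idassert-bind` identity or anonymously. The following script is an added example, not code from the thread or from OpenLDAP: it parses slapd stats lines in the format shown above, groups them per connection, and flags connections that bound anonymously (`BIND dn=""`), that bound as a DN other than the expected chain identity, that used a simple bind with `ssf=0` (credentials in the clear, as in the logs above), or that performed writes without an authenticated identity. DNs are compared case-insensitively because the two servers above log `cn=manager` and `cn=Manager` for the same entry. The sample log is constructed: the `conn=1000` lines are taken from the port-9011 log above, the `conn=1001` lines are a constructed anonymous bind followed by a modify, the symptom described in the first post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the slapd -d stats output quoted in this thread.
# conn=1000 is copied from the provider (port 9011) log; conn=1001 is a constructed
# anonymous bind followed by a modify, i.e. the symptom the original poster saw.
SAMPLE_LOG = """\
59089392 conn=1000 fd=10 ACCEPT from IP=10.20.30.112:40118 (IP=0.0.0.0:9011)
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
59089392 conn=1000 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
59089392 conn=1000 op=0 RESULT tag=97 err=0 text=
59089392 conn=1000 op=3 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089392 conn=1000 op=3 MOD attr=drink
59089392 conn=1000 op=3 RESULT tag=103 err=0 text=
59089392 conn=1000 fd=10 closed (connection lost)
59089395 conn=1001 fd=11 ACCEPT from IP=10.20.30.112:40120 (IP=0.0.0.0:9011)
59089395 conn=1001 op=0 BIND dn="" method=128
59089395 conn=1001 op=0 RESULT tag=97 err=0 text=
59089395 conn=1001 op=1 MOD dn="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
59089395 conn=1001 op=1 MOD attr=drink
59089395 conn=1001 op=1 RESULT tag=103 err=50 text=
59089395 conn=1001 fd=11 closed
"""

# Patterns for the stats-level lines used here (the leading timestamp is ignored).
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
WRITE_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|MODRDN|DEL) dn="([^"]*)"')


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators. cn and dc use caseIgnore
    matching, so "cn=manager,..." and "cn=Manager,..." name the same entry."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class Connection:
    conn: int
    peer: str = "?"
    bind_dn: Optional[str] = None   # None: never bound; "": anonymous bind
    mech: Optional[str] = None
    ssf: Optional[int] = None
    writes: List[str] = field(default_factory=list)


def parse_stats(log_text: str) -> Dict[int, Connection]:
    """Group ACCEPT/BIND/write lines by connection id."""
    conns: Dict[int, Connection] = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conns[int(m.group(1))] = Connection(int(m.group(1)), m.group(2))
            continue
        m = MECH_RE.search(line)
        if m:
            c = conns.setdefault(int(m.group(1)), Connection(int(m.group(1))))
            c.mech, c.ssf = m.group(3), int(m.group(4))
            continue
        m = BIND_RE.search(line)
        if m:
            c = conns.setdefault(int(m.group(1)), Connection(int(m.group(1))))
            c.bind_dn = m.group(3)
            continue
        m = WRITE_RE.search(line)
        if m:
            c = conns.setdefault(int(m.group(1)), Connection(int(m.group(1))))
            c.writes.append(f"{m.group(3)} {m.group(4)}")
    return conns


def audit(log_text: str, expected_binddn: str) -> List[Tuple[int, str, str]]:
    """Return (conn, finding, detail) for every connection that deviates from
    'authenticated as expected_binddn over a protected channel'."""
    findings: List[Tuple[int, str, str]] = []
    want = normalize_dn(expected_binddn)
    for c in sorted(parse_stats(log_text).values(), key=lambda c: c.conn):
        anonymous = c.bind_dn is None or c.bind_dn == ""
        if anonymous:
            findings.append((c.conn, "anonymous-bind", f"{c.peer}: no authenticated bind"))
        elif normalize_dn(c.bind_dn) != want:
            findings.append((c.conn, "unexpected-dn",
                             f"{c.peer}: bound as {c.bind_dn!r}, expected {expected_binddn!r}"))
        if c.mech == "SIMPLE" and c.ssf == 0:
            findings.append((c.conn, "cleartext-simple-bind",
                             f"{c.peer}: simple bind with ssf=0, password sent unprotected"))
        if c.writes and anonymous:
            findings.append((c.conn, "anonymous-write", f"{c.peer}: {', '.join(c.writes)}"))
    return findings


if __name__ == "__main__":
    for conn, kind, detail in audit(SAMPLE_LOG, "cn=Manager,dc=example,dc=com"):
        print(f"conn={conn} {kind}: {detail}")
```

Run against a real provider log, the expected DN is the `binddn` from the consumer's `chain-idassert-bind` line; any `anonymous-bind` or `unexpected-dn` finding on a connection from the consumer's address means the identity assertion is not being applied, which is the situation the first post describes. The `cleartext-simple-bind` finding fires for the test-suite logs above too, since the test uses plain `ldap://` between two local servers; between real hosts that would be worth fixing with `ldaps://` or StartTLS on the `chain-uri`.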
mailing lists wrote:
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configured in the chain directive.
Have you successfully run test032 in the test suite? Have you compared your config to the config used in that test?
The chain works as expected, with the configured identity, if the port is not included in the updatedn.
openldap-technical@openldap.org