Okay, my referral chaining was working and then stopped working. I get an error 10 when I submit a change to my clustered consumers that are set up to refer writes to my master LDAP server. In looking at the configuration help in the online documentation it shows how to set up the slapd.conf file on the master. The issue here is that everything is set up through cn=config. My consumers do have a slapd.conf file along with cn=config files. I have inherited these servers so I'm sure what the person here before me was trying to do. I have an idea but I didn't like that idea.
Here is the chaining command from my slapd.conf file.
overlay chain
chain-uri "ldap://tntest-ldap-master-1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple" binddn="uid=admin,dc=oreillyauto,dc=com" credentials="password" mode="self"
chain-tls start
chain-return-error TRUE
Then the syncrepl area:

syncrepl rid=002
    provider=ldap://tntest-ldap-master-1.example.com
    type=refreshOnly
    interval=00:00:05:00
    searchbase="dc=oreillyauto,dc=com"
    binddn="uuid=syncrepl,ou=system,dc=oreillyauto,dc=com"
    credentials=password
updatedn "uid=ldapadmin,ou=system,dc=example,dc=com"
updateref ldap://tntest-ldap-master-1.example.com
I need to be pointed in the right direction please.

Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
I'm using chaining as well, from 3 slaves that chain to a single master. In my case, I created a new user to do the chaining (cn=proxyUser,dc=domain). In order to get my setup working I had to add an authzTo URI to my cn=proxyUser account in addition to the chain-* configuration references you mentioned:
# proxyUser, domain
dn: cn=proxyUser,dc=domain
authzTo: {0}ldap:///ou=people,dc=domain??one?(objectClass=posixAccount)
All my user accounts are in the ou=people branch and all contain the OC posixAccount as indicated above. You may need to craft a different URI depending on what accounts you want to modify and where they live. The slapd-ldap(5) man page has more info on using authzTo.
(I don't know if this is necessarily the fix in your case as you're using what appears to be your admin account to do the chaining, but this is what got mine working)
-Michael Proto
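The cn=config rendering of the slapd.conf chain stanza quoted in the original post, together with the authzTo grant Michael describes on the master, as an added example that is neither poster's configuration. It assumes the chain overlay sits on the frontend database (olcDatabase={-1}frontend), that the master's global authz policy must permit authzTo (olcAuthzPolicy: to), and that the host and binddn are those from the quoted config; the credential is a placeholder.

```ldif
# Consumer side: cn=config equivalent of "overlay chain ..." from slapd.conf.
# Assumption: the overlay is attached to the frontend database.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE

# The chained "ldap" database under the overlay carries the chain-* options.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://tntest-ldap-master-1.example.com"
olcDbStartTLS: start
olcDbRebindAsUser: TRUE
# mode=self: the consumer binds as binddn and asserts the original client's
# identity to the master, so the master must authorize that assertion.
# PLACEHOLDER_PASSWORD stands in for the real credential.
olcDbIDAssertBind: bindmethod=simple binddn="uid=admin,dc=oreillyauto,dc=com" credentials="PLACEHOLDER_PASSWORD" mode=self

# Master side: enable authzTo evaluation (assumption: policy is not yet set).
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# Master side: let the asserting binddn act only as entries one level below
# ou=people that carry posixAccount (constructed to mirror the reply's URI;
# narrow the base and filter to the accounts that actually need write access).
dn: uid=admin,dc=oreillyauto,dc=com
changetype: modify
add: authzTo
authzTo: ldap:///ou=people,dc=oreillyauto,dc=com??one?(objectClass=posixAccount)
```

Apply the consumer records with ldapmodify against the consumer's cn=config and the master records against the master; the authzTo scope and filter are the control that bounds which identities the chaining account can assume.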
On Wed, Jul 17, 2013 at 3:44 PM, espeake@oreillyauto.com wrote:
openldap-technical@openldap.org