error in modifying subordinate entries - openldap-technical

27 Feb 2009


      Hi,
I want to establish communication between two ldap servers at different
machines.
For this i have used "ref attribute of ldap" by using this attribute, i am
able to retrieve
entries of second ldap server. Means i can read or search entries of second
server from
first ldap server.
But the problem comes when i want to modify any attribute of an entry of
second server
from the first server.
Definitely i am having some access permissions related error.
Here i am attaching slapd.conf files of both ldap servers.
*First Server* *slapd.conf:*
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/gfsUserManage.schema
include         /usr/local/etc/openldap/schema/gfsFileMetaData.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
# Sample access control policy:
#       Root DSE: allow anyone to write it
#       Subschema (sub)entry DSE: allow anyone to write it
#Other DSEs:
allow update_anon
#               Allow * write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
access to * by * write
#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=cdac,dc=in"
rootdn          "cn=Manager,dc=cdac,dc=in"
rootpw          secret
index   objectClass     eq
*access to * by * write*
--------------------------------------------------------------------------------------------------------------------------------
*Second server's slapd.conf:*
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/gfsUserManage.schema
include         /usr/local/etc/openldap/schema/gfsFileMetaData.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database        bdb
suffix          "dc=cdac,dc=in"
rootdn          "cn=Manager,dc=cdac,dc=in"
rootpw          secret
directory       /usr/local/var/gfsMetaData
index   objectClass     eq
*access to * by * write*
-----------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------
*FIRST LADP SERVER DN*:
fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
where *test_ref* is having *ref* attribute
dn: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
objectClass: referral
objectClass: extensibleObject
fn: test_ref
ref: ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in
*NOW SECOND LDAP SERVER is having DN*:
dn: fn=test1,fn=test_ref,dc=cdac,dc=in
Now i want to delete "*fn=test1,fn=test_ref,dc=cdac,dc=in*" this entry.
I have used ldap command line tool "*ldapdelete*" and executed this tool on
*first LDAP machine*.
Then the result of command is:
**[root@tapti LDIF]# ldapdelete -x -h "tapti" -D "cn=Manager,dc=cdac,dc=in"
"fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in" -w
"secret"
ldap_delete: Referral (10)
        matched DN: fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
        referrals:
                ldap://
192.168.5.243/fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in
*And slapd debug statements:*
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
...
...
...
dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>
<<< dnPrettyNormal: <cn=Manager,dc=cdac,dc=in>, <cn=manager,dc=cdac,dc=in>
do_bind: version=3 dn="cn=Manager,dc=cdac,dc=in" method=128
do_bind: v3 bind: "cn=Manager,dc=cdac,dc=in" to "cn=Manager,dc=cdac,dc=in"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
do_delete
ber_scanf fmt (m) ber:
...
...
...
dnPrettyNormal:
<fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
<<< dnPrettyNormal:
<fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>,
<fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in>
bdb_dn2entry("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
=>
bdb_dn2id("fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
(-30990)
bdb_referrals: op=74
target="fn=test1,fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
matched="fn=test_ref,fn=bioinfo,fn=gstorage,fn=gfs,dc=cdac,dc=in"
ldap_url_parse_ext(ldap://192.168.5.243/fn=test_ref,dc=cdac,dc=in)
send_ldap_result: conn=2 op=1 p=3
send_ldap_response: msgid=2 tag=107 err=10
ber_flush: 160 bytes to sd 11
connection_get(11): got connid=2
connection_read(11): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=2 sd=11 for close
connection_resched: attempting closing conn=2 sd=11
connection_close: conn=2 sd=11
*
-----------------------------------------------------------------------------------------------------------------------------------------
*
Please do me a favour suggest any solution as soon as possible through which
i can update slave ldap server entries from master ldap server.
-- 
Rakesh Yadav
Pune.