Hi,
I am trying to set up a chain overlay to allow writes to a read-only slave to be chained up to the master.
The closest ldif file I could figure out to update the cn=config directory was:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple binddn="cn=admin,dc=roessner-net,dc=de" credentials=********** mode=self
This works until I have to restart the slave ldap server because this is an invalid config.
Can anyone let me know an ldif file to set up the chain to the master? Or at least point me in the right direction.
Thanks,
Please try this patch ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch, posted some time ago in partial response to ITS#6540 and report. Thanks, p.
On 09/22/2010 06:47 AM, masarati@aero.polimi.it wrote:
[...]
Please try this patch ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch, posted some time ago in partial response to ITS#6540 and report. Thanks, p.
I will give the patch a try.
What is the patch doing? I am guessing it will fix the illegal configuration problem.
Should I use the configuration I gave above or should it be modified?
I will give the patch a try.
What is the patch doing? I am guessing it will fix the illegal configuration problem.
It comments out some braindead checks (I don't even remember what they were there for) that prevent reloading a valid configuration from cn=config. Consider that back-config support in back-ldap was added during the development of back-config itself, so some odd configuration cases that worked at that time might no longer be valid now.
Should I use the configuration I gave above or should it be modified?
The configuration should be fine; even the contents of the configuration database (back-config) should be valid. After applying the patch, slapd should restart fine, loading slapo-chain(5) as it is configured now.
p.
On 09/22/2010 07:27 AM, masarati@aero.polimi.it wrote:
[...]
The configuration should be fine; even the contents of the configuration database (back-config) should be valid. After applying the patch, slapd should restart fine, loading slapo-chain(5) as it is configured now.
p.
Hi,
I have applied the patch and now, after adding my config, I am able to restart slapd. The only problem now is that the chaining has stopped working. I am not sure why it worked before and not now. Will that patch be applied to future versions of OpenLDAP?
At this point I am trying to figure out the best way to take a config like:
overlay chain
chain-rebind-as-user FALSE

chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
 binddn="cn=Auth,dc=example,dc=com"
 credentials="secret"
 mode="self"

chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
 binddn="cn=Auth,dc=example,dc=com"
 credentials="secret"
 mode="none"
and properly add it to the cn=config directory.
Thanks,
Bram Cymet bcymet@cbnco.com writes:
[...]
At this point I am trying to figure out the best way to take a config like:
[...]
and properly add it to the cn=config directory.
In this particular case, overlay chain should be a global configuration, not a database-specific configuration. This is a working example:
<global configuration>
...
overlay chain
chain-uri ldap://some.host
chain-idassert-bind bindmethod=simple
 binddn="cn=replicator,o=avci,c=de"
 credentials="secret"
 mode=self
 flags=non-prescriptive
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start
 tls_cacert="/etc/openldap/certs/avciCA.pem"
 tls_reqcert=demand

database config
rootdn cn=config
syncrepl rid=042
 ...

database hdb
suffix o=avci,c=de
...
syncrepl rid=099
 ...
-Dieter
On 09/22/2010 05:52 PM, Dieter Kluenter wrote:
[...]
In this particular case, overlay chain should be a global configuration, not a database specific configuration. This is a working example:
[...]
Yes, I do want it to be a global configuration. However, what you have included above would go into the slapd.conf config file, correct? My setup uses the online config, where the config is stored in LDAP itself (well, really in flat files in /etc/openldap/slapd.d).
So what I need is an ldif file like the one that I had in my original post so that I can add the chain overlay properly.
Thanks,
--On Wednesday, September 22, 2010 6:21 PM -0400 Bram Cymet bcymet@cbnco.com wrote:
So what I need is an ldif file like the one that I had in my original post so that I can add the chain-overlay properly.
I suggest you get familiar with the slaptest utility, and/or using/manipulating LDIF. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
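As an added example (not posted by anyone in this thread), this is the cn=config form of the slapd.conf "overlay chain" snippet Bram quoted, placed under the frontend database so it is global as Dieter recommends; each chain-uri section becomes its own olcDatabase entry beneath the overlay, and the hostnames, DNs and credential are the placeholders from that snippet. Running slaptest -f slapd.conf -F slapd.d on the snippet, as Quanah suggests, generates the same entries with every defaulted attribute spelled out.

```ldif
# Added example: cn=config equivalent of the quoted slapd.conf chain snippet.
# The overlay hangs off the frontend database, i.e. it applies globally.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# Return the master's own result code to the client (chain-return-error TRUE
# in Dieter's example) so failed chained writes are not masked
olcChainReturnError: TRUE

# First chain-uri section: mode=self asserts the identity of the user who
# issued the write on the slave, so the master applies its ACLs to that user
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://ldap1.example.com"
olcDbIDAssertBind: mode=self bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret"
# chain-rebind-as-user TRUE followed this chain-uri in the snippet
olcDbRebindAsUser: TRUE

# Second chain-uri section: mode=none sends the operation as the binddn
# itself; rebind-as-user falls back to the snippet's global FALSE
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://ldap2.example.com"
olcDbIDAssertBind: mode=none bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret"
olcDbRebindAsUser: FALSE
```

Load it with ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif on the slave. The credentials value is written in cleartext into slapd.d, so that directory must stay readable by the slapd user only.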
openldap-technical@openldap.org