[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#7434) idassert-bind fails after restarting slapd
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7434) idassert-bind fails after restarting slapd
- From: hyc@symas.com
- Date: Sat, 7 Sep 2013 16:53:49 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
blance3459@hotmail.com wrote:
> Full_Name: Barry Lance
> Version: 2.4.28
> OS: Ubuntu 12.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (70.226.37.226)
It appears the submitter found an alternate solution, but just for future
reference this issue was the same as ITS#7381, now fixed in git master.
>
> Two servers: Master (192.168.1.1) and Replica (192.168.1.2) both running slap
> 2.4.28 and ubuntu 12.04. Replica is a replication partner of Master using
> syncrepl. Replication is working fine. When I attempt to add a chain overlay
> to Replica to send all writes over to the master, it works exactly as expected
> allowing both normal users and the rootdn to make appropriate changes. However,
> once I either reboot the replica server or restart slapd, the chain overlay
> fails to allow any changes on the master. Looking at syslog shows that before
> the reboot/restart the requesting users' dn is proxied over as expected. After
> the restarting slapd or rebooting Replica, all changes are proxied anonymously
> (dn="").
>
> I am using simple binds at this point in the project, but it doesn't seems to
> matter if I proxy in the clear, ldaps, or TLS the result is the same. All three
> methods can successfully negotiate a connection. I've even tried switching
> between using the rootdn and a different user as the binddn in my overlay, but
> the result is still the same no matter what I use for the binddn. When I look
> at my config, I notice that "chain-idassert-bind" appears to be hashed or
> encrypted in thew config. Is that normal? Just seems really odd that my config
> would work immediately when added, but fail after the the daemon has been
> restarted. Am I missing something really silly? Hopefully, someone can assist
> me on this. I've been driving myself crazy trying to figure out why this
> behavior is occurring.
>
> Disclaimer: I am using openldap as part of my capstone project for graduation.
> I'm not asking for anyone to do my "homework" for me, I'm just stuck on this one
> issue that I would love to resolve so I can move on to the Kerberos phase of my
> project (and maybe even study for an exam coming up in my algorithms class next
> week).
>
> Here is my overlay config using the rootDN and TLS (on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/";
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
> binddn="cn=admin,dc=example,dc=net"
> credentials=(secret)
> mode=self
> starttls=critical
> tls_cacert=/etc/ssl/certs/cacert.pem
> tls_reqcert=demand
>
> And without TLS (also on Replica):
>
> dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend, cn=config
> changetype: add
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: "ldap://master.example.net/";
> olcDbRebindAsUser: TRUE
> olcDbIDAssertBind: bindmethod=simple
> binddn="cn=admin,dc=example,dc=net"
> credentials=(secret)
> mode=self
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/