
Netscape roaming && OpenLDAP 2.0.23



I'm trying to get roaming to work with 2.0. It worked fine with 1.2.11, but I never
got around to getting it to work with 2.0 when I upgraded some time ago (almost a year?).

This is what I get in the logs:
----- s n i p -----
Apr 10 14:47:44 papadoc slapd[20683]: conn=115 op=25 ADD dn="NSLIELEMENTTYPE=LIPREFS,NSLIPROFILENAME=TURBO,UID=TURBO,OU=PEOPLE,DC=PAPADOC,DC=BAYOUR,DC=COM" 
Apr 10 14:47:44 papadoc slapd[20683]: conn=115 op=25 RESULT tag=105 err=20 text=attribute provided more than once 
Apr 10 14:47:44 papadoc slapd[20684]: conn=115 op=26 SRCH base="nsLIElementType=Appartements_2.na2,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com" scope=0 filter="(objectClass=*)" 
Apr 10 14:47:44 papadoc slapd[20684]: conn=115 op=26 RESULT tag=101 err=32 text= 
----- s n i p -----

It took a while to get the ACLs in order, but these are what I have now:
----- s n i p -----
# Give access to roaming parent...
access to dn="nsliProfileName=(.*),uid=(.*)"
        by dn="cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com" write
        by dn="uid=turbo.+\+realm=BAYOUR.COM" write
        by dn="uid=$1.+\+realm=BAYOUR.COM" write
        by dnattr=owner write
        by * none

# Give access to the actual roaming dn
access to dn=".*,nsliProfileName=(.*),uid=(.*)"
        by dn="cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com" write
        by dn="uid=turbo.+\+realm=BAYOUR.COM" read
        by dn="uid=$1.+\+realm=BAYOUR.COM" write
        by dnattr=owner write
        by * none
----- s n i p -----

With these I can add/delete/modify the nsliProfileName object _AND_ everything
beneath it with both SASL and simple binds. To make sure that netscape 'ignored'
the modifiersName, modifyTimestamp, creatorsName and createTimestamp, I set the
system clock to 1990, added all the 'top' objects (nsliProfileName=*), and synced
the clock again. That way netscape is BOUND to find the LDAP object(s) old, so
an upload is forced. This worked with 1.2 at least... :)

Now 'err=32' I interpret as LDAP_INSUFFICIENT_ACCESS (?), but why do I get this?

As proven below, both SASL and simple bind work, by using -D, -W and -U with ldap(add|delete),
but when netscape is doing it, I get the 'err=32' above. Also, the 'attribute provided more than once'
is disturbing. I've tried running slapd with '-d -1', but I got so much irrelevant information
that it was hard to find anything useful...

----- s n i p -----
[papadoc.pts/4]$ cat <<EOF | ldapadd -x -D "uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com" -W
> dn: nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> nsLIData: jfkdlas
> nsLIElementType: bookmarks
> owner: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> objectClass: nsLIProfileElement
> nsLIVersion: 1
> EOF
Enter LDAP Password: 
adding new entry "nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"
[papadoc.pts/4]$ ldapdelete -x -D "uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com" -W "nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"
Enter LDAP Password: 
[papadoc.pts/4]$ klist 
Ticket cache: FILE:/home/fredriksson/turbo/.krb5_cache
Default principal: turbo@BAYOUR.COM

Valid starting     Expires            Service principal
04/10/02 14:45:19  04/10/02 18:45:19  krbtgt/BAYOUR.COM@BAYOUR.COM
04/10/02 14:45:20  04/10/02 18:45:19  ldap/papadoc.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[papadoc.pts/4]$ cat <<EOF | ldapadd -U turbo
> dn: nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> nsLIData: jfkdlas
> nsLIElementType: bookmarks
> owner: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> objectClass: nsLIProfileElement
> nsLIVersion: 1
> EOF
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
adding new entry "nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"
[papadoc.pts/4]$ ldapdelete nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
[papadoc.pts/4]$ 
----- s n i p -----

And just for the record, I tried LDAPv2, worked fine:
----- s n i p -----
[papadoc.pts/4]$ cat <<EOF | ldapadd -P 2 -x -D "uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com" -W
> dn: nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> nsLIData: jfkdlas
> nsLIElementType: bookmarks
> owner: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
> objectClass: nsLIProfileElement
> nsLIVersion: 1
> EOF
Enter LDAP Password:
adding new entry "nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"

[papadoc.pts/4]$ 
----- s n i p -----
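An added example in Python (not part of the original post, and not OpenLDAP code) that does two things with the material above: it pairs the request and RESULT lines of the log excerpt by conn/op and names the `err=` values from the LDAP resultCode table (20 = attributeOrValueExists, 32 = noSuchObject, 50 = insufficientAccessRights), and it emulates how the two ACLs in the post are evaluated for a given target DN and bind DN, including the `$1` substitution into the `by dn=` patterns. The emulation assumes slapd's regex handling as follows: `dn=` patterns are compiled as extended, case-insensitive regexes and matched unanchored unless the pattern carries `^`/`$`; the first `access to` whose target pattern matches the entry DN is the one used; and within it the first matching `by` clause decides. Check those assumptions against slapd.access(5) for the version in use. The log lines are copied from the post; the entry's `owner` value comes from the post's LDIF; the non-owner bind DN is constructed.

```python
import re

# Added example, not code from the original post or from OpenLDAP.

# LDAP resultCode values (RFC 4511) seen or mentioned in the post.
LDAP_RESULT_NAMES = {
    0: "success",
    20: "attributeOrValueExists",
    32: "noSuchObject",
    50: "insufficientAccessRights",
}

# Log lines copied from the post (slapd "stats" logging).
SAMPLE_LOG = [
    'Apr 10 14:47:44 papadoc slapd[20683]: conn=115 op=25 ADD dn="NSLIELEMENTTYPE=LIPREFS,NSLIPROFILENAME=TURBO,UID=TURBO,OU=PEOPLE,DC=PAPADOC,DC=BAYOUR,DC=COM"',
    'Apr 10 14:47:44 papadoc slapd[20683]: conn=115 op=25 RESULT tag=105 err=20 text=attribute provided more than once',
    'Apr 10 14:47:44 papadoc slapd[20684]: conn=115 op=26 SRCH base="nsLIElementType=Appartements_2.na2,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com" scope=0 filter="(objectClass=*)"',
    'Apr 10 14:47:44 papadoc slapd[20684]: conn=115 op=26 RESULT tag=101 err=32 text=',
]

LOG_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$")


def parse_slapd_log(lines):
    """Pair each request with its RESULT line on (conn, op); name the err code."""
    ops = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        if m["kind"] == "RESULT":
            err = int(re.search(r"err=(\d+)", m["rest"]).group(1))
            rec["err"] = err
            rec["err_name"] = LDAP_RESULT_NAMES.get(err, "resultCode %d" % err)
            rec["text"] = re.search(r"text=(.*)$", m["rest"]).group(1).strip()
        else:
            rec["kind"] = m["kind"]
            dn = re.search(r'(?:dn|base)="([^"]*)"', m["rest"])
            rec["dn"] = dn.group(1) if dn else ""
    return [ops[k] for k in sorted(ops)]


# The two ACLs from the post as (target_regex, [(who, access), ...]).
ACLS = [
    (r"nsliProfileName=(.*),uid=(.*)", [
        ("dn:cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com", "write"),
        (r"dn:uid=turbo.+\+realm=BAYOUR.COM", "write"),
        (r"dn:uid=$1.+\+realm=BAYOUR.COM", "write"),
        ("dnattr:owner", "write"),
        ("*", "none"),
    ]),
    (r".*,nsliProfileName=(.*),uid=(.*)", [
        ("dn:cn=admin,ou=People,dc=papadoc,dc=bayour,dc=com", "write"),
        (r"dn:uid=turbo.+\+realm=BAYOUR.COM", "read"),
        (r"dn:uid=$1.+\+realm=BAYOUR.COM", "write"),
        ("dnattr:owner", "write"),
        ("*", "none"),
    ]),
]


def expand_by_pattern(target_re, target_dn, by_pattern):
    """Replace $1..$9 in a 'by dn=' pattern with the groups captured from the target DN."""
    tm = re.search(target_re, target_dn, re.IGNORECASE)  # assumption: unanchored, REG_ICASE
    if not tm:
        return None
    return re.sub(r"\$(\d)", lambda g: tm.group(int(g.group(1))), by_pattern)


def evaluate_acl(acls, target_dn, bind_dn, entry_attrs):
    """Use the first 'access to' whose target regex matches target_dn; within it the
    first 'by' clause matching bind_dn decides. Returns (acl_index, who, access)."""
    for idx, (target_re, by_clauses) in enumerate(acls):
        if not re.search(target_re, target_dn, re.IGNORECASE):
            continue
        for who, access in by_clauses:
            if who == "*":
                return idx, who, access
            if who.startswith("dnattr:"):  # bind DN must equal a value of that attribute in the entry
                values = entry_attrs.get(who[len("dnattr:"):], [])
                if any(v.lower() == bind_dn.lower() for v in values):
                    return idx, who, access
            elif who.startswith("dn:"):
                pat = expand_by_pattern(target_re, target_dn, who[len("dn:"):])
                if re.search(pat, bind_dn, re.IGNORECASE):
                    return idx, who, access
        return idx, None, "none"  # target matched but no 'by' clause did
    return None, None, "none"     # no ACL targets this DN


# Entry and DNs from the post's LDIF; OTHER_DN is a constructed non-owner.
ELEMENT_DN = "nsLIElementType=bookmarks,nsLIProfileName=turbo,uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"
OWNER_DN = "uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com"
OTHER_DN = "uid=someone,ou=People,dc=papadoc,dc=bayour,dc=com"
ENTRY = {"owner": [OWNER_DN]}

if __name__ == "__main__":
    for rec in parse_slapd_log(SAMPLE_LOG):
        print("op=%d %-5s err=%d (%s) dn=%s" % (rec["op"], rec["kind"], rec["err"], rec["err_name"], rec["dn"]))
    for who in (OWNER_DN, OTHER_DN):
        print(who, "->", evaluate_acl(ACLS, ELEMENT_DN, who, ENTRY))
    print(expand_by_pattern(ACLS[1][0], ELEMENT_DN, r"uid=$1.+\+realm=BAYOUR.COM"))
```

Under the stated assumptions, running the script shows the simple-bind owner reaching `write` through the `dnattr=owner` clause and a non-owner falling through to `by * none`; it also shows that, because the first ACL's target pattern is unanchored, it matches the element DNs beneath the profile as well, so the second ACL is only consulted for DNs the first does not match.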