[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back-meta ignoring binddn ?

To: ando@sys-net.it
Subject: Re: back-meta ignoring binddn ?
From: Tom Riddle <ftr@highstreetnetworks.com>
Date: Tue, 18 Nov 2003 17:35:09 -0500
Cc: openldap-software@OpenLDAP.org
In-reply-to: <63416.81.72.89.40.1069184570.squirrel@webmail.sys-net.it>
References: <3FBA52C7.4020009@highstreetnetworks.com> <63392.81.72.89.40.1069179512.squirrel@webmail.sys-net.it> <3FBA6E8A.9090505@highstreetnetworks.com> <63416.81.72.89.40.1069184570.squirrel@webmail.sys-net.it>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312

Pierangelo Masarati wrote:

Sorry, I meant back-ldap.  You should try to stack
subordinate back-ldap instances on your proxy server
to exploit back-ldap auth proxying capability.

I tried that with the same results.  Now I have:

serverA:
database ldap
suffix "ou=siteB,o=XYZ"
uri ldap://serverB
subordinate
lastmod off

database ldap
suffix "ou=siteC,o=XYZ"
uri ldap://serverC
subordinate
lastmod off

database    ldbm
suffix      "o=XYZ"
rootdn      "cn=admin,ou=People,o=XYZ"
rootpw      ...
directory   /var/lib/ldap
index   objectClass eq
index   cn      eq,subinitial


serverB & serverC
database ldbm
suffix "ou=siteB,o=XYZ"
rootdn "cn=admin,ou=People,ou=siteB,o=XYZ"
rootpw ...
#subordinate
directory /var/lib/ldap
index objectClass eq
index cn eq,subinitial

database ldap
suffix "o=XYZ"
uri ldap://serverA
lastmod off

If I go through the proxy I get: % ldapsearch -x -W -D "cn=duser2,ou=People,ou=siteB,o=XYZ" -b 'o=XYZ' -s sub -LLL -H ldap://serverA

<<< dnPrettyNormal: <cn=duser2,ou=People,ou=siteB,o=XYZ>, <cn=duser2,ou=people,ou=siteb,o=xyz> do_bind: version=3 dn="cn=duser2,ou=People,ou=siteB,o=XYZ" method=128 conn=0 op=0 BIND dn="cn=duser2,ou=People,ou=siteB,o=XYZ" method=128 send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 conn=0 op=0 RESULT tag=97 err=0 text= do_bind: v3 anonymous bind

If I go directly to serverC I get % ldapsearch -x -W -D "cn=duser2,ou=People,ou=siteB,o=XYZ" -b 'ou=siteC,o=XYZ' -s sub -LLL -H ldap://serverC

<<< dnPrettyNormal: <cn=duser2,ou=People,ou=siteB,o=XYZ>, <cn=duser2,ou=people,ou=siteb,o=xyz> do_bind: version=3 dn="cn=duser2,ou=People,ou=siteB,o=XYZ" method=128 conn=0 op=0 BIND dn="cn=duser2,ou=People,ou=siteB,o=XYZ" method=128 =>ldap_back_getconn: conn 0 inserted rw> bindDn: "cn=duser2,ou=People,ou=siteB,o=XYZ" -> "cn=duser2,ou=People,ou=siteB,o=XYZ" conn=0 op=0 BIND dn="cn=duser2,ou=People,ou=siteB,o=XYZ" mech=simple ssf=0 do_bind: v3 bind: "cn=duser2,ou=People,ou=siteB,o=XYZ" to "cn=duser2,ou=People,ou=siteB,o=XYZ" send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 conn=0 op=0 RESULT tag=97 err=0 text=

If I uncomment the subordinate line at serverB & serverC then ldapsearch hangs forever (circular reference ?) I also tried putting in a back-ldap entry in serverB for serverC and vis-versa but got the same result.

Thanks,
Tom

--
Tom Riddle
HighStreet Networks
www.highstreetnetworks.com

References:
- back-meta ignoring binddn ?
  - From: Tom Riddle <ftr@highstreetnetworks.com>
- Re: back-meta ignoring binddn ?
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: back-meta ignoring binddn ?
  - From: Tom Riddle <ftr@highstreetnetworks.com>
- Re: back-meta ignoring binddn ?
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: Net::LDAP and GSSAPI authentication
Next by Date: Re: Net::LDAP and GSSAPI authentication
Index(es):
- Chronological
- Thread