Re: multiple databases (subordinate) and subschemaSubentry

[Howard Chu <hyc@symas.com>]

Sebastian Guarino wrote:
> Oops. I haven't tried the same rootdn without password on the 
> subordinate suffix.
> Thanks, it worked.
Note that the slapd.conf(5) manpage says explicitly that all subordinate 
DBs should have the same rootdn as the parent DB. We write these things 
for a reason...
> Sebastian Guarino.
>
> Michael Eichenberger wrote:
>
> > Hi Sebastian
> >
> > I've got more or less the same setup, but I've got the same rootdn 
> > for all the backend's and the rootpw is only mentioned once (the last 
> > database definition). I then access the databases with different 
> > users, working with ACL's.
> >
> > See the end of the mail for my example setup.
> >
> > > I have a configuration with two databases like this (one inside the 
> > > other)
> > >
> > > database        bdb
> > > subordinate
> > > suffix          "ou=other,o=org,c=ar"
> > > rootdn          "cn=Manager,ou=other,c=org,c=ar"
> > > rootpw          secret
> > > directory       /var/db/openldap-data/other
> > > lastmod on
> > >
> > > database        bdb
> > > suffix          "o=org,c=ar"
> > > rootdn          "cn=Manager,o=org,c=ar"
> > > rootpw          pepe00
> > > directory       /var/db/openldap-data
> > > lastmod on
> > >
> > > When I activate the first database (the subordinate one) then I 
> > > can't search the subschemaSubentry. (0 entries)
> > > The schemas can only be searched if I bind with the manager password 
> > > of the subordinate suffix and not the one from the upper suffix.
> >
> >
> > #############################
> > # ou=administration,o=stepping-stone,c=ch
> > #############################
> > database        hdb
> > suffix          "ou=administration,o=stepping-stone,c=ch"
> > rootdn          "cn=Manager,o=stepping-stone,c=ch"
> > subordinate
> > directory       /var/lib/openldap-hdb/stepping-stone/administration
> > index   objectClass pres,eq
> > index   entryUUID eq
> >
> > access to 
> > dn.regex="cn=(.+),ou=people,ou=administration,o=stepping-stone,c=ch$"
> >  attr=userpassword
> >  by 
> > dn.regex="cn=$1,ou=people,ou=administration,o=stepping-stone,c=ch" write
> >  by anonymous auth
> >  by * none
> >
> > #############################################
> > # ou=storage,ou=service,o=stepping-stone,c=ch
> > #############################################
> > database        hdb
> > suffix          "ou=storage,ou=service,o=stepping-stone,c=ch"
> > rootdn          "cn=Manager,o=stepping-stone,c=ch"
> > subordinate
> >
> > directory       /var/lib/openldap-hdb/stepping-stone/service/storage
> > index           objectClass     pres,eq
> > index           cn,uid          eq
> > index           entryUUID       eq
> > index           uidNumber       eq
> > index           gidNumber       eq
> >
> > access to dn.subtree="ou=storage,ou=service,o=stepping-stone,c=ch"
> >  by 
> > group/groupOfUniqueNames/uniqueMember="cn=storage,ou=group,ou=administration,o=stepping-stone,c=ch" 
> > read
> >
> > ###########
> > # MAIN TREE
> > ###########
> > database        hdb
> > suffix          "o=stepping-stone,c=ch"
> > rootdn          "cn=Manager,o=stepping-stone,c=ch"
> > rootpw          gugus
> > directory       /var/lib/openldap-hdb/stepping-stone
> >
> > I know, it doesn't really answer your question, but it works.
> >
> > Kind regards, Michael


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/