
Re: multiple databases (subordinate) and subschemaSubentry



Sebastian Guarino wrote:
Oops. I haven't tried the same rootdn without password on the subordinate suffix.
Thanks, it worked.
Note that the slapd.conf(5) manpage says explicitly that all subordinate DBs should have the same rootdn as the parent DB. We write these things for a reason...

Sebastian Guarino.

Michael Eichenberger wrote:

Hi Sebastian

I've got more or less the same setup, but I've got the same rootdn for all the backends and the rootpw is only mentioned once (in the last database definition). I then access the databases with different users, working with ACLs.

See the end of the mail for my example setup.

I have a configuration with two databases like this (one inside the other):

database        bdb
subordinate
suffix          "ou=other,o=org,c=ar"
rootdn          "cn=Manager,ou=other,c=org,c=ar"
rootpw          secret
directory       /var/db/openldap-data/other
lastmod on

database        bdb
suffix          "o=org,c=ar"
rootdn          "cn=Manager,o=org,c=ar"
rootpw          pepe00
directory       /var/db/openldap-data
lastmod on

When I activate the first database (the subordinate one) then I can't search the subschemaSubentry. (0 entries)
The schemas can only be searched if I bind with the manager password of the subordinate suffix and not the one from the upper suffix.


#############################
# ou=administration,o=stepping-stone,c=ch
#############################
database        hdb
suffix          "ou=administration,o=stepping-stone,c=ch"
rootdn          "cn=Manager,o=stepping-stone,c=ch"
subordinate
directory       /var/lib/openldap-hdb/stepping-stone/administration
index   objectClass pres,eq
index   entryUUID eq

access to dn.regex="cn=(.+),ou=people,ou=administration,o=stepping-stone,c=ch$"
attr=userpassword
by dn.regex="cn=$1,ou=people,ou=administration,o=stepping-stone,c=ch" write
by anonymous auth
by * none


#############################################
# ou=storage,ou=service,o=stepping-stone,c=ch
#############################################
database        hdb
suffix          "ou=storage,ou=service,o=stepping-stone,c=ch"
rootdn          "cn=Manager,o=stepping-stone,c=ch"
subordinate

directory       /var/lib/openldap-hdb/stepping-stone/service/storage
index           objectClass     pres,eq
index           cn,uid          eq
index           entryUUID       eq
index           uidNumber       eq
index           gidNumber       eq

access to dn.subtree="ou=storage,ou=service,o=stepping-stone,c=ch"
by group/groupOfUniqueNames/uniqueMember="cn=storage,ou=group,ou=administration,o=stepping-stone,c=ch" read


###########
# MAIN TREE
###########
database        hdb
suffix          "o=stepping-stone,c=ch"
rootdn          "cn=Manager,o=stepping-stone,c=ch"
rootpw          gugus
directory       /var/lib/openldap-hdb/stepping-stone

I know, it doesn't really answer your question, but it works.

Kind regards, Michael

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
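The rule Howard points to (every subordinate database must carry the same rootdn as the database it glues into) is easy to lint before slapd is restarted. The following Python is an added example for this thread, not code from OpenLDAP or from anyone on the list; it parses a constructed slapd.conf modelled on Sebastian's original and flags each subordinate whose rootdn differs from its parent's.

```python
# Constructed slapd.conf sample modelled on the thread: the subordinate's
# rootdn differs from the parent's, which slapd.conf(5) says must not happen.
BAD_CONF = """
database        bdb
subordinate
suffix          "ou=other,o=org,c=ar"
rootdn          "cn=Manager,ou=other,o=org,c=ar"
rootpw          secret
directory       /var/db/openldap-data/other

database        bdb
suffix          "o=org,c=ar"
rootdn          "cn=Manager,o=org,c=ar"
rootpw          pepe00
directory       /var/db/openldap-data
"""

def parse_databases(conf):
    """Split slapd.conf text into one dict (directive -> value) per database section."""
    dbs = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":
            dbs.append({"database": val})
        elif dbs:
            dbs[-1][key] = val          # directives before the first 'database' are global
    return dbs

def norm_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare sanely."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent_of(db, dbs):
    """Return the database whose suffix is the longest proper parent of db's suffix."""
    suffix = norm_dn(db.get("suffix", ""))
    parents = [o for o in dbs if o is not db and suffix.endswith("," + norm_dn(o.get("suffix", "")))]
    return max(parents, key=lambda o: len(o["suffix"]), default=None)

def check_subordinates(conf):
    """Return problem strings for every subordinate with a missing parent or a mismatched rootdn."""
    dbs = parse_databases(conf)
    problems = []
    for db in (d for d in dbs if "subordinate" in d):
        parent = parent_of(db, dbs)
        if parent is None:
            problems.append(f"{db['suffix']}: subordinate but no parent database found")
        elif norm_dn(db.get("rootdn", "")) != norm_dn(parent.get("rootdn", "")):
            problems.append(f"{db['suffix']}: rootdn differs from parent {parent['suffix']}")
    return problems
```

Against Michael's configuration, where all three databases share cn=Manager,o=stepping-stone,c=ch, the check returns an empty list.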