[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Globally instantiated Chaining Overlay makes subschemaSubentry Attribute vanish from ldapsearches
Hi list,
I encountered the following phenomenon when experimenting with a globally
instantiated chaining overlay for automatic update referral chasing:
Issueing the following ldapsearch without the overlay instantiated gave
the expected results:
> ldapsearch -D "uid=<xxx>,ou=cno-ldc,ou=people,dc=o2online,dc=de" -b ""
-s base -WxZZLLL "*" "+"
Enter LDAP Password:
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=o2online,dc=de
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
entryDN:
subschemaSubentry: cn=Subschema
After uncommenting the chain directives from my LDAP server's slapd.conf
and running the same ldapsearch again the subschemaSubentry was no longer
included in the ldapsearch output:
> ldapsearch -D "uid=<xxx>,ou=cno-ldc,ou=people,dc=o2online,dc=de" -b ""
-s base -WxZZLLL "*" "+"
Enter LDAP Password:
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
[... same as above ;) ...]
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
I'm using OL 2.3.20 + DBD 4.2.52 with the 4 Patches on RHES30.
Here's an excerpt of my slapd.conf containing the relevant information:
access to attrs=userPassword
by self write
by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write
by dn.exact="cn=syncreader,dc=o2online,dc=de" read
by anonymous auth
access to attrs=shadowLastChange
by self write
by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write
by * read
access to *
by dn.children="ou=CNO-LDC,ou=People,dc=o2online,dc=de" write
by * read
...
# Chainig overlay for automatic referral chasing (global so it affects
updaterefs!)
overlay chain
chain-uri "ldap://<master ip>:389"
chain-idassert-bind bindmethod=simple binddn="<rootdn>"
credentials=<rootpw> mode=self
chain-tls start
#######################################################################
# BDB database definitions
#######################################################################
database bdb
...
As you can see the user I used to bind to the server has the proper access
(to * write). The same thing happens when I use the rootdn, though. So I
doubt it's an ACL issue.
I know the chain-idassert-bind is a little dirty because I'm using the
rootdn, but this is just my testenvironment. First I want to get it up and
running with an as simple as possible configuration.
So is this behavior intended, a bug/feature or simply some
misconfiguration on my side.
Any help yould be much apreciated.
Thanks and kind regards,
Michael Heep