[Date Prev][Date Next] [Chronological] [Thread] [Top]

Chain Overlay and Syncrepl

To: openldap-software@openldap.org
Subject: Chain Overlay and Syncrepl
From: "Scott Sanders" <lists@jssjr.com>
Date: Tue, 8 May 2007 11:19:59 -0400

Hello all,

I am having problems with chasing referrals on my slave OpenLDAP server. I feel like I'm repeating an older thread here, but despite everything I have read I cannot find a solution.

My setup is as follows:
Both the master and the slave are OpenLDAP 2.3.32 builds with the follwing configure parameters,
LD_LIBRARY_PATH="/usr/local/lib" ./configure --prefix=/usr/local --disable-ipv6 --with-tls --enable-dynamic --enable-slapd --enable-modules --enable-crypt --enable-bdb --enable-rewrite --enable-backends=yes --enable-rlookups --disable-shell --disable-sql --enable-overlays=yes --enable-slurpd=yes
At the end of the email, I have attached both the master and the slave slapd.conf.

The problem is that when I attempt an ldapadd against the slave server, I am returned a referral instead of having the slave forward the request to the master. I see no attempt to contact the master server in either the slave or master logs. Nor do I see any traffic between the two (other than syncrepl stuff) in a tcpdump. As far as I can tell the chain overlay is being ignored entirely.

Any suggestions or fixes would be greatly appreciated.

- Scott Sanders

############################################
# Master slapd.conf -- ldap://info.domain.com:389
############################################
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

password-hash {ssha}

security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile    /usr/local/etc/openldap/security/ldap-master.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-master.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow

limits dn.exact="cn=syncuser,dc=domain,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

access to attrs=userPassword
        by self write
        by dn="cn=admin,dc=domain,dc=com" write
        by dn="cn=syncuser,dc=domain,dc=com" read
        by * auth

access to *
        by dn="cn=admin,dc=domain,dc=com" write
        by dn="cn=syncuser,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" read
        by * read

database hdb
suffix cn=accesslog
directory /usr/local/var/openldap-accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T2JGZSB3Q2x57s/O
directory       /usr/local/var/openldap-data
index   objectClass     eq
index entryCSN eq
index entryUUID eq

overlay syncprov
syncprov-checkpoint 1000 60

overlay accesslog
logdb cn=accesslog
logops writes
logsuccess true
logpurge 07+00:00 01+00:00

############################################
# Slave slapd.conf -- ldap://arch.domain.com
############################################
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

password-hash {ssha}

security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile    /usr/local/etc/openldap/security/ldap-slave.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-slave.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow

access to attrs=userPassword
        by self write
        by dn="cn=admin,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" write
        by * auth

access to *
        by dn="cn=admin,dc=domain,dc=com" read
        by dn="cn=syncuser,dc=domain,dc=com" write
        by * read

database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"
rootpw          {SSHA}T2JGZkB3Q2x57s/O
overlay         chain
chain-uri       ldap://info.domain.com:389
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=simple
                        binddn="cn=admin,dc=domain,dc=com"
                        credentials=secret
                        mode=self
directory       /usr/local/var/openldap-data
index   objectClass     eq
index entryUUID eq

syncrepl        rid=0
                provider=ldap://info.domain.com:389
                starttls=yes
                bindmethod=simple
            binddn="cn=syncuser,dc=domain,dc=com"
                credentials=secretsyncpasswd
                searchbase="dc=domain,dc=com"
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                schemaChecking=on
                type=refreshAndPersist
                retry="60 +"
                syncdata=accesslog

updateref       ldap://info.domain.com:389

Follow-Ups:
- Re: Chain Overlay and Syncrepl
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Fwd: rewrite rule - turn groupOfNames into posixGroup
Next by Date: Re: Fwd: rewrite rule - turn groupOfNames into posixGroup
Index(es):
- Chronological
- Thread