[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Chain Overlay and Syncrepl
Hello all,
I am having problems with chasing referrals on my slave OpenLDAP server. I feel like I'm repeating an older thread here, but despite everything I have read I cannot find a solution.
My setup is as follows:
Both the master and the slave are OpenLDAP 2.3.32 builds with the follwing configure parameters,
LD_LIBRARY_PATH="/usr/local/lib" ./configure --prefix=/usr/local --disable-ipv6 --with-tls --enable-dynamic --enable-slapd --enable-modules --enable-crypt --enable-bdb --enable-rewrite --enable-backends=yes --enable-rlookups --disable-shell --disable-sql --enable-overlays=yes --enable-slurpd=yes
At the end of the email, I have attached both the master and the slave slapd.conf.
The problem is that when I attempt an ldapadd against the slave server, I am returned a referral instead of having the slave forward the request to the master. I see no attempt to contact the master server in either the slave or master logs. Nor do I see any traffic between the two (other than syncrepl stuff) in a tcpdump. As far as I can tell the chain overlay is being ignored entirely.
Any suggestions or fixes would be greatly appreciated.
- Scott Sanders
############################################
# Master slapd.conf -- ldap://info.domain.com:389
############################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
password-hash {ssha}
security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile /usr/local/etc/openldap/security/ldap-master.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-master.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow
limits
dn.exact="cn=syncuser,dc=domain,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
access to attrs=userPassword
by self write
by dn="cn=admin,dc=domain,dc=com" write
by dn="cn=syncuser,dc=domain,dc=com" read
by * auth
access to *
by dn="cn=admin,dc=domain,dc=com" write
by dn="cn=syncuser,dc=domain,dc=com" read
by dn="cn=syncuser,dc=domain,dc=com" read
by * read
database hdb
suffix cn=accesslog
directory /usr/local/var/openldap-accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZSB3Q2x57s/O
directory /usr/local/var/openldap-data
index objectClass eq
index entryCSN eq
index entryUUID eq
overlay syncprov
syncprov-checkpoint 1000 60
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess true
logpurge 07+00:00 01+00:00
############################################
# Slave slapd.conf -- ldap://arch.domain.com
############################################
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
password-hash {ssha}
security tls=1
TLSCACertificateFile /etc/pki/CA/cacert.pem
TLSCACertificatePath /etc/pki/CA
TLSCertificateFile /usr/local/etc/openldap/security/ldap-slave.crt
TLSCertificateKeyFile /usr/local/etc/openldap/security/ldap-slave.key
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSVerifyClient allow
access to attrs=userPassword
by self write
by dn="cn=admin,dc=domain,dc=com" read
by dn="cn=syncuser,dc=domain,dc=com" write
by * auth
access to *
by dn="cn=admin,dc=domain,dc=com" read
by dn="cn=syncuser,dc=domain,dc=com" write
by * read
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=admin,dc=domain,dc=com"
rootpw {SSHA}T2JGZkB3Q2x57s/O
overlay chain
chain-uri ldap://info.domain.com:389
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
binddn="cn=admin,dc=domain,dc=com"
credentials=secret
mode=self
directory /usr/local/var/openldap-data
index objectClass eq
index entryUUID eq
syncrepl rid=0
provider=ldap://info.domain.com:389
starttls=yes
bindmethod=simple
binddn="cn=syncuser,dc=domain,dc=com"
credentials=secretsyncpasswd
searchbase="dc=domain,dc=com"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemaChecking=on
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
updateref ldap://info.domain.com:389