Re: database meta question
"D'Arcy Smith" <ds.bcit@gmail.com> writes:
> On 8/25/07, Pierangelo Masarati <ando@sys-net.it> wrote:
>> D'Arcy Smith wrote:
>
>> > I am having a terrible time trying to get the meta backend to work
>> > with my setup. If I do not have meta, things work as expected. As
>> > soon as I add the meta backend, things go south.
>
>> What version of OpenLDAP are you using?
>
> 2.3.35
>
>
>> ^^^ extra cruft after "#" (included) is invalid, as clearly indicated in
>> slapd.conf(5). This is treated as an error in OpenLDAP 2.4 (finally!)
>
> Good I like it when errors are treated as errors!
>
> after some more searching around I now have this:
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
>
> password-hash {ssha}
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> modulepath /usr/lib64/openldap/openldap
> moduleload back_null.so
> moduleload back_meta.so
>
> database ldap
> suffix "o=aaa.yyy.zzz,o=bcit"
> uri ldap://aaa.yyy.zzz:389
>
> idassert-authzFrom "dn:*"
> idassert-bind bindmethod=simple
> binddn="uid=******,ou=people,o=aaa.yyy.zzz,o=yyy"
> credentials="******"
> mode=none
>
> database bdb
> suffix "o=bbb.yyy.zzz,o=bcit"
> rootdn "cn=Manager,o=bbb.yyy.zzz,o=yyy"
> rootpw {SSHA}******
> checkpoint 32 30
> directory /var/lib/openldap-data
> index objectClass eq
>
> database meta
> suffix "dc=yyy,dc=zzz"
> uri ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
> suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
> uri ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
> suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"
>
> What I am after is having it so that users that exist in the
> "aaa.yyy.zzz" LDAP server (that I have no control over) can
> authenticate, users in the "bbb.yyy.zzz" LDAP server (that I do
> control) can authenticate, and that the groups in the "bbb.yyy.zzz",
> which contain users from both "aaa" and "bbb" are able to
> authenticate. Authenticate right now means can access apache via
> authnzldap.
>
> Running "/usr/lib64/openldap/slapd -d -{any level}" doesn't seem to
> issue any objections, and my testing works (users from both "aaa" and
> "bbb" can log in either by user or by group).
>
> If I run "slaptest -f /etc/openldap/slapd.conf -F
> /etc/openldap/slapd.d" -d {any level} I get:
>
> WARNING: No dynamic config support for database meta.
> WARNING: The converted cn=config directory is incomplete and may not work.
> config file testing succeeded
>
> I cannot spot any errors that it is giving me in the config.
>
> then running "/usr/lib64/openldap/slapd -d -{any level}" doesn't work
> (it does work if I delete the files in the /etc/openldap/slapd.d
> directory).
>
> For example (with -d 64):
>
> @(#) $OpenLDAP: slapd 2.3.35 (Aug 23 2007 11:00:09) $
> root@foo:/var/tmp/portage/net-nds/openldap-2.3.35-r1/work/openldap-2.3.35/servers/slapd
> loaded module back_null.so
> module back_null.so: null module registered
> loaded module back_meta.so
> module back_meta.so: null module registered
> index objectClass 0x0004
> meta_back_db_open: no targets defined
> backend_startup_one: bi_db_open failed! (1)
> slapd stopped.
> connections_destroy: nothing to destroy.
You have not defined a config database in slapd.conf but created a
slapd.d directory, so just run slapd with the -f <path/to/slapd.conf>
parameter; see slapd(8).
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
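The startup failure quoted above ("meta_back_db_open: no targets defined") is what back-meta reports when a meta database is opened without a single uri target, which is exactly what is lost when the 2.3 slaptest conversion drops directives it has no dynamic-config support for. As an added example (not code from the thread or from OpenLDAP), this Python linter splits a slapd.conf into database blocks and checks that every database has a suffix, that every meta database has at least one uri, that each suffixmassage follows a uri, and that no directive carries text after a mid-line "#"; the config text is a constructed, trimmed copy of the one quoted in the thread with its placeholder hostnames.

```python
# Constructed copy of the config quoted in the thread, trimmed to the
# database sections and keeping its placeholder hostnames.
SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema
database ldap
suffix "o=aaa.yyy.zzz,o=bcit"
uri ldap://aaa.yyy.zzz:389
database bdb
suffix "o=bbb.yyy.zzz,o=bcit"
directory /var/lib/openldap-data
database meta
suffix "dc=yyy,dc=zzz"
uri ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=aaa.yyy.zzz,o=yyy"
uri ldap://foo.yyy.zzz:389/dc=ccc,dc=yyy,dc=zzz
suffixmassage "dc=ccc,dc=yyy,dc=zzz" "o=bbb.yyy.zzz,o=yyy"
"""

def parse_databases(text):
    """Split slapd.conf text into [(backend, [(keyword, args), ...]), ...].
    Only a '#' at the start of a line is a comment; slapd.conf(5) has no
    trailing comments, so a later '#' stays part of the directive."""
    dbs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        keyword = keyword.lower()
        if keyword == "database":
            dbs.append((args.strip().lower(), []))
        elif dbs:  # directives before the first 'database' are global
            dbs[-1][1].append((keyword, args.strip()))
    return dbs

def lint(text):
    """Return a list of problem strings (an empty list means all checks passed)."""
    problems = []
    for n, (backend, directives) in enumerate(parse_databases(text), 1):
        keywords = [k for k, _ in directives]
        if "suffix" not in keywords:
            problems.append(f"database {n} ({backend}): no suffix")
        for k, a in directives:
            if "#" in a:
                problems.append(f"database {n} ({backend}): text after '#' in "
                                f"'{k}' is not a comment")
        if backend != "meta":
            continue
        if "uri" not in keywords:
            problems.append(f"database {n} (meta): no targets defined")
        seen_uri = False  # suffixmassage applies to the preceding uri target
        for k, _ in directives:
            seen_uri = seen_uri or k == "uri"
            if k == "suffixmassage" and not seen_uri:
                problems.append(f"database {n} (meta): suffixmassage before any uri")
    return problems

if __name__ == "__main__":
    print(lint(SAMPLE_CONF) or "no problems found")
```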