Re: chaining question
Christian Marg wrote, on 04-09-2007 18:38:
I always find it helpful to look into the logfiles of the
openldap-servers. On FreeBSD it's /var/log/debug.log.
Personally I find
loglevel 256
which is "stats log connections/operations/results" most helpful. If you
are not sure how to interpret log entries, edit them to remove sensitive
content and post them, perhaps - if it's more than 10 lines or so - using
a pastebin (e.g. pastebin.ca or something).
Hmmm ... I'm used to tailing the slapd logs, I go square-eyed looking at
them at all possible values. Level 256 below.
Of course it seems weird to first have to disable and then later on to
enable "chain-rebind-as-user". It seems that this is because one
shouldn't rely on default values (as they might change). In the second
chain-uri-stanza of the example they don't set the rebind-flag again, so
I'd assume that the "global" value set after "overlay chain" will be
applied.
Anyway: the best thing next to an explanation I found of what
..rebind-as-user does is in slapd-ldap:
---------8<---------8<---------8<---------8<---------8<---------8<---------
rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered
for rebinds, when trying to re-establish a broken connection, or when
chasing a referral, if chase-referrals is set to yes.
---------8<---------8<---------8<---------8<---------8<---------8<---------
chase-referrals is specific to SLAPD-LDAP and isn't documented in
SLAPO-CHAIN.
So I assume that something concerning the credentials breaks - the log
should help you pinpoint what exactly.
Why should it? Do you have chaining running?
Log lines (really, there are only 3) while changing a test user's
password on the chaining consumer/slave:
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD attr=userPassword
Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 RESULT tag=103 err=0 text=
The "103" signifies a referral with err=0; good, if there were problems
with the referral there would have been an err=10.
Log on the provider/master:
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD attr=userPassword
Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 RESULT tag=103 err=0 text=
Honestly, I'm no wiser from this. It just shows that there has been a
referral, that a MOD operation has been carried out with no error.
Googling for chain-rebind-as-user brought up 2 helpful OL ML threads
(out of a total of 3 references) whereby Pierangelo Masarati stressed
the importance of the chaining proxy on the master having authZTo
configured; well, since we use digest-md5 SASL for Postfix and other
things, it is (this could cause further problems for Taymour A. El Erian).
I can only assume I'm one of the few people in the world who needs
real-world chaining and has it - and subscribes to this ML.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
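
Added example, not part of the original message: a Python parser for loglevel 256 lines like those quoted above. It folds each operation into one record, names the numeric `tag=` and `err=` values per RFC 4511, and pairs a MOD on the consumer with the same MOD on the provider. The function names and the same-second pairing rule are assumptions of this example.

```python
import re
from collections import defaultdict

# LDAP response protocolOp tags and result codes (RFC 4511) as printed in RESULT lines.
RESPONSE_TAGS = {97: "BindResponse", 101: "SearchResultDone", 103: "ModifyResponse",
                 105: "AddResponse", 107: "DelResponse", 120: "ExtendedResponse"}
RESULT_CODES = {0: "success", 10: "referral", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sslapd\S*:\s"
                  r"conn=(?P<conn>\d+)\sop=(?P<op>\d+)\s(?P<verb>[A-Z]+)\s?(?P<rest>.*)$")

def parse_ops(lines):
    """Fold per-line stats entries into one record per (host, conn, op)."""
    ops = defaultdict(dict)
    for m in filter(None, (LINE.match(l.strip()) for l in lines)):
        rec = ops[(m["host"], int(m["conn"]), int(m["op"]))]
        rec.setdefault("ts", m["ts"])
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S*)', m["rest"]))
        if m["verb"] == "RESULT":
            rec["response"] = RESPONSE_TAGS.get(int(fields["tag"]), "tag " + fields["tag"])
            rec["result"] = RESULT_CODES.get(int(fields["err"]), "err " + fields["err"])
        else:
            rec["verb"] = m["verb"]
            rec.update({k: v.strip('"') for k, v in fields.items() if k in ("dn", "attr")})
    return dict(ops)

def chained_writes(ops, consumer, provider):
    """Pair each MOD on the consumer with the same MOD on the provider."""
    keys = ("verb", "dn", "attr", "ts")  # assumption: both hosts log it in the same second
    pairs = []
    for (host, conn, op), rec in ops.items():
        if host != consumer or rec.get("verb") != "MOD":
            continue
        for (h2, c2, o2), r2 in ops.items():
            if h2 == provider and all(rec.get(k) == r2.get(k) for k in keys):
                pairs.append(((conn, op), (c2, o2), rec["dn"], r2.get("result")))
    return pairs

# The six log lines from the message above, with the mail client's line wraps undone.
SAMPLE = [
    'Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"',
    'Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 MOD attr=userPassword',
    'Sep 5 08:26:04 oikos slapd2.3[22295]: conn=23043 op=10 RESULT tag=103 err=0 text=',
    'Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD dn="cn=bmyguest,ou=gasten,dc=barlaeus,dc=nl"',
    'Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 MOD attr=userPassword',
    'Sep 5 08:26:04 mercurius slapd2.3[6028]: conn=189238 op=6356 RESULT tag=103 err=0 text=',
]
```

Calling `chained_writes(parse_ops(SAMPLE), "oikos", "mercurius")` returns the consumer and provider conn/op pair for the userPassword change together with the provider's result.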