openldap 2.4.11 slave update chaining
- To: openldap-software@openldap.org
- Subject: openldap 2.4.11 slave update chaining
- From: Alan Evans <alanwevans@gmail.com>
- Date: Tue, 14 Apr 2009 16:45:23 -0400
I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out?
I have an LDAP master and an LDAP slave, and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.
I am successful in getting the slave to follow the referral and return errors from the master; however, with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficient access or needing more rights.
- Client binds with dn and password to slave
- Client submits modify request to slave
- Slave binds to master with binddn (bindmethod=simple)
- Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE)
- Slave submits modify to master as client (chain is global)
- Master checks client's dn for access
- Master performs update
- Master returns result to slave
- Slave returns result to client
# ldapsearch cn=replicator authzTo -LLL
Enter LDAP Password:
dn: cn=replicator,dc=company,dc=com
authzTo: dn:*
You can see in the case of mode=legacy that I have given my replicator account authzTo.
# slave slapd.conf
# Global Section
overlay chain
chain-tls start
chain-chase-referrals yes
chain-return-error true
chain-uri "ldap://ldapmaster.company.net/"
chain-rebind-as-user TRUE
chain-idassert-bind
        bindmethod="simple"
        binddn="cn=replicator,dc=company,dc=com"
        credentials="secret"
        starttls="yes"
        tls_reqcert="allow"
        mode="self"
# Database Sections
database bdb
suffix "dc=company,dc=com"
rootdn "cn=manager,dc=company,dc=com"
... removed for brevity ...
updateref ldap://ldapmaster.company.net/
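As an added illustration (not part of Alan's post and not OpenLDAP code), here is a small Python audit that parses the slave slapd.conf fragment above and reports the settings a reviewer would look at before trusting the slave-to-master chain: whether a bad master certificate is rejected, whether the simple bind is wrapped in TLS, where the replicator password sits, whether chain-uri and updateref point at the same host, and which identity the master will evaluate its ACLs against. The config text is a constructed copy of the fragment; the function names and finding identifiers are my own. The only OpenLDAP behaviour it relies on is that a slapd.conf line beginning with whitespace continues the previous directive, that tls_reqcert=allow or never lets a bad or missing server certificate through, and that mode=self asserts the client's own identity to the master.

```python
"""Audit the chain-overlay stanza of a slave slapd.conf (added example)."""
import shlex
from urllib.parse import urlparse

# Constructed copy of the slave slapd.conf fragment from the post, with the
# chain-idassert-bind continuation lines indented as slapd.conf requires.
SLAVE_CONF = """\
# Global Section
overlay chain
chain-tls start
chain-chase-referrals yes
chain-return-error true
chain-uri "ldap://ldapmaster.company.net/"
chain-rebind-as-user TRUE
chain-idassert-bind
    bindmethod="simple"
    binddn="cn=replicator,dc=company,dc=com"
    credentials="secret"
    starttls="yes"
    tls_reqcert="allow"
    mode="self"

# Database Sections
database bdb
suffix "dc=company,dc=com"
rootdn "cn=manager,dc=company,dc=com"
updateref ldap://ldapmaster.company.net/
"""


def join_continuations(text):
    """slapd.conf rule: a line that begins with whitespace continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def parse_directives(text):
    """Return [(directive, [args...])]; quotes are handled shell-style."""
    parsed = []
    for line in join_continuations(text):
        parts = shlex.split(line)
        parsed.append((parts[0].lower(), parts[1:]))
    return parsed


def first(directives, name, default=""):
    """First argument of the first occurrence of `name`, or `default`."""
    for n, args in directives:
        if n == name and args:
            return args[0]
    return default


def idassert_params(directives):
    """key=value arguments of chain-idassert-bind as a dict (keys lowercased)."""
    params = {}
    for n, args in directives:
        if n == "chain-idassert-bind":
            for a in args:
                k, _, v = a.partition("=")
                params[k.lower()] = v
    return params


def audit(text):
    """Return {finding_id: message} for the security-relevant chain settings."""
    d = parse_directives(text)
    p = idassert_params(d)
    findings = {}

    # libldap's default is demand; allow/never silently accept a bad certificate
    reqcert = p.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings["tls_reqcert"] = (
            f"tls_reqcert={reqcert}: a bad or missing master certificate is ignored, "
            "so the chained connection can be intercepted; use tls_reqcert=demand "
            "with a tls_cacert")

    # A simple bind carries the replicator password, so it needs StartTLS or ldaps
    tls_requested = (
        p.get("starttls", "").lower() == "yes"
        or first(d, "chain-tls").lower() == "start"
        or first(d, "chain-uri").lower().startswith("ldaps://"))
    if p.get("bindmethod", "").lower() == "simple" and not tls_requested:
        findings["cleartext_bind"] = (
            "bindmethod=simple without StartTLS/ldaps: the replicator password "
            "crosses the network in clear")

    if "credentials" in p:
        findings["credentials"] = (
            "replicator password is stored in clear in slapd.conf: keep the file "
            "mode 0600 and owned by the slapd user")

    # Writes are chained to chain-uri but clients are referred to updateref;
    # the two should name the same master.
    chain_host = urlparse(first(d, "chain-uri")).hostname
    upd_host = urlparse(first(d, "updateref")).hostname
    if chain_host != upd_host:
        findings["uri_mismatch"] = (
            f"chain-uri host {chain_host!r} differs from updateref host {upd_host!r}")

    mode = p.get("mode", "legacy").lower()
    rebind = first(d, "chain-rebind-as-user", "false").lower() == "true"
    who = ("the client's own DN" if mode == "self" or rebind
           else "the identity idassert selects, not the client's DN")
    findings["asserted_identity"] = (
        f"mode={mode}, chain-rebind-as-user={rebind}: the master evaluates its ACLs against {who}")
    return findings


if __name__ == "__main__":
    for fid, msg in audit(SLAVE_CONF).items():
        print(f"[{fid}] {msg}")
```

Running it against the fragment flags tls_reqcert=allow and the clear-text credentials, finds no host mismatch and no unencrypted bind (chain-tls start and starttls=yes both request StartTLS), and states that with mode=self the master's ACLs apply to the client's DN, which matches step "Master checks client's dn for access" in the flow above.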