
Re: Setting up a chain overlay



Bram Cymet <bcymet@cbnco.com> writes:

>  On 09/22/2010 07:27 AM, masarati@aero.polimi.it wrote:
>>>> Please try this patch
>>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch>,
>>>> posted some time ago in partial response to ITS#6540 and report.
>>>> Thanks,
>>>> p.
>>>>
>>> I will give the patch a try.
>>>
>>> What is the patch doing? I am guessing it will fix the illegal
>>> configuration problem.
>> It comments out some braindead checks that I don't even remember what
>> they were there for, which prevent reloading a valid configuration from cn=config.
>> Consider that back-config support in back-ldap was added during the
>> development of back-config itself, so some odd configuration cases that
>> worked at that time might no longer be valid now.
>>
>>> Should I use the configuration I gave above or should it be modified?
>> The configuration should be fine; even the contents of the configuration
>> database (back-config) should be valid.  After applying the patch, slapd
>> should restart fine, loading slapo-chain(5) as it is configured now.
>>
>> p.
>>
> Hi,
>
> I have applied the patch and now after adding my config I am able to
> restart slapd. The only problem now is that the chaining has stopped
> working. I am not sure why it worked before and not now.
> Will that patch be applied to future versions of OpenLDAP?
>
> At this point I am trying to figure out the best way to take a config like:
>
> overlay                 chain
> chain-rebind-as-user    FALSE
> chain-uri               "ldap://ldap1.example.com"
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=Auth,dc=example,dc=com"
>                         credentials="secret"
>                         mode="self"
> chain-uri               "ldap://ldap2.example.com"
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=Auth,dc=example,dc=com"
>                         credentials="secret"
>                         mode="none"
>
>
> and properly add it to the cn=config directory.

In this particular case, overlay chain should be a global
configuration, not a database-specific configuration.
This is a working example:

<global configuration>
...
overlay chain
chain-uri ldap://some.host
chain-idassert-bind
        bindmethod=simple
        binddn="cn=replicator,o=avci,c=de"
        credentials="secret"
        mode=self
        flags=non-prescriptive
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start
        tls_cacert="/etc/openldap/certs/avciCA.pem"
        tls_reqcert=demand
database        config
rootdn          cn=config
syncrepl rid=042
...
database        hdb
suffix          o=avci,c=de
...
syncrepl rid=099
...

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6