Chaining not working
Hi folks,
While testing the current Debian squeeze version of OpenLDAP,
v2.4.23-6, in a provider/consumer syncprov/syncrepl
(refreshAndPersist) configuration, using a patch(1) written by
Pierangelo, I have not been able to get chaining to work.
The consumer, ldaps2, was configured with a referral(2) to the
provider, ldaps1, as well as a chaining configuration(3). A couple of
authzTo rules(4) were added to its entry in the DIT, which immediately
replicated to the consumer, and the provider was configured with an
olcAuthzPolicy directive for "to"(5). So far, so good.
However, when using ldapmodify on the consumer to test that an entry
in the DIT could actually be modified (the description attr of the
consumer's entry) from there as a result, I got this response:
------------------------------------------------------------
modifying entry "cn=ldaps2,dc=example,dc=com"
ldap_modify: Referral (10)
referrals:
ldap://ldaps.example.com/cn=ldaps2,dc=example,dc=com
------------------------------------------------------------
I know ldapmodify doesn't understand referrals; this is where chaining
should have worked instead. So, I removed the referral from the
consumer's configuration to see what would then happen with the same
command:
------------------------------------------------------------
modifying entry "cn=ldaps2,dc=example,dc=com"
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
------------------------------------------------------------
(shadow context?). In both cases, this shows up in the syslog as a result:
------------------------------------------------------------
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 ACCEPT from IP=127.0.1.1:43982 (IP=0.0.0.0:389)
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=0 RESULT tag=97 err=0 text=
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD dn="cn=ldaps2,dc=example,dc=com"
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 MOD attr=description
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=1 RESULT tag=103 err=53 text=shadow context; no update referral
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 op=2 UNBIND
Nov 12 00:48:54 ldaps2 slapd[23862]: conn=1002 fd=19 closed
------------------------------------------------------------
Have I made a mistake somewhere, or could this be another bug?
Thanks,
Jaap
1) ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch
2) LDIF applied to ldaps2 (the consumer) to create the referral to
ldaps1 (the provider) via an alias (ldaps):
---------------------------------
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcUpdateref
olcUpdateref: ldap://ldaps.example.com
---------------------------------
3) LDIF applied to ldaps2 to create the chaining configuration:
---------------------------------
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_ldap

dn: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://ldaps.example.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=ldaps2,dc=example,dc=com"
  credentials=bilineatus
  mode=self
---------------------------------
4) LDIF to create a couple of authzTo rules for the consumer:
---------------------------------
dn: cn=ldaps2,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: {0}dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
authzTo: {1}dn.exact:cn=admin,dc=example,dc=com
---------------------------------
5) LDIF to add an olcAuthzPolicy directive to the provider, ldaps1:
---------------------------------
dn: cn=config
changetype: modify
add: olcAuthzPolicy
olcAuthzPolicy: to
---------------------------------
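As an added example (not part of the post or of OpenLDAP), the following script parses a consumer's cn=config entries and checks the pieces the chain overlay needs: an olcUpdateref on the shadow database (without it slapd answers writes with err=53 "shadow context; no update referral") that matches the olcDbURI of a chain database under the overlay, and it flags cleartext credentials in olcDbIDAssertBind. The sample config is constructed from the LDIF in the post; the assumption that the chain database must sit under the overlay and that its URI should match the updateref is mine.

```python
"""Added example: check a consumer's cn=config LDIF for what slapo-chain needs to
chase the updateref (assumes the chain database sits under the chain overlay)."""

def parse_ldif(text):
    """One {attr: [values]} dict per blank-line separated LDIF record.
    Continuation lines (leading space) are joined; '::' base64 values are not decoded."""
    records, cur = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    return records + [cur] if cur else records

def check_chain_config(ldif_text, db_dn="olcDatabase={1}hdb,cn=config"):
    """Return a list of findings for the chaining setup of the database at db_dn."""
    recs = {r.get("dn", [""])[0]: r for r in parse_ldif(ldif_text)}
    norm = lambda u: u.rstrip("/").lower()
    findings, chain_uris = [], set()
    updateref = [norm(u) for u in recs.get(db_dn, {}).get("olcUpdateref", [])]
    if not updateref:  # slapd answers writes with err=53 "shadow context; no update referral"
        findings.append("no olcUpdateref on " + db_dn)
    for dn, r in recs.items():
        if "olcChainDatabase" in r.get("objectClass", []) and dn.endswith(db_dn):
            chain_uris.update(norm(u) for u in r.get("olcDbURI", []))
            if any("credentials=" in v for v in r.get("olcDbIDAssertBind", [])):
                findings.append(dn + ": cleartext credentials in olcDbIDAssertBind")
    findings += [u + " matches no chain database olcDbURI" for u in updateref if u not in chain_uris]
    return findings

# Constructed sample: the consumer's resulting config entries, built from the LDIF in the post.
CONSUMER_CONFIG = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcUpdateref: ldap://ldaps.example.com

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDbURI: ldap://ldaps.example.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=ldaps2,dc=example,dc=com"
  credentials=bilineatus
  mode=self
"""
```

Run `check_chain_config(CONSUMER_CONFIG)` on the sample; deleting the olcUpdateref line reproduces the condition behind the err=53 result in the post.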