[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-meta doesn't continue with multiple uri's



> I've been trying to get slapd-meta to failover using multiple URIs but
> can't get it to work.
>
> Initially I was using 2.4.26, but having seen the report in ITS#7050
> I've now built 2.4.32 but the problem is still there as far as I can
> tell. This bug was quashed in 2.4.29 according to the change log.
>
> In the example below, if host1 is not contactable at the point a search
> is performed, host2 will be contacted and the result returned correctly
> but ldapsearch then hangs indefinitely and the server's debug (level 1)
> output spews the following messages endlessly:
>
>
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_int_poll: fd: 10 tm: 0
> 502a4634 conn=1001 op=1 <<< meta_search_dobind_init[0]=4
> 502a4634 conn=1001 op=1 >>> meta_search_dobind_init[0]
>
>
> Here's the relevant portion of slapd.conf:
>
>
> database            meta
> suffix              dc=local
> rootdn              cn=administrator,dc=local
> rootpw              secret
>
> network-timeout     3
>
> uri                 ldap://host1:3268/ou=dc1,dc=local
> uri                 ldap://host2:3268/ou=dc1,dc=local
> uri                 ldap://host3:3268/ou=dc1,dc=local
>
> suffixmassage       "ou=dc1,dc=local" "dc=example,dc=com"
>
> idassert-bind       bindmethod=simple
>                      binddn="cn=proxyuser,dc=example,dc=com"
>                      credentials="password"
>
> idassert-authzfrom  "dn.exact:cn=administrator,dc=local"
>
>
> Am I doing something wrong

You are.  The above is creating three targets, one pointing to host1, one
pointing to host2 and one pointing to host3.  The rest of the
configuration is associated to the last target, the others are sort of
dangling.  A correct configuration for failover would be

uri                 ldap://host1:3268/ou=dc1,dc=local
                    ldap://host2:3268/
                    ldap://host3:3268/
suffixmassage       "ou=dc1,dc=local" "dc=example,dc=com"
idassert-bind       bindmethod=simple
                    binddn="cn=proxyuser,dc=example,dc=com"
                    credentials="password"
idassert-authzfrom  "dn.exact:cn=administrator,dc=local"

Note that URIs other than the first one cannot have the DN part (the same
of the first URI is assumed).

p.

> or has the bug described in ITS#7050 crept
> back in?
>
> --
> Liam Gretton                                    liam.gretton@le.ac.uk
> HPC Architect                                 http://www.le.ac.uk/its
> IT Services                                   Tel: +44 (0)116 2522254
> University of Leicester, University Road
> Leicestershire LE1 7RH, United Kingdom
>
>
>
>