slapd-meta configuration details
- To: openldap-technical@openldap.org
- Subject: slapd-meta configuration details
- From: Scott Koranda <skoranda@gmail.com>
- Date: Thu, 6 Dec 2012 20:39:02 -0600
Hello,
As part of an evaluation and testing phase, on a Debian
Squeeze system using version 2.4.23 of OpenLDAP I successfully
configured and used the slapd-meta backend. The configuration
looked like this:
    database meta
    suffix "dc=test,dc=myorg,dc=org"

    uri "ldapi:///o=external,dc=test,dc=myorg,dc=org"
    acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
    acl-passwd passwd
    idassert-bind bindmethod=simple
        binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
        credentials="passwd"
        mode=self

    uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org"
    acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org
    acl-passwd passwd
    idassert-bind bindmethod=simple
        binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org"
        credentials="passwd"
        mode=self
To prepare for a production deployment I then compiled
OpenLDAP 2.4.33 using this set of configure options:
    ./configure --prefix=/opt/openldap-2.4.33 --enable-slapd \
        --enable-cleartext --enable-rewrite --enable-bdb --enable-hdb \
        --enable-ldap --enable-meta --enable-rwm
I attempted to use the same configuration for the slapd-meta
backend. My queries to slapd no longer returned anything and I
saw this in the debug output:
50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously
I interpret this to mean that the slapd-meta backend is
deciding it does not have a credential to use and is binding
anonymously to the proxied services.
How should I change my configuration above so that the most
recent version of OpenLDAP will be able to bind to the proxied
services in the way that happened with version 2.4.23?
Note that I installed versions between 2.4.23 and 2.4.33
(bisection) and found that the change from 2.4.25 to 2.4.26
causes the configuration above to go from "working" to "not
working". Versions 2.4.26 and above that I tested result in
the "non-empty dn with empty cred" in the debug output.
Thanks,
Scott